3.1.   STET (Torsten)

Anoop asked about STET's status as Intuit is now integrating with STET and found that their API is not as expected. Torsten explained that we have contacted them and they are fixing the security issues by aligning to the security BCP but not OpenID Connect as they are not providing customer identities.

John pointed out that ID Token does not necessarily mean the provision of customer identities as sub can be filled by something like 'consent ID' (previously Intent ID) as in Open Banking UK. Then, it acts as a detached signature. He also noted that an advantage of using ID Token as a detached signature is that as soon as Banks become wanting to provide customer identity, it can instantaneously, and he is seeing that coming.

3.2.   Open Banking (John)

Some of the banks having problems with eIDAS certs.

Problems include:

• ETSI changing the spec.
• QTSP's lengthy and tiresome process for getting the certs.
• QTSPs are not checking the "currentness" of the information on the certs. OB Directory is checking them.
• Organization identifier number changes as the organization obtains new licence making it difficult to map to a previously obtained consent.
• etc.

Instead, OB is checking the currentness and reflects them in the protocol.

So, moving from OB certs to eIDAS poses significant risk to the UK Banks and FCA is allowing it.

Also, the performance by the implementations is problematic. They tend to be slow (like taking several seconds) and screen scraping seems to be much faster. The performance guidance was not in the requirements from the government and as a programme pushed by the government, banks did not proactively fill the gap. If it were on their own, it would have been considered to be impacting customer experience but it did not.

3.3.   Berlin Group (Dave)

• Dave is sending reminders to them but there has been no response.

5.1.   CIBA FAPI Profile (Dave)

• Finalizing attaker model. It is expected to take another week.

5.2.   TR Cross-Browser Payment Initiation Attack (Daniel/Torsten)

• TR-Cross_browser_payment_initiation_attack.md
• Torsten introduced a blog post quoting this in LinkedIn.

5.3.   TR Lodging Intent Pattern (Torsten)

• Financial_API_Lodging_Intent.md
• Torsten etc. are writing a Medium post to solicit more information. They have not come to a conclusion on how to consolidate various approaches found in the wild. Writing on Medium hopefully attracts more comments.
• Nat pointed out that there is no IPR protection in the comments acquired that way and an appropriate way needs to be sought.

6.1.   IIW (Apr 30 - May 2)

Nat was reporting a bit of problem as it falls within the 10-consecutive days holiday in Japan and ticket prices are skyrocketing.

6.2.   EIC (May 14 - 17)

https://www.kuppingercole.com/events/eic2019

There will be a certification team meeting. Also, there will be hands-on sessions on the tests.

6.3.   Identiverse (June 25 - 28)

https://identiverse.com/

There will be a banking track.

8.1.   PSU IDENTITY, HISTORIC CHALLENGES AND HOW TO SOLVE THEM (John)

• John created a blog post on the use of sub in ID Token used in Open Banking.
• https://www.raidiam.com/blog/2019/4/9/psu-identity-historic-challenges-and-how-to-solve-them
• There is other information as well.
• Any comments are much appreciated.

8.2.   Next Call

• Atlantic "Spec" call next week.

The meeting was adjourned at 15:00 UTC.