FAPI WG Meeting Notes (2019-04-10)

Date & Time: 2019-04-10 14:00 UTC

Location: GoToMeeting

The meeting was called to order at 14:05 UTC.

1.   Roll Call

  • Attending:
    • Nat Sakimura (NRI)
    • Anoop Saxena (Intuit)
    • Dave Tonge (Moneyhub)
    • Bjorn Hjelm (Verizon)
    • Brian Campbell (Ping)
    • John Heaton-Armstrong (Radium)
    • Joseph Heenan (FinTech Labs)
    • Torsten Lodderstedt (YES)
  • Regrets:

3.   External Organizations

3.1.   STET (Torsten)

Anoop asked about STET's status, as Intuit is now integrating with STET and found that their API is not as expected. Torsten explained that we have contacted them and they are fixing the security issues by aligning to the security BCP, but not to OpenID Connect, as they are not providing customer identities.

John pointed out that an ID Token does not necessarily mean the provision of customer identities, as sub can be filled by something like a 'consent ID' (previously Intent ID) as in Open Banking UK. In that case, it acts as a detached signature. He also noted that an advantage of using the ID Token as a detached signature is that as soon as banks want to provide customer identity, they can do so instantaneously, and he is seeing that coming.

3.2.   Open Banking (John)

Some of the banks are having problems with eIDAS certs.

Problems include:

  • ETSI changing the spec.
  • QTSP's lengthy and tiresome process for getting the certs.
  • QTSPs are not checking the "currentness" of the information on the certs. OB Directory is checking them.
  • The organization identifier number changes as the organization obtains a new licence, which makes it difficult to map to a previously obtained consent.
  • etc.

Instead, OB is checking the currentness and reflecting it in the protocol.

So, moving from OB certs to eIDAS poses a significant risk to the UK banks, and the FCA is allowing it.

Also, the performance of the implementations is problematic. They tend to be slow (taking several seconds), and screen scraping seems to be much faster. Performance guidance was not in the requirements from the government and, as a programme pushed by the government, the banks did not proactively fill the gap. If it had been on their own initiative, it would have been considered to be impacting customer experience, but it was not.

3.3.   Berlin Group (Dave)

  • Dave is sending reminders to them but there has been no response.

4.   Testing & Certification

  • 2 providers got certified: Authlete (full) and ForgeRock (no MTLS).
  • Torsten asked for a link in the FAPI page.
    • [ACT] Nat to add the link.
  • RP testing is partially open. Still "beta" till June.
  • Nat asked if there is any marketing material on it.
    • [ACT] Joseph said that he may be able to provide a short silent video.

5.   Draft Status (Nat/Dave)

5.1.   CIBA FAPI Profile (Dave)

  • Finalizing the attacker model. It is expected to take another week.

5.2.   TR Cross-Browser Payment Initiation Attack (Daniel/Torsten)

  • Torsten introduced a blog post quoting this on LinkedIn.

5.3.   TR Lodging Intent Pattern (Torsten)

  • Torsten and others are writing a Medium post to solicit more information. They have not come to a conclusion on how to consolidate the various approaches found in the wild; writing on Medium will hopefully attract more comments.
  • Nat pointed out that there is no IPR protection in the comments acquired that way and an appropriate way needs to be sought.

6.   Events

6.1.   IIW (Apr 30 - May 2)

Nat reported a bit of a problem, as it falls within the 10-consecutive-day holiday in Japan and ticket prices are skyrocketing.

6.2.   EIC (May 14 - 17)

There will be a certification team meeting. Also, there will be hands-on sessions on the tests.

7.   Issues

  • Issues will be dealt with in the next week's "issues" call.

8.   AOB

8.2.   Next Call

  • Atlantic "Spec" call next week.

The meeting was adjourned at 15:00 UTC.