FAPI WG Meeting Notes (2019-04-10)
Date & Time: 2019-04-10 14:00 UTC
Location: GoToMeeting https://global.gotomeeting.com/join/321819862
- 1. Roll Call
- 2. Adoption of the Agenda (Nat)
- 3. External Organizations
- 4. Testing & Certification
- 5. Draft Status (Nat/Dave)
- 6. Events
- 7. Issues
- 8. AOB
The meeting was called to order at 14:05 UTC.
- Nat Sakimura (NRI)
- Anoop Saxena (Intuit)
- Dave Tonge (Moneyhub)
- Bjorn Hjelm (Verizon)
- Brian Campbell (Ping)
- John Heaton-Armstrong (Radium)
- Joseph Heenan (FinTech Labs)
- Torsten Lodderstedt (YES)
- The agenda was adopted as is.
Anoop asked about STET's status, as Intuit is now integrating with STET and has found that their API is not as expected. Torsten explained that we have contacted them and that they are fixing the security issues by aligning with the security BCP, but not with OpenID Connect, as they are not providing customer identities.
John pointed out that an ID Token does not necessarily mean the provision of customer identities, as sub can be filled by something like a 'consent ID' (previously Intent ID), as in Open Banking UK. In that case the ID Token acts as a detached signature over the authorization response. He also noted that an advantage of using the ID Token as a detached signature is that as soon as banks want to provide customer identity they can do so instantaneously, and he sees that coming.
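To make John's point concrete, here is an added example (not code from the WG, from STET or from Open Banking) of the RP-side check that turns an ID Token into a detached signature under FAPI Part 2: the code and state received in the front channel are hashed and compared with the c_hash and s_hash inside the signed payload, and sub is compared with the consent ID the RP created rather than with a user account. It assumes the JWS signature was already verified with the OP's key by a JWT library; the issuer, client id, nonce and consent id values are constructed.

```python
import base64
import hashlib


def half_hash(value: str, alg: str) -> str:
    # OpenID Connect Core 3.3.2.11 hash construction, which FAPI Part 2 reuses for
    # s_hash: SHA-2 of the JWS alg's bit size over the ASCII octets, left-most half,
    # base64url without padding. Assumes a PS256/ES256/RS256-style alg name.
    bits = int(alg[-3:])
    digest = hashlib.new(f"sha{bits}", value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def check_detached_signature(claims: dict, alg: str, code: str, state: str,
                             expected: dict) -> list:
    # claims: payload of an ID Token whose signature was ALREADY verified by a JWT
    # library (which also handles exp/iat). expected: iss, client_id, nonce and
    # consent_id stored by the RP before it redirected the user.
    # Returns the problems found; an empty list means the token binds this response.
    problems = []
    if claims.get("iss") != expected["iss"]:
        problems.append("iss mismatch")
    aud = claims.get("aud", [])
    if expected["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain client_id")
    if claims.get("nonce") != expected["nonce"]:
        problems.append("nonce mismatch")
    # The detached-signature part: what arrived in the front channel must hash to
    # the values carried inside the signed payload.
    if claims.get("c_hash") != half_hash(code, alg):
        problems.append("c_hash does not match the received code")
    if claims.get("s_hash") != half_hash(state, alg):
        problems.append("s_hash does not match the received state")
    # Open Banking UK style: sub carries the consent id, not an end-user identifier.
    if claims.get("sub") != expected["consent_id"]:
        problems.append("sub does not match the consent id")
    return problems


# Constructed sample values (hypothetical, not output from any real OP).
CODE, STATE, ALG = "SplxlOBeZQQYbYS6WxSbIA", "af0ifjsldkj", "PS256"
EXPECTED = {"iss": "https://op.example.com", "client_id": "client-123",
            "nonce": "n-0S6_WzA2Mj", "consent_id": "urn:example:consent:42"}
CLAIMS = {"iss": EXPECTED["iss"], "aud": [EXPECTED["client_id"]],
          "nonce": EXPECTED["nonce"], "sub": EXPECTED["consent_id"],
          "c_hash": half_hash(CODE, ALG), "s_hash": half_hash(STATE, ALG)}


def demo(code_received: str = CODE, state_received: str = STATE) -> list:
    # Run the check as the RP would after the redirect; pass a different code or
    # state to see the binding break.
    return check_detached_signature(CLAIMS, ALG, code_received, state_received, EXPECTED)
```

Calling demo() with the values as issued returns an empty list; demo(code_received="tampered") reports the c_hash mismatch.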
Some of the banks are having problems with eIDAS certs.
- ETSI changing the spec.
- QTSP's lengthy and tiresome process for getting the certs.
- QTSPs are not checking the "currentness" of the information on the certs. OB Directory is checking them.
- The organization identifier number changes as the organization obtains a new licence, making it difficult to map to a previously obtained consent.
Instead, OB is checking the currentness and reflects it in the protocol.
So, moving from OB certs to eIDAS poses a significant risk to the UK banks, and the FCA is allowing it.
Also, the performance of the implementations is problematic. They tend to be slow (taking several seconds), and screen scraping seems to be much faster. Performance guidance was not in the requirements from the government, and as this was a programme pushed by the government, banks did not proactively fill the gap. Had it been their own programme, it would have been considered as impacting customer experience, but it was not.
- Dave is sending reminders to them but there has been no response.
- Two providers got certified: Authlete (full) and ForgeRock (not MTLS).
- Torsten asked for a link on the FAPI page.
- [ACT] Nat to add the link.
- RP testing is partially open. Still "beta" till June.
- Nat asked if there is any marketing material on it.
- [ACT] Joseph said he may be able to provide a short silent video.
- Finalizing the attacker model. It is expected to take another week.
- Torsten introduced a blog post quoting this on LinkedIn.
- Torsten and others are writing a Medium post to solicit more information. They have not come to a conclusion on how to consolidate the various approaches found in the wild. Writing on Medium hopefully attracts more comments.
- Nat pointed out that there is no IPR protection for comments acquired that way, and an appropriate way needs to be sought.
Nat reported a bit of a problem, as it falls within the 10 consecutive holiday days in Japan and ticket prices are skyrocketing.
There will be a certification team meeting. Also, there will be hands-on sessions on the tests.
- Issues will be dealt with in the next week's "issues" call.
- John created a blog post on the use of sub in ID Token used in Open Banking.
- There is other information as well.
- Any comments are much appreciated.
- Atlantic "Spec" call next week.
The meeting was adjourned at 15:00 UTC.