3.1.   OBIE: The use of sub and the token refresh (Anoop)

Currently, Open Banking UK is filling ID Token's sub with the intent ID, which is of course ephemeral. Anoop had a question on the impact of this onto the access token refresh.

A user may have multiple accounts at a bank and at the time of the user re-authentication, he may choose another account then he has used previously, which results in a new access token that is associated with a different account. If ASPSP can accept id_token_hint this problem can be mitigated somewhat but Anoop was not sure of the status.

Nat suggested Anoop create a ticket on this issue on the FAPI issues tracker.

3.2.   STET and FAPI (Anoop)

Intuit has started working on the STET integration and asked STET. It is good to see that they are moving to OAuth rather than a proprietary one but the course is not clear if they are moving to FAPI was they start the Read & Write API. (Currently, they seem to be doing Read Only.)

Anoop believes that we should be pushing STET more towards the direction. He will get in touch with Dave Tonge and Torsten Lodderstedt on this issue.

3.3.   AMEX (Anoop)

AMEX is using OAuth 1.0a HMAC Token right now. Anoop is trying to pursuade them to switch to FAPI and asked Nat what are the advantages of FAPI over OAuth 1.0a HMAC Token.

Nat pointed out several of them randomly as:

1. FAPI has a formal security proof so it is future unknown attack proof while OAuth 1.0a HMAC Token is not.
2. FAPI MTLS has bindings to TLS Channels while OAuth 1.0a HMAC is purely application layer.
3. FAPI is public key crypto based so it has "non-repudiation" property while OAuth 1.0a HMAC does not.
4. OAuth 1.0a is obsoleted long time ago.
5. FAPI has a conformance test suite including many negative tests to test the security of the implementations.

4.1.   Next Call

Next call will be an Atlantic Call. Next Pacific call will be in two weeks.

• The meeting was adjourned at 23:48 UTC.