FAPI WG Meeting Notes (2019-08-07)
Date & Time: 2019-07-31 14:00 UTC
Location: GoToMeeting https://global.gotomeeting.com/join/321819862
- 1. Roll Call
- 2. Adoption of the Agenda (Nat)
- 3. External Organizations
- 4. Pull requests
- 5. AOB
The meeting was called to order at 14:05 UTC.
- Nat Sakimura
- Dima Postnikov
- Rob Otto
- Stuart Low
- Torsten Lodderstedt
- Erick B Tedeschi
- Joseph Heenan
- Dave Tonge
- Anthony Nadalin
- Anoop Saxena
- Added External Organizations
The participants discussed for about half an hour the differences between FAPI (and related specifications) and the Australian CDS standard draft. The outcome of the discussion was that we probably need to understand the reasons for the deviations. As the next step, we decided to send a private email, as the WG, to the chair and other relevant people asking for the reasons for the deviations. Nat will create a Google document for the draft letter, and interested WG members are invited to comment on it. Please ping Nat to join the editing group.
Some concerns were raised about this pull request. Two of the main ones were:
- the code being returned in the query parameter may not be desirable from a security point of view;
- too many optionalities in the response type, which multiplies the number of test cases.
For 1., Torsten pointed out that there is no security downside to using the query parameter for the authorization response. Joseph then pointed out the WPAD attack, in which both the request and the response can be obtained. Nat pointed out that ID Token leakage is a privacy issue, but that authorization code leakage in the FAPI case is not a big problem, as the authorization code in our case is sender-constrained since there is no public client.
For 2., Torsten agreed to reduce the optionality.
There is a merge conflict right now, and this also needs to be fixed.
Torsten will fix the PR and ping the WG for the final review.
Everybody on the call agreed that this is good to go. Nat will merge the PR right after the call.
The PR was approved and will be merged right after the call.
The pre-vote is starting, but the official vote will only start next week.
- We will deal with:
  - PR #134 FAPI-RW: Apply cipher restrictions to < TLS 1.3 (https://bitbucket.org/openid/fapi/pull-requests/134/)
  - PR #129 First cut of an advice document (https://bitbucket.org/openid/fapi/pull-requests/129/)
  - PR #113 FAPI-R: Clarify authorization code reuse requirements (https://bitbucket.org/openid/fapi/pull-requests/113/)
The meeting was adjourned at 15:02 UTC.