FAPI WG Meeting Notes (2019-08-07)

Date & Time: 2019-07-31 14:00 UTC

Location: GoToMeeting

The meeting was called to order at 14:05 UTC.

1.   Roll Call

1.1.   Attending:

  1. Nat Sakimura
  2. Dima Postnikov
  3. Rob Otto
  4. Stuart Low
  5. Torsten Lodderstedt
  6. Erick B Tedeschi
  7. Joseph Heenan
  8. Dave Tonge
  9. Anthony Nadalin

1.2.   Regrets:

  1. Anoop Saxena

2.   Adoption of the Agenda (Nat)

  • Added External Organizations

3.   External Organizations

3.1.   Australia

The participants discussed for about half an hour the differences between FAPI and related specifications and the Australian CDS standard draft. The outcome of the discussion was that we probably need to understand the reason for the deviations. As the next step, we decided to send a private email from the WG to the chair and other relevant people asking for the reasons for the deviations. Nat will create a Google document for the draft letter, and interested WG members are invited to comment on it. Please ping Nat to join the editing group.

4.   Pull requests

4.1.   PR #131 first proposal to integrate JARM as equal option (Torsten)

Some concerns were raised for this pull request. Two of the main ones were:

  1. The code being returned in the query parameter may not be desirable from a security point of view;
  2. Too many options in the response type, which multiplies the number of test cases.

For 1., Torsten pointed out that there is no security downside to using the query parameter for the authorization response. Joseph then pointed out the WPAD attack, in which both request and response can be obtained. Nat pointed out that ID Token leakage is a privacy issue, but authorization code leakage in the FAPI case is not a big problem, as the authorization code in our case is sender-constrained because there are no public clients.

For 2., Torsten agreed to reduce the optionality.

There is a conflict right now and this also needs to be fixed.

Torsten will fix the PR and ping the WG for the final review.
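The point raised for 1. above, that a leaked authorization code is of limited use when every client is confidential, can be illustrated with a small simulation of an authorization server's code store and token endpoint. This is an added example, not code from the FAPI WG or from any of the pull requests discussed; the client registry, the shared-secret client authentication (standing in for the private_key_jwt or mTLS authentication FAPI actually requires), the redirect URIs and the 60-second code lifetime are all constructed assumptions for the demonstration.

```python
"""Added example: a leaked authorization code alone does not yield a token
when the code is bound to a confidential client, single-use and short-lived.
Simulates the authorization server side only; HTTP is omitted."""
import hmac
import secrets
import time

# Constructed registry of confidential clients (client_id -> credential).
# A shared secret stands in for private_key_jwt / mTLS client authentication.
CLIENTS = {
    "tpp-app": "tpp-secret-constructed",
    "other-client": "other-secret-constructed",
}


class AuthorizationServer:
    """Minimal code store plus token endpoint for the simulation."""

    def __init__(self, code_ttl_seconds=60):
        self._codes = {}
        self.code_ttl = code_ttl_seconds

    def issue_code(self, client_id, redirect_uri, now=None):
        """Issue a code bound to the requesting client and its redirect_uri."""
        code = secrets.token_urlsafe(24)
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "issued": time.time() if now is None else now,
            "used": False,
        }
        return code

    def authenticate_client(self, client_id, credential):
        """Confidential clients must authenticate at the token endpoint."""
        expected = CLIENTS.get(client_id)
        return expected is not None and hmac.compare_digest(expected, credential)

    def token(self, code, client_id, credential, redirect_uri, now=None):
        """Token endpoint: every check below must pass before a token is minted."""
        if not self.authenticate_client(client_id, credential):
            return {"error": "invalid_client"}
        rec = self._codes.get(code)
        now = time.time() if now is None else now
        if (
            rec is None
            or rec["used"]                               # single use
            or rec["client_id"] != client_id             # bound to issuing client
            or rec["redirect_uri"] != redirect_uri       # bound to redirect_uri
            or now - rec["issued"] > self.code_ttl       # short-lived
        ):
            return {"error": "invalid_grant"}
        rec["used"] = True
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def leaked_code_scenario():
    """Walk through what an observer of the front-channel redirect can do
    with the code, versus the legitimate client. Returns the outcome labels."""
    srv = AuthorizationServer()
    legit_uri = "https://tpp.example/cb"          # constructed
    code = srv.issue_code("tpp-app", legit_uri)   # code visible in the query string

    outcomes = []
    # Observer has the code but no client credential.
    r = srv.token(code, "tpp-app", "guess", legit_uri)
    outcomes.append(r.get("error", "token"))
    # Observer authenticates as a different registered client.
    r = srv.token(code, "other-client", CLIENTS["other-client"], legit_uri)
    outcomes.append(r.get("error", "token"))
    # Legitimate client redeems the code.
    r = srv.token(code, "tpp-app", CLIENTS["tpp-app"], legit_uri)
    outcomes.append(r.get("error", "token"))
    # Replay of the already-redeemed code, even by the legitimate client.
    r = srv.token(code, "tpp-app", CLIENTS["tpp-app"], legit_uri)
    outcomes.append(r.get("error", "token"))
    return outcomes


if __name__ == "__main__":
    print(leaked_code_scenario())  # ['invalid_client', 'invalid_grant', 'token', 'invalid_grant']
```

The checks in `token()` are the ones that make the code sender-constrained in practice: client authentication, binding to the issuing `client_id` and `redirect_uri`, single use and a short lifetime. An ID Token in the same redirect would carry claims readable by the observer directly, which is why the notes treat ID Token leakage as a privacy concern while treating code leakage as a smaller problem in the confidential-client setting.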

5.   AOB

5.1.   FAPI CIBA Implementer's Draft

Pre-vote is starting but the official vote will only start next week.

5.2.   Next Call

  • We will deal with:

    1. PR #134 FAPI-RW: Apply cipher restrictions to < TLS 1.3
    2. PR #129 First cut of an advice document
    3. PR #113 FAPI-R: Clarify authorization code reuse requirements

  and others.

The meeting was adjourned at 15:02 UTC.