Clone wiki

fapi / FAPI_Meeting_Notes_2019-08-28_Atlantic

FAPI WG Meeting Notes (2019-08-28)

Date & Time: 2019-08-28 14:00 UTC

Location: GoToMeeting

The meeting was called to order at 14:05 UTC.

1.   Roll Call

1.1.   Attending:

  1. Brian Campbell (Ping Identity)
  2. Dave.Tonge (Moneyhub)
  3. Dima Postnikov
  4. Don Thibeau
  5. Joseph Heenan
  6. Kosuke Koiwai (KDDI)
  7. Nat Sakimura
  8. Stuart Low
  9. Torsten Lodderstedt (

2.   Adoption of the Agenda (Nat)

Follwoing two items has been added specifically.

  • Pull request 137 (Torsten)
  • Outreach (Don)

3.   Outreach Activities (Don)

Two white papers are being prepared Dummies guide for FAPI and Self-certification. The draft should be ready in one or two weeks.

Joint white-paper with Financial Data Exchange (FDX) It will be discussed in FDX developer conference on Sept. 11 and 12. FDX has invited OIDF members to join FDX. Folks who want to join FDX should email Don.

Micro site "all things fapi" has been created. Next week, OIDF EC will be reviewing it.

FAPI will be the key topic for OpenID Foundation Workshop in Mountain View on Sept. 30. at Verizon HQ. New members like Akamai and Ebay will be attending it. Workshop agenda is available on Eventbrite.

4.   Pull request 137 (Torsten)

There were some discussion around whether alg=none should be used or separate parameter such as request_raw to send unsigned request. The reason for not using alg=none is to avoid propagating the public perception about the insecurity of JWT.

Also, there was some discussion around whether it should be raw=form encoded or base64url encoded if a separate parameters were to be used.

It seemed everybody was on the fence and as we could not reach a definitive conclusion on it, it was decided that just to accept the pull request as is and come back to the issue later with more implementation experiences.

5.   External Organizations

5.1.   Australia (Dima/Stuart)

  • Response letter was received on August 27 and forwarded to LC on Aug 28.
  • Some of their reading of security analysis seems to be misguided.
  • The letter also is almost exclusively talking about the security analysis and not about interoperability and the compatibility with existing infrastructure.
  • There was some concern expressed on the WTO Technical Barrier to Trade issues on creating and mandating a national standard that is incompatible with international standards.
  • Nat asked Don to involve certification team to do more in-depth analysis and drafting of the response. The certification team will have a call this Friday and Joseph will brief them of it.
  • The topic will be discussed again in the next Pacific call.

5.2.   Open Banking (Dave)

  • 6 month extension to enforcement of RTS granted in the UK
  • It seems to be replicated all over the EU.

6.   AOB

6.1.   FAPI CIBA Profile Implementer's Draft

Dave informed the group that the draft passed the vote. Now it is an implementer's draft.

Joseph asked Brian to run the CIBA test against the CIBA test suite.

The meeting was adjourned at 15:04 UTC.