1.1.   Attending:

1. Nat
2. Bjorn
3. Brian
4. Daniel
5. Dave
6. Dima
7. Ian Lowe
8. Joseph
9. Kousuke
10. Rob Otto
11. Torsten
12. Mark Haine
13. Nick Cuthbert

1.2.   Regrets:

3.1.   Swift Conference/FAPI F2F

• Around Feb. 18. FAPI F2F. Don is finalizing.
• Likely to be 17th.
• FAPI and eKYC F2F.
• Tony is securing the room.

3.2.   Identiverse Presentation Submission

• Due date: January 10.

4.1.   OAuth JAR (Nat)

• Merge is bad.

• client_id and response_type - interop. Perhapss add a note?

  • Add a note suggesting for backward compatibility, add these and match.

4.2.   OAuth PAR (Torsten)

• WG adopted PAR.

4.3.   OAuth RAR (Torsten)

• Please cast +1 to the OAuth thread.
• Need to develop Roadmap to include PAR and RAR.

4.4.   #163 Security Model (Daniel)

• https://docs.google.com/document/d/1Lo2LCV5eV7iVGbsM0C7i3pL1nWRftfqjpfFCx5Q3Pds/edit#heading=h.u85w4jb6qchc
• https://docs.google.com/spreadsheets/d/1PtG4f-Svils7wHBa7cGaZubbh-6lGifce38c_oShSss/edit#gid=550739163

WG discussed the initial text created by Daniel.

• https://bitbucket.org/openid/fapi/issues/163/more-description-of-the-security-model
• https://docs.google.com/spreadsheets/d/1PtG4f-Svils7wHBa7cGaZubbh-6lGifce38c_oShSss/edit

They generally agreed that the attacker model is about right. Daniel also pointed out that there is one attack that we do not have a solution for. (PKCE chosen text attack.)

WG members are invited to make comments on the document and the ticket. If it is a concrete change proposal to the document, it should go to the document itself. If it is a more general discussion, it should go to ticket #163.