fapi / FAPI_Meeting_Notes_2020-10-21_Atlantic

FAPI WG Meeting Notes (2020-10-21)

The meeting was called to order at 14:03 UTC.

1.   Roll Call

  • Attending: Nat, Kosuke, Don, Ralph, Daniel, Joseph, Stuart, Brian, Francis, Steiner Dave, Brian, Bjorn, Dave, Dima
  • Regrets:
  • Guest:

2.   Adoption of Agenda (Nat)

  • Events
  • External Orgs
  • PRs

3.   Events

3.1.   IIW (Nat)

It is going on this week. Lots of sessions around decentralized identity.

3.2.   FDX/OIDF (Don)

You are not required to register for the workshop as a presenter, but you are welcome to do so. This is a direct link to the virtual workshop session:

The workshop will provide workgroup progress and summaries of activities.

There will be a keynote focused on FAPI with panelists (Nat Sakimura, Don Cardinal, Anoop Saxena).

3.3.   IdentityNorth (Nat)

Will be on 10/28-10/29, mostly about distributed decentralized identity

4.   External Organizations

4.1.   Berlin Group (Francis)



4.2.   ETSI (Torsten/Dave)

There was a meeting to discuss the draft, which was attended by one person.

4.3.   Australia (Stuart)

  • Treasury is taking over responsibility for the Rules from the ACCC, and some of the register components.
  • Daniel MaAuliffe, OpenBanking product owner inside the Treasury, seems to be listening.
  • The big four mentoring meeting - doesn’t look like any of them will meet 100% of the requirements for the November deadline.
    • There are exemptions until Feb 2021 for PAR
  • Intuit is officially a data recipient by ACCC - requires (ASAE) 3150
  • Only a 5th bank - Rachel Australia Bank will meet requirements
  • There's consultation on the next round of rules that's going to alleviate or soften the accreditation.
  • May draft an open letter to them.

5.   PRs (Dave/Nat)

  • pull request #199
    • editorial / accepted
  • pull request #200 regarding returning PII in ID Token
    • Encryption is not encouraged, claims can be returned in the back channel
    • Encryption is bad for third parties
    • Change to "should not return PII in ID Token, but if you do, then you should encrypt"
  • pull request #198 - unclear TLS ciphersuites language
    • Joseph concerned about new text.
    • BCP195 had recommended and permitted ciphers
    • Don’t want to allow not permitted ciphers
    • Old text allows only BCP195 permitted ciphers whereas new text allows non-permitted ciphers.
    • Old disability/accessibility software may be using old ciphers which will limit their access.
    • To be continued...
  • pull request #197 - added BCP195 reference links
    • Accepted
  • issue #329 - Rename FAPI Titles
    • Most support for changing to Part 1: Baseline and Part 2: Advanced
    • Keeping "Part 1" and "Part 2" since they will be submitted to ISO which will require putting these in the titles
    • Daniel concerned that Part 1 Advanced is closer to FAPI 2.0 Baseline
  • pull request #163 - mix-up mitigation
    • Not sure whether to go with issuer parameter or new mechanism
    • OAuth WG proposing mix-up mitigation proposal draft
    • Can either standardize at OAuth or FAPI WGs
  • issue #330 - potentially misleading language WRT JWT ATs - language is confusing
    • Suggested removing "opaque"
    • Intent is that AT is not to be consumed by clients
    • Remove "opaque" and reword note, make it similar to RFC 6749 language that AT is usually opaque to clients

6.   Drafts progress

6.1.   FAPI 2.0 Baseline (Daniel)

  • Need to bring in more reviewers.

6.2.   FAPI 2.0 Advanced (Daniel)

  • Main sticking point is signatures. #309.
  • ETSI and OBIE discussion is relevant.

8.   AOB

The meeting was adjourned at 15:00 UTC.