FAPI WG Meeting Notes (2020-10-28)

Agenda

The meeting was called to order at 14:03 UTC.

1. Roll Call

There will be Keynote at OIDF Workshop today focused on FAPI with panelists (Nat Sakimura, Don Cardinal, Anoop Saxena)
Looks at practical next steps forward
Serve members by avoiding duplication of efforts in regards to how FDX uses FAPI and current requirements for people to become members of both orgs
Set closer collaboration for FAPI 2.0 with FDX

Taskforce: Banks only. Now other FIs including insurance.
Advisory board: Francis sits here.
Published open findings of the framework
Berlin Group Next Gen
Tool is renamed to Open Finance RP Framework
Broadening the scope beyond banking to include financial assets , bankable assets
Berlin group is structured into 2 main groups,
- task force, was limited to banks, now open for insurances and all financial institutes
- Advisory board, constituted of the markets
  - Francis is a member
  - Will be renamed to Open Finance Advisory Board, includes service providers, TPPs, and other market players
- Press releases coming out
- Francis will keep track
- Going towards sharing more than just banking data
- Still have problem of authorization and API mixed into single interface
  - Francis putting pressure to split it
  - FAPI can be reused for other areas instead of reinventing everything
- Don asked if OIDF can be member or observer of board
  - Francis will address this with 2 chairs
- Board has quarterly meetings
  - Members elect 10 board members
  - OIDF can join as member now and be eligible for board for 2021-2022 term
  - Francis will invite Don to the next session
- Francis asked if OIDF proposed liaison agreement to Berlin group
  - Agreement was proposed earlier pre-Covid, still no response
  - Francis will attempt to get agreement through the board instead of task force
  - Don volunteered Torsten to join discussions

OBE signature profile coming out.
They did not accept base64url encode payload proposal.
OBE talking about detached signatures, and RFC 7797 encodes the payload but OBE signing digest headers only
WG has a working document regarding requirements for signing compile dby Joseph
WG decided to make draft for non-repudiation
Will need initial draft for adoption
Stuart asked if we should have a separate profile for non-repudiation or make it part of FAPI 2.0
Might be better to have a profile that can be referenced from FAPI 2.0
Brian suggested to keep it simple and prevent scope creep.
Current available signing standards don’t seem to meet requirements or still work in progress
Dave, Francis, and Brian will be coming up with a signature draft for the WG to consider.

Consent revocation proposal adds a lot of complexity. There is no standards to built upon.

https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/247
Big 4 banks and recipients going into Phase 2 of consumer data sharing
- Includes new products
- Tweaks to information security profile
- Joint accounts
- Still finalizing consultation, looks very complex
  - No existing technical standards available to achieve goals
    - Intermediaries
    - Cascading consents (communicating consents via third parties)
- OAC conformance testing
  - Joseph has CDR version of test on production and certification
- Joseph still finalizing Australian response letter
  - Still don’t know where to send it
  - Might be better to do open letter and CC the chair

issue ~~#330~~ - potentially misleading language WRT JWT ATs - language is confusing
- Suggested removing "opaque"
- Intent is tat AT is not to be consumed by clients
- remove "opaque" and reword note, make it similiar to RFC 6749 language that AT is usually opaque to clients
- No PR yet
issue ~~#317~~
- Reassigned to Dave

The meeting was adjourned at 15:00 UTC.