fapi / FAPI_Meeting_Notes_2022-02-02_Atlantic

FAPI WG Meeting Notes (2022-02-02)

The meeting was called to order at 14:03 UTC.

1.   Roll Call (Dave/Nat)

  • Attending:
    • Ali Adnan
    • Brian Campbell
    • Chris Michael
    • Dave Tonge
    • Dima Postnikov
    • George Fletcher
    • Joseph Heenan
    • Kosuke Koiwai
    • Michael Palage
    • Mike Leszcz
    • Nat Sakimura
    • Domingos Creado
    • Lukasz Jaromin
    • Ralph Bragg
    • Rifaat Shekh-Yusef
    • Takahiko Kawasaki
  • Regrets:
  • Guest:

3.   Events (Dave/Nat)

3.1.   Identiverse

June 21, 2022 Denver, Colorado

https://identiverse.com/

Awaiting results for speakers.

3.2.   EIC

The EIC closing date for proposals is Feb 28 - https://www.kuppingercole.com/events/eic2022/callforspeakers

OIDF will host a workshop on Tuesday, 9:00 AM - 12:30 PM local time.

Will have a different agenda this year.

  • There will be pre-conference workshops.
  • Deeper technical dive workshops on Wednesday and Thursday.

Presenters are being accepted.

George will talk about Dynamic Client Registration.

3.3.   TechSprint (Michael Palage)

FDIC and FinCEN event focusing on identity.

Planning on accepting 10 teams/participants for 6-week event.

There will be two weeks at the end of January to solicit interest.

Selected teams will have 6 weeks to formulate proposals and present them to a panel.

Judges will select winners for several categories.

4.   External Organizations (Dave/Nat)

4.1.   Australia (Gail/Mike L.)

There was a call with the CDR team to follow up on the FAPI 2 security analysis and to identify which university would participate, possibly in partnership with the University of Stuttgart.

There were some discussions about certification for Australia and Joseph will follow up.

4.2.   Brazil (Mike L.)

Currently, still receiving some RP certifications.

Still waiting to confirm details for CIBA certification for Brazil, which was originally scheduled for the end of Q1/beginning of Q2. Most likely it will be extended.

4.3.   Berlin Group (Dave)

Waiting to hear from them. Dave will follow up.

4.5.   GAIN (Gail/Mike L.)

Draft MOU for G5 has been presented for feedback and will be presented to the executive committee this Thursday for review and approval.

Participation agreement has been circulated. Comments are due at the end of today (Feb 2, 2022).

POC agreement will be reviewed with EC Thursday also.

4.7.   ISO/TC68 (Nat/Dave)

  • ISO NP 24377 Natural person identifier (NPI) -- authentication, issuance and identification

New work is being started. Will need to keep updates on it.

4.8.   The Middle East and North Africa (Ali)

Waiting for OIDF response to MOU.

DFC made a request for a 2 or 3 page document summarizing what OIDF does so they can explain it to counterparties within their organization.

Ali will follow up with Mike and Gail.

4.9.   Nigeria (Gail)

Gail is in talks with Open Banking Nigeria and will have a call in a couple of weeks.

4.13.   USA (Gail)

NIST.IR.8389-draft - https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8389-draft.pdf

We will discuss it as an independent topic below.

5.   Draft NISTIR8389 Cybersecurity Considerations for Open Banking Technology and Emerging Standards

https://docs.google.com/document/d/10GTmFGtyZO96CpigzvZ1kyl5rIqVqsjwfR9IMAay3yk/edit

Comments are due March 3, 2022.

Dima started working on a response.

Dima went over the basic structure of the document:

  • Basic introduction on Open Banking.
  • Described use cases and the current state of various jurisdictions: UK, US, AU, India.
    • People from these jurisdictions should review.
  • Very small section on API security.
    • OIDF can help with this section.
    • Can talk about formal security analysis, OAuth 2 best security practices, best current practices.
    • This section is very concerning since NIST papers are trusted sources of information around the world.
  • Use cases are not comprehensive.
    • Use cases have different importance in different markets.
    • Doesn't talk about alternatives to card payments and retail payments.
  • Purpose, audience, and significance of the paper are unclear, which makes it difficult to decide if it even warrants a response.
  • Title mentions Cybersecurity Considerations but there is not much content regarding it.

Response format will be decided depending on the amount of commentary.

WG previously discussed getting in touch with the authors.

Need more feedback from a wider audience.

Focus feedback on 7.3.

6.   Response to OIDF Strategic Taskforce

The Strategic Task Force, a subset of the Board, is keen to learn more about how OIDF might support healthcare and IoT use cases. At least one market is considering FAPI for healthcare. IoT is another area where our standards might find traction. If you or one of your colleagues have experience and relationships in those domains, please contact Gail (gail@oidf.org) and/or Mike Leszcz (mike.leszcz@oidf.org), as we're keen to see how we might add value to those domains.

Currently coordinating a call with Deb Bucci, former co-chair of HEART WG, regarding healthcare.

8.   PRs (Dave/Nat)

  • PR #305 - FAPI2 Baseline: Align the chapter etc. structure to FAPI 1
    • OK to merge
  • PR #307 - Rework the TLS section re issue 461

9.   Issues (Dave/Nat)

  • #469 - Add protocol version and variant identifier
    • Need more details on where the version and identifiers are sent, e.g. on every call, at registration, etc.
    • Sounds like a version of API security instead of a version of the API. This might confuse people.
    • It’s needed so that appropriate verification methods can be invoked.
    • Might be easier just to document which FAPI version an API conforms to.
    • Building the conformance level into the messaging layer doesn’t seem like a good idea and might create interoperability problems.
    • Need more discussion and a concrete text proposal.
  • #410 - FAPI and UMA 2.0
    • Perform analysis for using UMA with FAPI
    • UK Pensions Dashboard project is planning to use UMA
    • Can be used for delegated authorizations and step up authentication.
    • Can use existing acr claim to do step up authentication.

10.   AOB (Nat)

The call adjourned at 15:00 UTC.