3.1.   OpenID Foundation Mountainview Workshop (Mike)

April 25 @ Google.

Link: https://openid.net/2022/03/22/registration-open-for-openid-foundation-workshop-at-google-monday-april-25-2022/

Hybrid

Registration needed and is closing in a few days: https://openid.net/2022/03/22/registration-open-for-openid-foundation-workshop-at-google-monday-april-25-2022/

FAPI Presentation Deck needed.

3.2.   OpenID Foundation Berlin Workshop (Mike)

May 10, Tue.

https://www.kuppingercole.com/sessions/5048/1

3.3.   OSW 2022 (Daniel)

May 4 - 6 @ Trondheim

In-person only

https://oauth.secworkshop.events/osw2022

OIDF and Microsoft sponsored the event.

Tickets are still available.

Presentation slots are still available.

5.1.   Australia (Gail/Mike L.)

n/a

5.2.   Brazil (Mike L.)

n/a

5.3.   Berlin Group (Daniel)

Follow up meeting has not happened but wrote that they would like to discuss some FAPI technical items.

Regulators in Israel asked BG for a localized version of OB standards for their 1st phase open banking implementation. (Account info)

Looking to align second phase Payment initiation with both BG and FAPI.

Global Open Finance Technical Working Group is planning a meeting on May 5. Dave and Gail will be presenting on behalf of OIDF.

Meeting Agenda:

• Global Open Finance Technical Standards Work Group Meeting- Member Presentation:
• OpenID Foundation presentation on Open Banking, Open Data and Financial-grade APIs
• OpenID Foundation Whitepaper on Open Banking
• International movement towards Open Banking, Open Finance, and secure, consent driven access to all user data.
• Financial-Grade API (FAPI) Working Group’s experience with Open Banking ecosystems internationally
• Process of standards development, user experience, consent flow, security research Attack and threat model, mathematical proofs, testing implementations
• The role of conformance testing in driving out inefficiency and improving security
• Selected studies in implementation (UK, Australia, Brazil).
• What did we learn?
• Questions and comments
• Member Presentation: Berlin Group Story of Berlin Group and PSD2 Structure, Governance, standards development,
• Specifications rather than implementation From PSD2 to Open Finance - scope of thinking
• Exploring relationship with FAPI Questions and Comments

Interested parties can contact Brian.Costello@ed.ac.uk for more information.

5 May from 11:00 AM – 13:00 PM BST.

5.4.   FDX (Mike L.)

• n/a

5.5.   GAIN (Mike L.)

CG meeting is going well. Next one is tomorrow.

• Discussions on how participants can discover each other.

Speaking at Identity Week London Now, EIC, Identiverse, etc.

5.6.   ISO/TC68 (Nat/Dave)

• n/a

5.7.   The Middle East and North Africa (Chris)

Israel: see BG.

Saudi:

• Work is progressing on the localized standard.
• Waiting for the project to officially kick off.
• 1st standard to come in June.
• Very strong regime of certification.

Bahrain is updating their standards

UAE, Oman, Qatar, etc. would be following soon.

5.8.   Mexico (Gail)

• n/a

5.9.   Nigeria (Mike)

In the process to schedule a second call.

5.10.   OECD (Nat)

Will have the 3rd ministerial meeting in December.

A lot of accumulated cyber issues.

Call for contribution for privacy enhancing technology by April 27.

5.11.   UK (Chris)

Published ver. 3.1.10 -- final version to be published under CMA order.

What happens to OBIE, Open Finance, etc. is not known yet.

Starting to look at FAPI2

• Need incentive/rationale to uprade

5.12.   USA (Gail)

n/a

6.1.   Grant Management (Dima)

Dima working on issues

6.2.   FAPI DCR/M (Dynamic client registration and Management) (Joseph)

No updates in spec.

Brazil is using subject dn in DCR but changing CA later this year.

When clients switch certs and they change the subject DN to an invalid subject DN, they will lose control of the client until it’s manually recovered.

Need to consider possible solutions (2 phase commit?).

May want a conformance check to cover this scenario

Ralph discussed some workarounds using non-explicit string matching with certain attributes in the DN (RDN component matching)

Another option is to NOT bind the management token to the client as TLS client authentication

• Token endpoint authentication mechanism remains exact string match
• Binding of management token as a credential is done on the components of the RDN
• There are no specs that require binding of registration management tokens

A certain PKI provider has unreliable OCSP connections. Many banks plan to switch soon. Brazil PKI providers all use a slightly different DN.

Need to have a dedicated session for this problem.

6.3.   Advanced authorization (Dima)

Working on issues

6.4.   FAPI 2 Attack, Baseline and Advanced (Daniel)

• Perhaps look at the open issues at OSW.

6.5.   JARM (Brian)

• PR is being prepared.