FAPI WG Agenda & Meeting Notes (2022-04-21)

Date & Time: 2020-04-22 01:00 UTC 17:00 PST (5pm)

Location: GoToMeeting https://global.gotomeeting.com/join/321819862

The meeting was called to order at 01:00 UTC.

1.   Roll Call (Anoop)

  • Attending: Nat, Dima, Ed, Mark, Anoop.
  • Regrets:
Agenda/notes:
  • Reviewed Atlantic notes
  • Update from Australia
    • Election in May. From an operational perspective: caretaker mode, BAU mode. Security research will continue, with the Australian research group working with the Stuttgart group.
  • Issue #469. Version profile. This has been discussed in the Atlantic call and there is a different point of view. If there is a different POV, then we should update the issue.
    • How is the transition between supporting FAPI profiles handled? Mark to review and provide input.
  • Change name of FAPI, Issue #479. There is pushback on the name proposal. The concern/sentiment was that it already provides a level of financial grade that even a financial entity can implement. They did not want yet another name change. More constructive was an explanation of the financial grade level. "Fortified" means something, but it is not as concrete as "Financial Grade", which is explained as a financial grade level.
  • FAPI1Adv - Issue #494
    • It may cause interoperability issues. The spec does not prohibit returning only a subset; it could expand the scope at its discretion.
    • Expected: The spec should generate an error when a subset is returned, and a scope that has not been asked for should not be returned.
  • Issue #493 - Certification query. For FAPI2, support of DPoP, RFC 8705, but if we expand to DPoP it creates complexity.
  • The FAPI2 test suite is available now; a few issues need clarification and are being worked on.
  • Issue 492 (PR #327) - Security hole in Java for ECDSA, and it is pretty serious. You can bypass the security signature. Java versions after 15, and Oracle released a hot fix (it could be related).
  • Liaisons:
    • Lots of action in the Middle East. Starting to require continuous testing/certification. 3rd-party certification.
      • Mark's PoV - This should be the norm, and it is good to see some other jurisdictions requiring it. The role different industry position that will support ongoing re-testing against FAPI.
      • Rotating keys with every certification test, and the log should reflect this. Continuous certification is hard; should we redact the logs? The certification team is looking into it.
  • The meeting was adjourned at 01:48 UTC.

2.   Next Call

The next call will be a Pacific call. The next Pacific call will be in two weeks (05-05-2022 @ 5pm PST; UTC: 05-06-2022 1:00 AM).