FAPI WG Agenda & Meeting Notes (2022-04-21)
Date & Time: 2020-04-22 01:00 UTC 17:00 PST (5pm)
Location: GoToMeeting https://global.gotomeeting.com/join/321819862
Agenda
The meeting was called to order at 01:00 UTC.
1. Roll Call (Anoop)
- Attending: Nat, Dima, Ed, Mark, Anoop.
- Regrets:
Agenda/notes:
- Reviewed Atlantic notes
- Update from Australia
- Election in May. From an operational perspective - caretaker mode. BAU mode. Security research will continue, with the Australian research group working with the Stuttgart group.
- Issue #469. Version profile. This was discussed in the Atlantic call, and there is a different point of view. If there is a different POV then we should update the issue.
- How is the transition between supporting FAPI profiles? Mark to review and provide input.
- Change name of FAPI Issue #479.
- There is pushback on the name proposal. The concern/sentiment was that it already provides a level of financial grade that even a financial entity can implement. They did not want yet another name change. More constructive was an explanation of the financial grade level. Fortified means something but is not as concrete as Financial Grade, which is explained as a financial grade level.
- FAPI1Adv - Issue #494
- It may cause an interoperability issue. It is not prohibited in the spec to return only the subset; it could expand the scope at its discretion.
- Expected: The spec should generate an error when a subset is returned. Not to return a scope that has not been asked for.
- Issue #493 - Certification query. For FAPI2, support of DPoP, RFC 8705, but if we expand to DPoP it creates complexity.
- The FAPI2 test suite is available now; a few issues need clarification and are being worked on.
- Issue 492 (PR #327) - Security hole in Java for ECDSA, and it is pretty serious. You can bypass the security signature. Java versions after 15, and Oracle released a hot fix (it could be related).
- Liaisons:
- Lots of action in the Middle East. Starting to require continuous testing/certification. 3rd-party certification.
- Mark's PoV - This should be the norm, and it is good to see that some other jurisdictions are requiring it. The role different industry position that will support ongoing re-testing against FAPI.
- Rotating keys with every certification test, and the log should reflect it. Continuous certification is hard, and should we redact the logs? The certification team is looking into it.
- The meeting was adjourned at 01:48 UTC.
2. Next Call
The next call will be a Pacific call. The next Pacific call will be in two weeks (05-05-2022 @ 5pm PST; UTC - 05-06-2022 1:00 AM).