FAPI WG Meeting Notes (2022-04-27)
- Date & Time: 2022-04-27T14:00Z
- Location: GoToMeeting https://global.gotomeeting.com/join/321819862
- Self: https://bitbucket.org/openid/fapi/wiki/edit/FAPI_Meeting_Notes_2022-04-27_Atlantic
Agenda
- 1. Roll Call (Nat/Dave)
- 2. Adoption of Agenda (Nat)
- 3. Events (Nat)
- 4. Internal Liaison (Nat)
- 5. External Organizations (Nat)
- 5.1. Australia (Mike L.)
- 5.2. Brazil (Mike L.)
- 5.3. Berlin Group (Daniel)
- 5.4. EU DIW ARF (Gail)
- 5.5. FDX (Rifaat)
- 5.6. GAIN (Dima)
- 5.7. IETF OAuth WG (Rifaat)
- 5.8. ISO/TC68 (Nat/Dave)
- 5.9. The Middle East and North Africa (Chris)
- 5.10. Mexico (Gail)
- 5.11. Nigeria (Mike)
- 5.12. OECD (Nat)
- 5.13. UK (Chris)
- 5.14. USA (Gail)
- 6. Specs (Dave)
- 7. PRs (Dave)
- 8. Issues (Dave)
- 9. AOB (Nat)
The meeting was called to order at 14:__ UTC.
1. Roll Call (Nat/Dave)
- Attending:
- David Januchowski
- Filip Skokan
- Joseph Heenan
- Elizabeth Garber
- Nat Sakimura
- Dave Tonge
- Takahiko Kawasaki
- Brian Campbell
- Lukasz Jaromin
- Dima Postnikov
- Craig Borysowich
- Domingos Creado
- Chris Michael
- Michael Palage
- Bjorn
- Regrets:
- Guest:
3. Events (Nat)
3.1. OSW 2022 (Daniel)
May 4 - 6 @ Trondheim, in-person only
https://oauth.secworkshop.events/osw2022
Event is now sold out
3.2. EIC/OpenID Foundation Berlin Workshop (Mike)
May 10, Tue.
5. External Organizations (Nat)
5.6. GAIN (Dima)
Group is still forming
Looking at different options for trust management
- How to trust participants from different ecosystems
- How to determine the level of trust and level of participation in the network
FAPI is used together with eKYC for identity assurance
5.7. IETF OAuth WG (Rifaat)
Call for adoption for the Step Up Authentication draft by Brian and Vittorio
5.12. OECD (Nat)
- n/a
5.13. UK (Chris)
- n/a
5.14. USA (Gail)
- n/a
6. Specs (Dave)
6.1. Grant Management (Dima)
Will work on issues at OSW and EIC
8. Issues (Dave)
8.1. #493 - certification query: supply of TLS client certs & use of mtls_endpoint_aliases
It’s about mtls_endpoint_aliases and how that works and certification
It’s problematic when used with ecosystems and PAR
In UK, banks all have MTLS protected endpoints
FAPI required MTLS sender constraining at the token endpoint
There are doubts on when mtls_endpoint_aliases should be used if MTLS is required on top of private key JWT
Client behavior is not defined
Some view that MTLS is just a transport layer and the client should not need to care
If there is a need to use MTLS and non-MTLS endpoints, there is no need to use mtls_endpoint_aliases
Problem can be solved by mtls offload proxies
Not sure how to implement the conformance test due to uncertainty
Current 3 FAPI ecosystems are requiring MTLS everywhere, will be problematic if each uses different approach for using mtls_endpoint_aliases
Should be treated as transport layer
Should FAPI 2 Advanced have a use case for using MTLS everywhere and add a note on how to interpret the use of mtls_endpoint_aliases?
Joseph will summarize the issue and draft a PR with note.
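As an added illustration of the ambiguity discussed above (this is example code, not from the meeting or any FAPI or RFC text): a client-side endpoint resolver following one reading of RFC 8705 section 5, where the aliases apply whenever the client "intends to do mutual TLS", which covers both mTLS client authentication and certificate-bound tokens obtained with private_key_jwt. The AS metadata document is constructed; only the token endpoint has an alias, the PAR endpoint does not.

```python
# Added example: resolving AS endpoints when mtls_endpoint_aliases is present.
# Metadata below is constructed for illustration, not from any real AS.
from urllib.parse import urlparse

MTLS_AUTH_METHODS = {"tls_client_auth", "self_signed_tls_client_auth"}

# Constructed AS metadata: the token endpoint has an mTLS alias, the PAR
# endpoint does not, which is the mixed situation the discussion points at.
AS_METADATA = {
    "issuer": "https://as.example",
    "token_endpoint": "https://as.example/token",
    "pushed_authorization_request_endpoint": "https://as.example/par",
    "tls_client_certificate_bound_access_tokens": True,
    "mtls_endpoint_aliases": {
        "token_endpoint": "https://mtls.as.example/token",
    },
}


def client_intends_mtls(auth_method: str, cert_bound_tokens: bool) -> bool:
    """One reading of RFC 8705 s5: aliases apply to a client doing mTLS
    client authentication OR expecting certificate-bound access tokens.
    A FAPI client using private_key_jwt plus mTLS sender-constraining is
    therefore in scope even though it never authenticates with its cert."""
    return auth_method in MTLS_AUTH_METHODS or cert_bound_tokens


def resolve_endpoint(metadata: dict, name: str, auth_method: str,
                     cert_bound_tokens: bool) -> str:
    """Return the URL the client should call for endpoint `name`."""
    conventional = metadata.get(name)
    if conventional is None:
        raise KeyError(f"AS metadata has no {name}")
    if not client_intends_mtls(auth_method, cert_bound_tokens):
        return conventional
    alias = metadata.get("mtls_endpoint_aliases", {}).get(name)
    if alias is None:
        # No alias published for this endpoint: fall back to the conventional
        # URL and present the certificate there (the "mTLS everywhere" case).
        return conventional
    # Defensive check: an alias must itself be an https URL; a metadata
    # document that says otherwise is rejected rather than silently used.
    if urlparse(alias).scheme != "https":
        raise ValueError(f"non-https mtls alias for {name}: {alias}")
    return alias


if __name__ == "__main__":
    print(resolve_endpoint(AS_METADATA, "token_endpoint", "private_key_jwt", True))
```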
8.2. #495 - Certification: Requirements for alg support in RPs/OPs
Should certification reflect support for the various algs? Doing so will allow discovery of problems with various algs but will make certification tables unwieldy. There will be a presentation problem.
If certifying for EdDSA, will have to support DPoP, private_key_jwt and OpenID
Google has a crypto test suite with test vectors for testing correct implementation
Could add some of those tests into the certification suite.
Should FAPI test the JOSE specs as much as possible?
Doing so could add lots of complexity.
There is no clear line of distinction on what should be tested at which level.
Should the certification suite be responsible for testing them?
Joseph and his team to investigate and summarize the issue.
Testing every possible combination is impossible but maybe a few select tests.