FAPI WG Meeting Notes (2022-06-01)
- Date & Time: 2022-06-01T14:00Z
- Location: GoToMeeting https://global.gotomeeting.com/join/321819862
- Self: https://bitbucket.org/openid/fapi/wiki/edit/FAPI_Meeting_Notes_2022-04-13_Atlantic
Agenda
- 1. Roll Call (Nat/Dave)
- 2. Adoption of Agenda (Nat)
- 3. Events (Nat)
- 4. Internal Liaison (Nat)
- 5. External Organizations (Nat)
- 5.1. Australia (Mike L.)
- 5.2. Brazil (Mike L.)
- 5.3. Berlin Group (Daniel)
- 5.4. Canada (Gail)
- 5.5. EU DIW ARF (Gail)
- 5.6. FDX (Rifaat)
- 5.7. GAIN (Dima)
- 5.8. IETF OAuth WG (Rifaat)
- 5.9. ISO/TC68 (Nat/Dave)
- 5.10. The Middle East and North Africa (Chris)
- 5.11. Mexico (Gail)
- 5.12. Nigeria (Mike)
- 5.13. OECD (Nat)
- 5.14. UK (Chris)
- 5.15. USA (Gail)
- 6. Specs (Dave)
- 7. PRs (Dave)
- 8. Issues (Dave)
- 9. AOB (Nat)
The meeting was called to order at 14:__ UTC.
1. Roll Call (Nat/Dave)
- Attending:
- Bjorn Hjelm
- Dave Tonge
- David Januchowski
- Dima
- Gail Hodges
- Joseph Heenan
- Kosuke Koiwai
- Lukasz Jaromin
- Mike Leszcz
- Nat Sakimura
- Takahiko Kawasaki
- Brian Campbell
- Danillo Branco
- Don Thibeau
- Filip Skokan
- Regrets:
- Guest:
3. Events (Nat)
3.1. Identiverse (Mike)
- F2F FAPI meeting Wednesday 6/22 normal meeting time
- Remote attending available.
4. Internal Liaison (Nat)
4.1. Certification (Joseph/Mike)
- Norway Health Group testing FAPI 2.
- PayPal
- Discussed interoperability challenges in implementing FAPI in various jurisdictions
- Indicated they will move onto FAPI 2
- Testing FAPI 2 tests
- Will have meeting later
4.2. Security Analysis
- Questions from analysis team:
- Which commit to analyse?
- Contact points?
- Use Mailing list
5. External Organizations (Nat)
5.1. Australia (Mike L.)
- Work of FAPI 2.0 security analysis on the way @ U. Stuttgart.
- Gail was introduced to South Wales University of Australia who will help with the analysis
5.2. Brazil (Mike L.)
- Still trying to finalize CIBA for Open Banking.
- Outreach Workshops for Open Insurance in July and August
- Will cover specs and conformance testing and submission
- Phase 2 certifications to start in September 2022
- Working on finalizing recommendation changes to certification program requested by Brazil and Saudi
5.4. Canada (Gail)
- Discussed Feedback response for FAPI 2 on Canadian OB policy requirements
- https://docs.google.com/document/d/1-99-DU_B24NjywHpD_zS-Ga5FLoXgghRaL0DB91PvB0/edit
- Accessible and inclusive for all accredited system participants without requiring additional arrangements (such as bilateral contracts)
- FAPI specs are open and do not require contracts for usage
- Add that specs are IPR protected to protect implementors from getting sued
- Enable a positive consumer experience without overly onerous steps that the consumer must follow to realize the benefits of open banking
- FAPI only defines the wire protocol
- Ecosystems define the user experience guidelines
- FAPI supports a range of user experiences
- Enable the safe and efficient transfer of data among system participants
- Specs are formally verified
- Certification program verifies implementations
- Serves as an *informal*, global defense against the global threat of criminal networks and rogue nation states…
- Capable of evolving with technological change to keep pace with the rapidly evolving sector
- Add that FAPI is expanding breadth of capabilities (e.g. Grant Management, CIBA, Dynamic Client Registration)
- Mention various OIDF work (GAIN, Open Data/Health, Verifiable Credentials, etc…)
- Canadian Participants can join OIDF to participate in work
- Sufficiently flexible to enable the development of new and innovative products
- FAPI specs do not only apply to OB and Finance but to others (Insurance, telecom, health, etc…)
- Can explore options for other applications
- Compatible and interoperable with international approaches
- Specs are inherently compatible
- Leading security profile selected by most markets
- Core specs enable cross border use cases
- Add links to OpenID for Identity Assurance
5.6. FDX (Rifaat)
- Discussions on step-up authentication.
- Mentioned the draft about it @ OAuth WG.
5.8. IETF OAuth WG (Rifaat)
- DPoP shepherd writeup being done.
- Some implementation feedback to be incorporated.
5.12. Nigeria (Mike)
- Follow up call to be scheduled for June 15 or 16.
5.13. OECD (Nat)
- n/a
5.14. UK (Chris)
- n/a
5.15. USA (Gail)
- n/a
6. Specs (Dave)
6.1. Addressing "User Interface Hijack attack" in FAPI 2? (Nat)
- https://lists.openid.net/pipermail/openid-specs-fapi/2022-May/002619.html
- Provide incentives for ecosystems to adopt FAPI 2 if addressed
- Discuss on list and next call
6.4. FAPI 2 Attack, Baseline and Advanced (Daniel)
- Name change PR.
6.5. JARM (Dave)
- https://openid.bitbucket.io/fapi/openid-fapi-jarm.html
- Need feedback before last call for final draft.
7. PRs (Dave)
7.1. To be merged
- PR #334 - Restructure FAPI2 baseline
- PR #339 - Issue 499c - https://bitbucket.org/openid/fapi/pull-requests/339
- Add references in introduction to Message Signing, CIBA, Grant Management and RAR
- PR #338 - change user to resource owner
7.2. Under discussion
8. Issues (Dave)
8.1. # 479 -- Change to the naming of FAPI (Dave)
- Just moving to "FAPI"
- FAPI 2 Baseline ==> FAPI 2 Security Profile
- FAPI 2 Advanced ==> FAPI 2 Message Signing
- etc.
- PR is to be created.