3.1.   Identiverse (Mike)

• F2F FAPI meeting Wednesday 6/22 normal meeting time
• Remote attending available.

4.1.   Security Analysis

• Australian university awarded contract so that the second part of the security analysis can go ahead.
• Formal definition by U. of Stutgart is scheduled to be completed by end of June
  • Technical report by end of June
  • Presentation in mid-July
• Australian University will look at Grant Management and also apply security analysis to Australian CDR standard

4.2.   Certification (Joseph/Mike)

• Brazil – certificate issues.

5.1.   Australia (Mike L.)

5.2.   Brazil (Mike L.)

Brazil CIBA spec is still in the process of being finalized.

Scheduled to be finalized next week

Other milestones to be confirmed.

Open banking Brazil will start recertification for banks from September to December 15

Central bank is signaling annual recertifications for FAPI

There is a new test for the updating of TLS client subject DN in Dynamic Client Management endpoint. Only available for functional testing but not for generic testing due to requirement for 2 valid certificates.

Comparison rules for DN still need to be defined.

Access to Brazil sandbox is not open. Registration is only allowed for 10 countries but can be tested with specific configurations.

Open Insurance Brazil

66 institutions to be certified in September

OIDF will host a couple of outreach workshops in July and August to introduce FAPI and conformance certification

5.3.   Berlin Group (Daniel)

• N/A

5.4.   Canada (Gail)

5.5.   EU DIW ARF (Gail)

• n/a

5.6.   FDX (Rifaat)

5.7.   GAIN (Dima)

5.8.   IETF OAuth WG (Rifaat)

• JWK thumbprint was approved by IESG.
• DPoP – Brian is addressing the issues collected. After that, Rifaat will do the shepherd write-up.

5.9.   ISO/TC68 (Nat/Dave)

• n/a

5.10.   The Middle East and North Africa (Chris)

• Meeting with Open Banking Saudi Arabia during Identiverse.

5.11.   Mexico (Gail)

• n/a

5.12.   Nigeria (Mike)

• Follow-up call is scheduled for June 16.

5.13.   OECD (Nat)

• n/a

5.14.   UK (Chris)

• n/a

5.15.   USA (Gail)

• n/a

6.1.   Addressing "User Interface Hijack attack" in FAPI 2? (Nat)

• https://lists.openid.net/pipermail/openid-specs-fapi/2022-May/002619.html
• Provide incentives for ecosystems to adopt FAPI 2 if addressed
• Discuss on list and next call

6.2.   Grant Management (Dima)

• There are now a couple of PRs and Issues.

6.3.   FAPI DCR/M (Dynamic client registration and Management) (Joseph)

• N/A

6.4.   FAPI 2 Attack, Baseline and Advanced (Daniel)

• Name change PR etc. is yet to be created.

6.5.   JARM (Dave)

• https://openid.bitbucket.io/fapi/openid-fapi-jarm.html
• Need feedback before last call for final draft.

7.1.   To be merged

• PR #336 - rename update to merge
  • Need to sync with latest revision before merge
• PR #341 – Grant Management - clarify scopes related to #448 (one or more resource fields?)
  • Torsten had proposed some editorial text
• PR #340 – JARM security properties - Attempt to finesse some text in JARM so as to not overstate its security properties
  • Discussed by various members
  • There was intention to use the encryption part of JARM from Australia but the text seems to over promised on the security properties of using encryption alone
  • No protocol changes but to be honest about the security properties of JARM.
  • Would like to adjust text to reflect what security properties JARM provides by itself to give accurate representation and not do unneeded actions
  • More editorial changes like removing references that are not used.
  • It is possible to tidy up more but perhaps it is not worth investing the time.
  • Financial-grade text also removed to align with oncoming name change of spec
  • Dave is going to send out the last call email after merging it.

7.2.   Under discussion