fapi / FAPI_Meeting_Notes_2022-06-22_Atlantic

FAPI WG Meeting Notes (2022-06-22)

The meeting was called to order at 14:__ UTC.

1.   Roll Call (Nat/Dave)

  • Attending: (In the room) Nat Sakimura, Dave Tonge, Rifaat Shekh-Yusef, Domingos Creado, Don Thibeau, Mike Leszcz, Tatsuo Kudo, Joseph Heenan

  • Remotely: Ali Adnan, Daniel Fett, Dima, Gail Hodges, Jacob Ideskog, Takahiko Kawasaki, Bjorn Hjelm

  • Regrets:
  • Guest:

3.   Events (Dave)

3.1.   Identiverse (Mike)

  • F2F FAPI meeting Wednesday 6/22 normal meeting time (8AM local time) in Summit 2 room.
  • Remote attending available via normal GotoMeeting conference link.
  • Nat, Joseph, Mike, Rifaat, Dave, Brian
  • There will be an Open Banking Discussion Panel

3.2.   IETF 114

July 23-29, 2022. Philadelphia, USA

https://www.ietf.org/how/meetings/114/

Some work being discussed:

  • SD-JWT (selective disclosure JWTs)
  • Multi-subject JWTs

3.3.   IIW

Nov. 15 - 17

3.5.   Authenticate Seattle

Oct. 17 - 20

Mike and Gail will attend

3.6.   FDX Meeting

Oct. 17-19 @ Dallas

3.7.   IETF 115 London

5 Nov 2022 - 11 Nov 2022

3.8.   Money 2020 Las Vegas

End of October in Las Vegas

Big Payments conference

3.9.   Identity Week Asia

September 6-7 2022

https://www.terrapinn.com/exhibition/identity-week-asia/index.stm

Nat will be speaking about Open Banking

5.   External Organizations (Nat)

5.1.   Australia (Mike L.)

  • Sorting out contractual issues for security analysis.
  • Australia will fund their part of the security proof work from July to end of Sept.
  • Review of model approach in mid-July to share concerns/issues with proof work

5.2.   Brazil (Mike L.)

  • Open Insurance (66 orgs) certification in August.
  • Open Banking recertification (approx 200) from Sept. till Dec. 13.
    • DCR certification required.

5.4.   Canada (Gail)

  • Three calls by now to address their questions.
  • Making an introduction to thought leaders.
  • Vittorio and Rifaat meeting next Monday.

5.6.   FDX (Rifaat/Joseph)

  • Process of reviewing FAPI security profile internally going on.
  • There are some documents they want to work on concerning security and step-up authentication.

5.7.   GAIN (Dima/Joseph)

  • GAIN presentation / meeting 11 AM and 1 PM today at Summit 2.

5.8.   IETF OAuth WG (Rifaat)

Current draft agenda ideas

  • OAuth 2.1
  • Browser-based application
  • Step up authentication
  • GitHub and token theft
  • Multi-subject JWT
  • SD-JWT
  • Security BCP
  • DPoP

5.9.   ISO/TC68 (Nat/Dave)

  • A new working group on Natural Person Identifier has been set up, convened by Patrick Curry; it may be relevant to the eKYC group.

5.10.   The Middle East and North Africa (Mike L.)

  • Meeting with Open Banking Saudi Arabia (SAMA/Central bank) on June 21 at Identiverse.
    • Discussed FAPI 1 vs 2.0
    • Conformance and certification
    • Exploring different certification models
  • Another meeting is scheduled for 9 AM tomorrow @ Summit 2.
  • DFC call next week to discuss SAMA progress.

5.12.   New Zealand (Gail)

  • Call on June 15 to discuss FAPI and 3rd party certification.
  • NZ Gov working towards consumer data rights legislation to be published later this year.
  • After that, third-party certifications could come in.

5.13.   Nigeria (Mike)

  • They were not prepared to review USSD use cases at this time.
  • Having a follow-up in July.
  • They have legislation policy from the central bank but it’s not very detailed yet.

6.   Whitepaper (Dima)

  • White paper (draft) https://docs.google.com/document/d/176au5lZcR0vHbQG43wE7pZr7PBgVd7O7AqAzb6rqDzU/edit
  • Would like more feedback
  • Health and Global Interoperability Paper will take same approach
  • The goal is to get the papers into an Implementer's Draft via community feedback
  • Work on the English phrasing so points are clear
  • Use whitepaper to invite a wider community for feedback discussions
  • Papers will be presented at the Identiverse panel for comments

7.   Specs (Dave)

7.1.   Grant Management (Dima)

  • There are now a couple of PRs and Issues.
  • A couple of issues are left before going to Implementer's Draft.

7.3.   FAPI 2 Attack, Baseline and Advanced (Daniel)

  • Name change PR etc. is yet to be created.

7.4.   JARM (Dave)

7.5.   Addressing "User Interface Hijack attack" in FAPI 2? (Nat)

8.   PRs (Dave)

8.1.   To be merged

8.2.   Under discussion

  • PR #322 – Pull in key management clauses
    • Pull in language from FAPI 1 regarding jwks_uris
  • PR #315 - FAPI2 iss + JARM
    • Added clarifying text for returning iss when using JARM
  • PR #342 – No Authorization Response encryption is required
    • Need feedback from Ralph.
  • PR #343 - Change name from baseline to security profile
    • Remove Financial-grade from the name and just use FAPI
    • Change the Baseline name to Security Profile and add references to other specs.
    • The text “we recommend” feels informal.

9.   Issues (Dave)

9.1.   #496 clock sync and FAPI2 baseline (Jacob/Dave)

Three Options:

  1. jti
    • jti approach will introduce a large skew.
  2. challenge
    • Challenge is the most secure but needs a new spec.
  3. HTTP date header
    • The HTTP Date header may be good, but the spec will need to explicitly mention that it won't prevent pre-generation of assertions
    • Client resends assertion after seeing error and checking the date header
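The three options above, as an added example that is not part of these minutes or of any FAPI or OAuth specification: a simulated token endpoint and client in Python. Everything in it is constructed, including the clock values, the skew tolerances, the `https://as.example/token` audience, and the `nonce` claim used to model the challenge option (which is why that option would need a new spec); the assertion is a plain dict, with signature verification assumed to have already succeeded.

```python
# Added illustration (not from the FAPI WG minutes or any FAPI/OAuth spec) of the
# three clock-sync options for client assertions discussed under issue #496.
# Assertions are plain dicts (signature checks assumed done); clocks are simulated.
import email.utils
import secrets

SERVER_NOW = 1_700_000_000  # constructed server clock (Unix seconds)
ASSERTION_LIFETIME = 60     # assumed exp - iat chosen by the client
TIGHT_SKEW = 10             # assumed tolerance when the Date header allows resync
WIDE_SKEW = 300             # assumed tolerance when only jti guards against replay


class AuthorizationServer:
    """Token endpoint checking iat/exp, and optionally jti or a challenge."""

    def __init__(self, skew, replay_check=False, require_challenge=False):
        self.skew = skew
        self.replay_check = replay_check
        self.require_challenge = require_challenge
        self.seen_jti = set()    # production: shared store that expires entries
        self.challenges = set()  # nonces handed out and not yet consumed

    def issue_challenge(self):
        nonce = secrets.token_hex(8)
        self.challenges.add(nonce)
        return nonce

    def token_endpoint(self, assertion):
        """Return (status, body, headers); a Date header is always present."""
        headers = {"Date": email.utils.formatdate(SERVER_NOW, usegmt=True)}
        ok = (200, {"access_token": "constructed-token"}, headers)

        def reject(reason):
            return 400, {"error": "invalid_client", "error_description": reason}, headers

        if self.require_challenge:
            # Option 2: freshness comes from a server-issued nonce, so no clock
            # comparison is needed; the "nonce" claim is hypothetical (the "new spec").
            if assertion.get("nonce") not in self.challenges:
                return reject("unknown or already used challenge")
            self.challenges.discard(assertion["nonce"])
            return ok
        if assertion["iat"] > SERVER_NOW + self.skew:
            return reject("iat too far in the future")
        if assertion["exp"] < SERVER_NOW - self.skew:
            return reject("assertion expired")
        if self.replay_check:
            # Option 1: a wide window is tolerable only because jti blocks replay.
            if assertion["jti"] in self.seen_jti:
                return reject("jti already used")
            self.seen_jti.add(assertion["jti"])
        return ok


class Client:
    """Client whose clock is off by `skew` seconds from the server's."""

    def __init__(self, skew):
        self.skew = skew
        self.offset = 0  # correction learned from the server's Date header

    def build_assertion(self, nonce=None):
        now = SERVER_NOW + self.skew + self.offset
        assertion = {"iss": "client-1", "sub": "client-1",
                     "aud": "https://as.example/token",  # placeholder endpoint
                     "iat": now, "exp": now + ASSERTION_LIFETIME,
                     "jti": secrets.token_hex(8)}
        if nonce is not None:
            assertion["nonce"] = nonce
        return assertion

    def request_token(self, server):
        """Option 3: on an error carrying a Date header, resync and retry once.
        Returns (status, number of attempts)."""
        status, _, headers = server.token_endpoint(self.build_assertion())
        if status == 200 or "Date" not in headers:
            return status, 1
        server_time = email.utils.parsedate_to_datetime(headers["Date"]).timestamp()
        self.offset = int(server_time) - (SERVER_NOW + self.skew)
        status, _, _ = server.token_endpoint(self.build_assertion())
        return status, 2


def date_header_flow(client_skew):
    """Tight window plus Date-header resync: (final status, attempts)."""
    return Client(client_skew).request_token(AuthorizationServer(TIGHT_SKEW))

def jti_flow(client_skew):
    """Wide window plus jti store: (first status, status of an exact replay)."""
    server = AuthorizationServer(WIDE_SKEW, replay_check=True)
    assertion = Client(client_skew).build_assertion()
    return server.token_endpoint(assertion)[0], server.token_endpoint(assertion)[0]

def challenge_flow(client_skew):
    """Server-issued challenge: (first status, status of an exact replay)."""
    server = AuthorizationServer(TIGHT_SKEW, require_challenge=True)
    assertion = Client(client_skew).build_assertion(nonce=server.issue_challenge())
    return server.token_endpoint(assertion)[0], server.token_endpoint(assertion)[0]
```

With a client two minutes fast, `date_header_flow(120)` fails once, learns the offset from the Date header and succeeds on the retry; `jti_flow(120)` is accepted first time because of the wide window, but an exact replay is refused; `challenge_flow(3600)` succeeds even with a badly wrong clock because freshness is bound to the server's nonce rather than to time. The caveat in the notes is visible in `token_endpoint`: for option 3 the server only sees the `iat` claim, so an assertion minted earlier with a later `iat` still passes, whereas the challenge option is the one of the three whose freshness the client cannot manufacture in advance.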

10.   AOB (Dave)

  • none

The call adjourned at 15:59 UTC
