1.   Roll Call (Nat)

• Attending:
  • Bjorn Hjelm
  • Chris Michael
  • Daniel Fett
  • Dave Tonge (Moneyhub)
  • Dima Postnikov
  • Filip Skokan (Okta)
  • Naohiro Fujie(OIDF/OIDFJ)
  • Nat Sakimura
  • Ralph Bragg
  • Takahiko Kawasaki
  • Brian Campbell (Ping Identity)
  • Craig Borysowich
  • Pieter Kasselman
• Regrets:
• Guest:

2.   Adoption of Agenda (Dave/Nat)

• Events
• External Organizations
• PRs
• Issues

3.   Events (Mike L.)

4.   External Orgs & Liaisons (Mike L./Chris)

5.   Security Analysis (Daniel)

Stuttgart Security Analysis is due to be finished by the end of this week.

Have some questions regarding DPoP.

Nonce mechanism protects against reply but there are weaker options available such as not rotating nonce after every request/response.

How should this be modeled? If nonce is not rotated after every request/response then there is replay probability.

Assuming nonce is rotated, then there is strong protection against replay but will add text stating that for practical reasons, weaker mechanisms such as not rotating nonce can be used.

Should put a security consideration in the final version of analysis. Daniel will double check.

Australia DSP is completing the contract for Work Package 2 of the Security Analysis, including DCM, CIBA,and signing. Awaiting delivery of Stuttgart work before awarding next contract. Will start work at the start of November for six months.

OIDF is looking for co-funding partners for Work package 3 to start Spring 2023, to cover Grant Management, OIDC for IDA and SSE

Australia DSP also asked for a brief on certification capability.

6.   Open Data Cross Borders Whitepaper (Dima)

Dima is updating the draft after discussions and will distribute it to the list when it is ready.

7.   PRs

• PR #377 - Reduced attacker model
  • Dave will review and merge
• PR #370 - Addressing issue #531 - Adding normative references clause in FAPI_2_0_Security_Profile.md
  • Dave will review and merge
• PR #376 - FAPI2SP: Correct request_uri lifetime value in comparison table
  • Dave will review and merge
• PR #379 - FAPI2SP: Rework lower limit on request_uri expires_in
  • Dave will review and merge
• PR #378 - FAPI2SP: Add text about further profiling
  • Some regions may profile FAPI 2.0 Security profile to make it incompatible or weaken some options that will * invalidate Security Analysis still believing it is secure.
  • Propose to add consideration regarding profiling.
• PR #375 - improvements to http sig wording
  • Need to address feedback before merging
  • Used fapi-2-request and fapi-2-response for signature naming convention
  • The rest is specific profiling of HTTP signature draft
• PR #308 - Add login hint token type registry values to CIBA
  • Add standard mechanism to store metadata token types
  • Need to address additional comments from Joseph before merging
• PR #347 - scope and resource clarifications
  • Taka and Filip to review
  • Additional comments to be addressed
  • Should issue WG last call for additional comments.

Security Profile will be ready for public review once PRs are merged.

Possibly, HTTP Signature will be ready for First ID

Possibly, Grant Management will be ready for 2nd ID.

8.   Issues

• #522 - optional ID Token signature validation for code flow
  • Security Analysis outcome is expected to consider the signature validation as optional
  • Joseph is using that as input to incorporate that as part of certification tests.
  • Depending on final outcome of analysis, will need language to state signature validation requirements.
  • OIDC ID Token signature validation is optional for code flow when ID Token is returned from token endpoint. TLS server validation is used to validate the issuer.
  • Awaiting Security analysis outcome. Assigned to Filip to follow up.
• #546 - lower limit on request_uri lifetime in FAPI2 may be too short
  • Related to PR #379 - to be merged after review
• #547 - Make clear if there's items where we would expect ecosystems to make choices?
  • Related to PR #378 - to be merged after review
• #543 - Browser swap attack explained on 2022-09-28
  • Related to PR #377 - to be merged after review
• #545 - FAPI2SP vs FAPI1 table has incorrect value for request_uri lifetime
  • Related to PR #376 - to be merged after review
• #539 - Access token lifetime
  • Related to PR #374- Dima will review PR and merge.
• #544 - FAPI1 vs FAPI2 blog post should be updated
  • Update post regarding differences between FAPI 1.0 and 2.0 after public review.
• #534 - Authorization Request Leaks lead to CSRF
  • Resolved with PR #367
• #531 - Insert "2. Normative references" to comply with ISODIR2
  • Resolved with PR #370
• #523 - Rotation of Refresh token - Compromised client highlighted by AU - CDR Independent review
  • Awaiting feedback from the Australian team but will close for now.
  • Will discuss with Australia on the coming Friday call.
• #465 - Align the chapter etc. structure to FAPI 1
  • Close due to duplicate issue
• #506 - Explict security target
  • Attacker model is for the security profile.
  • Will need a delta of the attacker model for other specs.
  • Will reassign to other CIBA spec.
• #449 - Field name and type for resources
  • Awaiting implementer feedback. Filip and Taka will review.
• #439 - Grant Management API Query Response expiration and issued at
  • Awaiting implementer feedback. Filip and Taka will review.
• #520 - Versioning for first draft of FAPI2-Advanced
  • Joseph proposed the message signing spec keep the same numbering in sync as the baseline security profile.
  • Having a different implementer’s draft number is not an issue and numbers should not be skipped

The call adjourned at 15:15