Clone wiki

fapi / FAPI_Meeting_Notes_2023-03-15_Atlantic

FAPI WG Agenda & Meeting Notes (2023-03-15)

Date & Time: 2023-03-15T14:00Z
Location: https://zoom.us/j/97456084642?pwd=bTRFVzk4ZmlRK1M3bEprRlN5c3JFZz09
Self: https://bitbucket.org/openid/fapi/wiki/edit/FAPI_Meeting_Notes_2023-03-15_Atlantic

Agenda

1. Roll Call (Dave/Nat)
2. Adoption of Agenda (Dave/Nat)
3. Mini-kick off of FAPI2 Workpackage 2 project (Gail/Marcus)
4. Events (Mike L)
5. Internal Liaisons
6. External Orgs & Liaisons (Mike L.)
- 6.1. Brazil
- 6.2. Saudi
7. Draft Updates
- 7.1. FAPI 2 Msg Signing (Dave)
- 7.2. All other drafts: Put "draft" in the title (Nat)
8. PRs (Dave)
9. Issues (Dave)
- 9.1. FAPI2SP: Note about client assertion audience looks misleading
- 9.2. FAPI2SP appears to permit response_types "id_token", "id_token token" and "none"
10. AOB (Nat)

The meeting was called to order at 14:02 UTC.

1. Roll Call (Dave/Nat)

Attending: Nat, Gail, Joseph, Mike, Tim, Aaron, Brian, Daniel, Dave, Filip, Geroge, Justin, Marcus, Kosuke, Pedram, Kelley, Pieter, Dima
Regrets: Chris
Guest:

2. Adoption of Agenda (Dave/Nat)

Adopted as presented as draft agenda.

3. Mini-kick off of FAPI2 Workpackage 2 project (Gail/Marcus)

Scope is FAPI CIBA, Dynamic Client Registration (including Australian variant) and FAPI 2.0 Message Signing (including JARM, JAR. jIR, HttpSiG)
Meeting at 8 AM CET.

4. Events (Mike L)

Workshop on 1 PM Apr. 17. Details to be published this week.

5. Internal Liaisons

n/a

6. External Orgs & Liaisons (Mike L.)

6.1. Brazil

No material updates.
Certification request continues to come in.

6.2. Saudi

KSA FAPI Profile Framework is not publicly available yet. Quality control is being performed.
This caused problems for parties that wanted to comply with the profile.
Good news is that it seems it is possible to publish FAPI-specific components at openid.net. It will be confirmed shortly.

7. Draft Updates

7.1. FAPI 2 Msg Signing (Dave)

Package was sent to the foundation secretary.
Question was raised whether the title should have "Draft" or "Implementer's draft"
- It should be "Draft" because it has not been voted on.
The draft will be updated and sent to the foundation secretary again.

7.2. All other drafts: Put "draft" in the title (Nat)

Editors, please make sure that your draft has "draft" or "Implementers draft #" in the title.
Also, please make sure to put warning text.

8. PRs (Dave)

Apart from one PR that we are parking until HTTP signature is settled, there is no standing PR.

9. Issues (Dave)

9.1. FAPI2SP: Note about client assertion audience looks misleading

~~#579~~
https://bitbucket.org/openid/fapi/issues/579/fapi2sp-note-about-client-assertion
Normative sentences should not go into Note.
We wanted to leave options open for CIBA and Token Endpoint.

9.2. FAPI2SP appears to permit response_types "id_token", "id_token token" and "none"

~~#577~~
https://bitbucket.org/openid/fapi/issues/577/fapi2sp-appears-to-permit-response_types
Brian's wording was discussed.
It was pointed out that while it is rejecting the response types quoted, it does not others.
Adding parameters (esp. tokens) would create a new authentication protocol and nullify the security analysis.
In view of this, it was suggested to lock it down to response_type=code while making it conditional that future extensions, such as CIBA, can be made. (They need a fresh security analysis and we are doing that in FAPI2 Workpackate 2 sponsored by the AU government.)
Filip came up with wording that sounded reasonable. He will put it in this ticket.

10. AOB (Nat)

none

The call adjourned at 14:59

Updated 2023-03-15