FAPI WG Agenda & Meeting Notes (2023-03-29)
- Date & Time: 2023-03-29T14:00Z
- Location: https://zoom.us/j/97456084642?pwd=bTRFVzk4ZmlRK1M3bEprRlN5c3JFZz09
- Self: https://bitbucket.org/openid/fapi/wiki/edit/FAPI_Meeting_Notes_2023-03-15_Atlantic
Agenda
- 1. Roll Call (Dave/Nat)
- 2. Adoption of Agenda (Dave/Nat)
- 3. Events (Mike L)
- 4. Internal Liaisons
- 5. External Orgs & Liaisons (Mike L.)
- 6. Draft Updates
- 7. PRs (Dave)
- 8. Issues (Dave)
- 8.1. Proposed new FAPI certification test: private_key_jwt client authentication assertion where aud contains multiple values (Filip)
- 8.2. private_key_jwt audience requirements (Filip)
- 8.3. FAPI2SP appears to permit response_types "id_token", "id_token token" and "none" (Dave)
- 8.4. FAPI CIBA (Dave)
- 8.5. FAPI2MS: Rejection of non-JAR/non-JARM requests (Filip)
- 8.6. Network Layer Protections restrict use of more recent TLS 1.2 ciphers
- 9. AOB (Nat)
The meeting was called to order at 14:02 UTC.
1. Roll Call (Dave/Nat)
- Attending: Nat, Gail, Mike, Dave, Bjorn, Craig, Dima, Domingos, Filip, George, Kelley, Kosuke, Takahiko
- Regrets:
- Guest:
2. Adoption of Agenda (Dave/Nat)
- Adopted as presented in the draft agenda.
3. Events (Mike L)
3.1. OpenID Foundation Workshop (Mike)
- Registration page is now open.
3.2. Events are now in the Foundation Google Calendar (Mike)
- On the new website, the Foundation Google Calendar is going to be the single source for events.
4. Internal Liaisons
4.1. NIST SP800-63-4ipd Comments
- Mark is leading the discussion, over several meetings.
- Deadlines were postponed to April 14.
- Nat has provided a few comments pointing to FAPI as good security practice: security is typically not composable, so the protocol has to be taken as a whole, with an appropriate security model and analysis to go with it.
- Link to the comment sheet that OIDF is compiling:
5. External Orgs & Liaisons (Mike L.)
5.1. Open Finance Brazil
- They have seen some progress on CIBA spec.
5.2. Open Insurance Brazil
- Recertification - good progress.
5.3. Saudi Arabia (Mike)
- Increase in testing activities.
- Six KSA fintechs are FAPI RP certified.
- Eight KSA servers under testing (6 banks + alpha).
- KSA certification listings:
- OP Testing: https://openid.net/certification/fapi_op_testing/
- RP Testing: https://openid.net/certification/fapi_rp_testing/
5.4. OECD
- Online public consultation on the draft OECD Recommendation on the Governance of Digital Identity
- Gail created a draft letter:
6. Draft Updates
6.1. Message Signing (Dave)
- Dave has sent the fixed Implementer's draft documents to Mike J.
6.2. Grant Management (Dima)
- Dave is creating a submission package now.
7. PRs (Dave)
- Apart from one PR that we are parking until HTTP signature is settled, there is no standing PR.
- Request/Response binding fix is waiting for IETF result next week.
8. Issues (Dave)
8.1. Proposed new FAPI certification test: private_key_jwt client authentication assertion where aud contains multiple values (Filip)
- https://bitbucket.org/openid/fapi/issues/403/proposed-new-fapi-certification-test
- Related to #501; see https://bitbucket.org/openid/fapi/issues/403/proposed-new-fapi-certification-test as well.
- Filip is going to record the result of the discussion in the ticket.
8.2. private_key_jwt audience requirements (Filip)
- https://bitbucket.org/openid/fapi/issues/581/private_key_jwt-audience-requirements
- Agreed that the PR is OK.
- Nat to confirm with Torsten.
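Items 8.1 and 8.2 both turn on how a server treats the aud claim of a private_key_jwt client assertion when it carries more than one value. As an added illustration (not code from the working group, the certification suite, or any vendor), the following server-side check applies RFC 7519's definition of aud, which allows either a single string or an array of strings and requires the recipient to find one of its own identifiers among them. The identifiers AS_ISSUER and AS_TOKEN_ENDPOINT, the client id and the sample claim sets are constructed for the example; which audience values a given FAPI profile mandates is left to the profile, the code simply treats the issuer identifier and the token endpoint URL as acceptable. Signature verification of the assertion is assumed to have happened before these claim checks run.

```python
"""Audience ("aud") handling for private_key_jwt client assertions.

Added example, not FAPI WG or certification-suite code. Assumes the
authorization server accepts its issuer identifier and its token endpoint
URL as audience values; the JWT signature is assumed to be verified already.
"""
from __future__ import annotations

from typing import Any, Iterable, Mapping

# Constructed identifiers for a hypothetical authorization server.
AS_ISSUER = "https://as.example.com"
AS_TOKEN_ENDPOINT = "https://as.example.com/token"
ACCEPTED_AUDIENCES = (AS_ISSUER, AS_TOKEN_ENDPOINT)


def audience_values(claims: Mapping[str, Any]) -> list[str]:
    """Return the aud claim as a list of strings.

    RFC 7519 section 4.1.3 allows "aud" to be a single string or an array
    of strings. A missing or empty claim, or an array with non-string
    entries, is a malformed assertion and raises ValueError.
    """
    aud = claims.get("aud")
    if isinstance(aud, str):
        values = [aud]
    elif isinstance(aud, list) and aud:
        values = list(aud)
    else:
        raise ValueError("aud claim missing, empty, or not a string/array")
    if not all(isinstance(v, str) and v for v in values):
        raise ValueError("aud array entries must be non-empty strings")
    return values


def audience_accepted(claims: Mapping[str, Any], accepted: Iterable[str]) -> bool:
    """True if at least one aud value names this server.

    Per RFC 7519 the recipient must identify itself with a value in aud;
    additional entries naming other principals do not by themselves cause
    rejection. A server that only compares aud as a single string would
    wrongly reject a valid multi-valued array here.
    """
    try:
        values = audience_values(claims)
    except ValueError:
        return False
    accepted_set = set(accepted)
    return any(v in accepted_set for v in values)


def check_client_assertion(
    claims: Mapping[str, Any],
    client_id: str,
    now: int,
    accepted: Iterable[str] = ACCEPTED_AUDIENCES,
) -> tuple[bool, str]:
    """Claim-level checks for a private_key_jwt assertion (RFC 7523 section 3).

    Returns (ok, reason). iss and sub must both equal the client_id the
    assertion is presented for, exp must be in the future, and aud must
    include one of this server's identifiers.
    """
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        return False, "iss/sub do not match client_id"
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "assertion expired or exp missing"
    if not audience_accepted(claims, accepted):
        return False, "aud does not identify this authorization server"
    return True, "ok"


# Constructed sample claim sets (no real clients or servers).
CLIENT_ID = "client-123"
SAMPLE_SINGLE = {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": AS_TOKEN_ENDPOINT,
                 "jti": "jti-1", "exp": 1_700_000_300}
SAMPLE_MULTI = {"iss": CLIENT_ID, "sub": CLIENT_ID,
                "aud": [AS_ISSUER, AS_TOKEN_ENDPOINT], "jti": "jti-2",
                "exp": 1_700_000_300}
SAMPLE_WRONG = {"iss": CLIENT_ID, "sub": CLIENT_ID,
                "aud": ["https://other.example.net/token"], "jti": "jti-3",
                "exp": 1_700_000_300}
SAMPLE_BAD = {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": [AS_ISSUER, 42],
              "jti": "jti-4", "exp": 1_700_000_300}

if __name__ == "__main__":
    for name, sample in [("single", SAMPLE_SINGLE), ("multi", SAMPLE_MULTI),
                         ("wrong", SAMPLE_WRONG), ("bad", SAMPLE_BAD)]:
        print(name, check_client_assertion(sample, CLIENT_ID, now=1_700_000_000))
```

Run as a script, the block evaluates the four constructed assertions: the single-string and the two-entry array are accepted, the array naming only another server is rejected, and the array containing a non-string entry is rejected as malformed rather than silently ignored.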
8.4. FAPI CIBA (Dave)
- https://bitbucket.org/openid/fapi/issues/580/fapi-ciba
- Discussed the changes it needs for supporting FAPI2.
- Whether signing is required or not should be based on whether the base profile requires signing (e.g., FAPI2 Message Signing + CIBA should require it, while FAPI2 Security Profile + CIBA should not).
- 5.2.2.6
- Assigned to Filip.
8.6. Network Layer Protections restrict use of more recent TLS 1.2 ciphers
- Moving to TLS 1.3 removes the restrictions on the ciphers.
- However, the certification suite does not support TLS 1.3.
- Nat to create an issue on the tracker regarding this.