fapi / FAPI_Meeting_Notes_2023-06-14_Atlantic

FAPI WG Agenda & Meeting Notes (2023-06-14)

Date & Time: 2023-06-14 00:00 UTC Location: https://zoom.us/j/97456084642?pwd=bTRFVzk4ZmlRK1M3bEprRlN5c3JFZz09

The meeting was called to order at 00:00 UTC.

1.   Roll Call (Dave)

  • Attendees: Dave, Gail, Mike, Victor Lu, Chris Michael, Dima, Justin, Brian, Nat
  • Regrets:

Default Agenda

2.   Events

2.2.   IETF

July 22-28, 2023. San Francisco, USA https://www.ietf.org/how/meetings/117/

2.3.   EIC OIDF Workshop

Presentation is published - https://openid.net/wp-content/uploads/2023/06/OIDF_Workshop-at-EIC_FINAL_2023-05-09.pdf

The next OIDF workshop will be prior to Fall IIW on Monday, October 9, 2023, in Mountain View, California.

3.   Liaison/Ext Org

3.1.   Saudi

Finished phase 1 certifications

Will discuss phase 2 in a call with them next week

3.3.   Brazil

Continue to process OpenFinance certifications.

Elcio Calefi from Chicago Advisory Partners was at Identiverse and discussed the ongoing adoption of FAPI and certification.

Normal recertification is expected.

OPIN - still a few phase 1 certifications trickling in. Currently in discussion with the OPIN board on recertification requirements.

Anticipate updates by next week and Q3 recertifications.

3.4.   AU

ConnectID - In discussion for direct funding for ConnectID OP & RP tests and pricing bundles. Will be finalizing in the next two weeks.

3.5.   OB Canada

Mark Hain and Gail spoke with the OB lead last week. Finalizing analysis and working on the write-up.

3.6.   Asia

Deciding on which Asian countries to visit prior to the OpenID Japan meeting on Jan 19, 2024

Anyone with information on prospective markets may contact Gail.

3.7.   Latam

Also discussing with Chicago Advisory Group and central bank regarding a roadshow

3.8.   The University of Stuttgart & Australian Treasury

Will have a meeting next Monday regarding the scope of work for Package 3

Gail sent via Chat

FYI these are the components in Work Package 3.0, which would not start until after Work Package 2.0 is complete. I want to ensure we have an idea of the high-level scope and approach and identify any co-funding partners interested in this work.

  • FAPI-Grant Management
  • Security Event Token (SET) [RFC8417]
  • OpenID Shared Signals and Events Framework Specification 1.0 - draft 01
  • OpenID Continuous Access Evaluation Profile 1.0 - draft 02
  • OpenID Connect for Identity Assurance 1.0

Only Grant Management is relevant to FAPI WG

Need to discuss with regulators if there are concrete plans for each of the specs (SET, CAEP, IdA), otherwise security analysis will be difficult.

Need to set up a subgroup across working groups to work on strategic direction before beginning analysis

3.9.   Website

WG page is outdated

Old site content was moved over.

New issues can be filed at https://docs.google.com/spreadsheets/d/1xBvK2hgB7eTjLVkdEa39dSmN61bacmDF/edit?usp=sharing&ouid=109991067428230720221&rtpof=true&sd=true

Issues are currently being resolved.

Need to update the WG charter or add an explanation regarding the direction taken

4.   PRs

  • PR #420 - Add draft to FAPI 2 SP title
    • editorial
  • PR #417 - CIBA refactor to support FAPI2
    • Not ready yet, need to address feedback
  • PR #411 - attempt at clarifying request-response binding
    • Justin to review feedback and approve. Message Signing removed the whole section on HTTP signing and agreed to use the IETF HTTP signatures spec.
    • Just signing the request and response is insufficient for binding. Need to sign all relevant parameters.

5.   Issues

  • #604 - Please put "Draft" in the title of drafts
    • Will leave open
    • Waiting for PRs for all specs
  • #603 - Require servers to allow for clock skew
    • Allowing for clock skew is not required but is desirable for interoperability
    • Adding to specs would be good for interoperability
    • Filip recommended that the conformance suite issue warnings for clock skew, but that may result in interoperability problems
    • Should allow for several minutes of clock skew.
    • Should be general so as not to be specific to DPoP
    • It is common to reject future iat within some tolerance. Spec doesn’t have normative language so should not be done.
    • Private Key assertions do not use iat
    • Adding some general guidance on reasonable clock skew is a good idea
    • Conformance suite should issue a failure if clock skew is not allowed, to increase interoperability
    • An iat clock-skew problem is more likely to manifest than an exp one, so iat can be highlighted as an example
    • A note makes sense but may be ignored if not made a requirement
    • Skew duration should take into context the validity period
    • Conformance suite can determine the minimum successful clock skew for tests
    • Can copy phrasing from DPoP spec
  • #487 - RS must check x-fapi-interaction-id is a UUID or IP address. Interaction ID was removed but is mentioned in implementation advice
    • Removed from security profile since it’s not related to security
    • Put into errata for FAPI1 and then put into implementation and deployment advice for FAPI2
    • Clients send value but no normative text on servers to check it
    • Shall check for UUID format, log the value, and send back in response
    • Add shall log the value
  • Victor asked
    • my beginner question. I found this thread about JWT parsing complexity concerns. How to respond if discussion about X.509 and JWT parsing complexity security concerns comes up? https://news.ycombinator.com/item?id=16159301
    • Asked how to counter argument on why JWTs are bad
    • Victor will file new issue
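Worked example for the #603 discussion above, added here and not part of the meeting notes, any FAPI spec or the conformance suite: JWT time-claim validation with a symmetric clock-skew tolerance, applied to iat (the check most likely to fail across skewed clocks), exp, and also nbf, which the notes did not mention. The default tolerance, the optional lifetime cap and the helper that finds the minimum tolerance a token needs are all assumptions for illustration.

```python
import time

class TokenTimeError(Exception):
    """Raised when a time-based JWT claim fails validation."""

def check_time_claims(claims, now=None, skew_seconds=300, max_lifetime=None):
    """Validate iat/nbf/exp (RFC 7519 NumericDate) with a symmetric skew tolerance.
    skew_seconds is the allowance discussed in #603 (assumed default: 5 minutes);
    max_lifetime (assumed, optional) caps exp - iat so the tolerance is judged in
    the context of the token's validity period."""
    now = int(time.time()) if now is None else int(now)
    if skew_seconds < 0:
        raise ValueError("skew_seconds must be non-negative")
    for name in ("iat", "nbf", "exp"):
        value = claims.get(name)
        if value is not None and (isinstance(value, bool) or not isinstance(value, int)):
            raise TokenTimeError(f"{name} must be an integer NumericDate")
    iat, nbf, exp = claims.get("iat"), claims.get("nbf"), claims.get("exp")
    # A strict 'iat <= now' check is what fails across skewed clocks, so only
    # reject an iat that lies further in the future than the tolerance.
    if iat is not None and iat > now + skew_seconds:
        raise TokenTimeError(f"iat is {iat - now}s ahead, tolerance {skew_seconds}s")
    if nbf is not None and nbf > now + skew_seconds:
        raise TokenTimeError("token not yet valid")
    if exp is None:
        raise TokenTimeError("exp is required")  # assumed policy for this example
    if exp <= now - skew_seconds:
        raise TokenTimeError("token expired")
    if max_lifetime is not None and iat is not None and exp - iat > max_lifetime:
        raise TokenTimeError("token lifetime exceeds policy")
    return {"now": now, "skew_seconds": skew_seconds}

def accepts(claims, now, skew_seconds=300, max_lifetime=None):
    """True if the claims pass under the given tolerance, False otherwise."""
    try:
        check_time_claims(claims, now, skew_seconds, max_lifetime)
        return True
    except TokenTimeError:
        return False

def minimum_accepted_skew(claims, now, candidates=(0, 30, 60, 120, 300)):
    """Smallest tolerance in candidates under which the claims pass, or None;
    mirrors the note that a conformance suite can find the minimum skew a test
    needs (constructed helper, not conformance-suite code)."""
    for skew in sorted(candidates):
        if accepts(claims, now, skew_seconds=skew):
            return skew
    return None
```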
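Worked example for the #487 discussion above, added here and not taken from the meeting notes or any FAPI spec: a resource-server handler that checks a client-supplied x-fapi-interaction-id for UUID format, logs it, and sends it back in the response, generating one when the header is absent. The logger name, the return shape and the choice to answer a malformed value with 400 are assumptions.

```python
import logging
import re
import uuid

log = logging.getLogger("fapi.rs")  # assumed logger name
HEADER = "x-fapi-interaction-id"
# RFC 4122 string form: 8-4-4-4-12 hex digits; hex without hyphens is not accepted.
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def is_uuid(value):
    """True if value is a string in RFC 4122 UUID format."""
    return isinstance(value, str) and UUID_RE.match(value) is not None

def handle_request(request_headers):
    """Apply the #487 behaviour and return (status, response_headers).
    Header names match case-insensitively. A present-but-malformed value is
    rejected with 400 (assumed policy for 'shall check for UUID format'); a
    missing header gets a freshly generated UUID. The id is always logged and
    echoed back so the client and the RS can correlate log entries."""
    headers = {k.lower(): v for k, v in request_headers.items()}
    supplied = headers.get(HEADER)
    if supplied is not None and not is_uuid(supplied):
        interaction_id = str(uuid.uuid4())
        log.warning("interaction_id=%s rejected malformed %s=%r", interaction_id, HEADER, supplied)
        return 400, {HEADER: interaction_id}
    interaction_id = supplied if supplied is not None else str(uuid.uuid4())
    log.info("interaction_id=%s", interaction_id)
    return 200, {HEADER: interaction_id}
```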

6.   Next Call

The next call will be a Pacific Call.
