FAPI WG Agenda & Meeting Notes (2023-06-14)
Date & Time: 2023-06-14 00:00 UTC
Location: https://zoom.us/j/97456084642?pwd=bTRFVzk4ZmlRK1M3bEprRlN5c3JFZz09
Agenda
The meeting was called to order at 00:00 UTC.
1. Roll Call (Dave)
- Attendees: Dave, Gail, Mike, Victor Lu, Chris Michael, Dima, Justin, Brian, Nat
- Regrets:
Default Agenda
2. Events
2.2. IETF
July 22-28, 2023. San Francisco, USA https://www.ietf.org/how/meetings/117/
2.3. EIC OIDF Workshop
Presentation is published - https://openid.net/wp-content/uploads/2023/06/OIDF_Workshop-at-EIC_FINAL_2023-05-09.pdf
The next OIDF workshop will be prior to Fall IIW on Monday, October 9, 2023, in Mountain View, California.
3. Liaison/Ext Org
3.3. Brazil
Continue to process OpenFinance certifications.
Elcio Calefi from Chicago Advisory Partners was at Identiverse and discussed the ongoing adoption of FAPI and certification.
Normal recertification is expected.
OPIN - still a few phase 1 certifications trickling in. Currently in discussion with the OPIN board on recertification requirements.
Anticipate updates by next week and Q3 recertifications.
3.4. AU
ConnectID - In discussion for direct funding for ConnectID OP & RP tests and pricing bundles. Will be finalizing in the next two weeks.
3.5. OB Canada
Mark Hain and Gail spoke with the OB lead last week. Finalizing analysis and working on the write-up.
3.6. Asia
Deciding on which Asian countries to visit prior to the OpenID Japan meeting on Jan 19, 2024
Anyone with information on prospective markets may contact Gail.
3.7. Latam
Also discussing with Chicago Advisory Group and central bank regarding a roadshow
3.8. The University of Stuttgart & Australian Treasury
Will have a meeting next Monday regarding the scope of work for Package 3
Gail sent via Chat
FYI these are the components in Work Package 3.0, which would not start until after Work Package 2.0 is complete. I want to ensure we have an idea of the high-level scope and approach and identify any co-funding partners interested in this work.
- FAPI-Grant Management
- Security Event Token (SET) [RFC8417]
- OpenID Shared Signals and Events Framework Specification 1.0 - draft 01
- OpenID Continuous Access Evaluation Profile 1.0 - draft 02
- OpenID Connect for Identity Assurance 1.0
Only Grant Management is relevant to FAPI WG
Need to discuss with regulators whether there are concrete plans for each of the specs (SET, CAEP, IdA); otherwise the security analysis will be difficult.
Need to set up a subgroup across working groups to work on strategic direction before beginning the analysis.
3.9. Website
WG page is outdated
Old site content was moved over.
New issues can be filed at https://docs.google.com/spreadsheets/d/1xBvK2hgB7eTjLVkdEa39dSmN61bacmDF/edit?usp=sharing&ouid=109991067428230720221&rtpof=true&sd=true
Issues are currently being resolved.
Need to update the WG charter or add an explanation regarding the direction taken
4. PRs
- PR #420 - Add draft to FAPI 2 SP title
- editorial
- PR #417 - CIBA refactor to support FAPI2
- Not ready yet, need to address feedback
- PR #411 - attempt at clarifying request-response binding
- Justin to review feedback and approve. The Message Signing draft removed the whole section on HTTP signing and agreed to use the IETF HTTP Signatures spec.
- Signing just the request and the response is insufficient for binding; all relevant parameters need to be signed.
5. Issues
#604 - Please put "Draft" in the title of drafts - Will leave open
- Waiting for PRs for all specs
#603 - Require servers to allow for clock skew - Allowing for clock skew is not required but is desirable for interoperability
- Adding to specs would be good for interoperability
- Filip recommended that the conformance tests issue warnings for clock skew, but this may result in interoperability problems
- Should allow for several minutes of clock skew.
- Should be general so as not to be specific to DPoP
- It is common to reject a future iat, within some tolerance. The spec has no normative language on this, so it should not be done.
- Private Key assertions do not use iat
- Adding some general guidance on reasonable clock skew is a good idea
- The conformance suite should issue a failure if clock skew is not allowed, to increase interoperability
- The iat clock skew problem is more likely to manifest than the exp one, so it can be highlighted as an example
- A note makes sense but may be ignored if not made a requirement
- Skew duration should take into context the validity period
- Conformance suite can determine the minimum successful clock skew for tests
- Can copy phrasing from DPoP spec
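The following is an added illustration of the clock-skew points above (it is not from the meeting, the conformance suite or any FAPI spec): a time-claim check with a configurable tolerance, showing why a strict check rejects a client whose clock runs slightly ahead (the iat case), that the same tolerance applies to exp, and one illustrative way of bounding the tolerance by the token's validity period. Claim names are the standard JWT ones; the tolerance values and timestamps are constructed.

```python
"""Constructed example: validating JWT time claims with a clock-skew tolerance.

`claims` is an already signature-verified JWT payload; `now` is the verifier's
clock in Unix seconds. Only the time claims are checked here.
"""
from dataclasses import dataclass
from typing import Mapping


@dataclass(frozen=True)
class TimeCheck:
    accepted: bool
    reason: str


def validate_time_claims(claims: Mapping[str, int], now: int, leeway: int = 0,
                         require_iat: bool = True) -> TimeCheck:
    """Check iat / nbf / exp against `now`, allowing `leeway` seconds of skew.

    leeway=0 is the strict behaviour discussed in the notes: a client whose clock
    runs a few seconds ahead of the server produces an iat "in the future" and is
    rejected. require_iat=False covers assertion types that do not carry iat.
    """
    if leeway < 0:
        raise ValueError("leeway must be non-negative")

    iat = claims.get("iat")
    if iat is None:
        if require_iat:
            return TimeCheck(False, "iat missing")
    elif iat > now + leeway:
        return TimeCheck(False, f"iat is {iat - now}s in the future, tolerance is {leeway}s")

    nbf = claims.get("nbf")
    if nbf is not None and nbf > now + leeway:
        return TimeCheck(False, f"token not valid for another {nbf - now}s")

    exp = claims.get("exp")
    if exp is None:
        return TimeCheck(False, "exp missing")
    if now >= exp + leeway:
        return TimeCheck(False, f"token expired {now - exp}s ago, tolerance is {leeway}s")

    return TimeCheck(True, "ok")


def bounded_leeway(requested: int, validity_seconds: int) -> int:
    """One illustrative policy (an assumption of this example, not from any spec):
    the skew allowance never exceeds the token's own validity period, so tolerance
    cannot more than double the effective lifetime."""
    return max(0, min(requested, validity_seconds))


def demo() -> dict:
    """Constructed scenario: the client's clock is 90 s ahead of the server's."""
    server_now = 1_686_700_800          # 2023-06-14 00:00:00 UTC, the meeting time
    client_now = server_now + 90
    claims = {"iat": client_now, "exp": client_now + 300}   # 5-minute validity
    return {
        # Strict server: rejects a token that is perfectly fine apart from skew.
        "strict": validate_time_claims(claims, server_now, leeway=0),
        # Tolerant server: several minutes of skew, capped at the validity period.
        "tolerant": validate_time_claims(claims, server_now, leeway=bounded_leeway(300, 300)),
        # The same token presented 320 s after issue: exp needs the tolerance too.
        "late": validate_time_claims(claims, server_now + 90 + 320, leeway=0),
        "late_tolerant": validate_time_claims(claims, server_now + 90 + 320, leeway=60),
    }
```

Run `demo()` to see the four outcomes side by side; the strict case fails on iat with a 90 s skew, which is the failure mode the notes expect to appear most often in practice.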
#487 - RS must check x-fapi-interaction-id is a UUID or IP address - Interaction ID was removed but is mentioned in implementation advice
- Removed from security profile since it’s not related to security
- Put into errata for FAPI1 and then put into implementation and deployment advice for FAPI2
- Clients send the value but there is no normative text requiring servers to check it
- Servers shall check for UUID format, log the value, and send it back in the response
- Add "shall log the value"
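An added illustration of the resource-server behaviour agreed above (example code written for these notes, not from any FAPI spec or implementation): validate that a client-supplied x-fapi-interaction-id is a UUID, log it, and echo it in the response, minting a fresh UUID when the client sent none. The 400 status for a malformed value and the log line format are assumptions of this example; the header values are constructed.

```python
"""Constructed example: resource-server handling of x-fapi-interaction-id."""
import re
import uuid
from dataclasses import dataclass
from typing import Dict, Mapping

HEADER = "x-fapi-interaction-id"

# Canonical RFC 4122 text form only (8-4-4-4-12 hex). uuid.UUID() alone is too
# lenient: it also accepts bare hex, braces and a urn:uuid: prefix, none of which
# would round-trip unchanged into the response header.
_CANONICAL_UUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def is_canonical_uuid(value: str) -> bool:
    return _CANONICAL_UUID.fullmatch(value) is not None


@dataclass
class Outcome:
    status: int                 # HTTP status the RS would answer with
    headers: Dict[str, str]     # response headers to set
    log_line: str               # what goes to the audit log


def handle_interaction_id(request_headers: Mapping[str, str]) -> Outcome:
    """Decide the response header and the audit log line for one request."""
    # Header names are case-insensitive; accept whatever casing the client used.
    incoming = next((v.strip() for k, v in request_headers.items()
                     if k.lower() == HEADER), None)

    if incoming is None:
        # No client value: mint one so the interaction is still traceable end to end.
        minted = str(uuid.uuid4())
        return Outcome(200, {HEADER: minted}, f"interaction_id={minted} source=server")

    if not is_canonical_uuid(incoming):
        # Reject (400 is this example's choice). Log only a bounded, repr-escaped
        # view of the untrusted value so it cannot inject control characters or
        # newlines into the log.
        return Outcome(400, {"content-type": "application/json"},
                       f"interaction_id_rejected value={incoming[:64]!r}")

    # Valid: log it and echo it unchanged so both sides correlate the interaction.
    return Outcome(200, {HEADER: incoming}, f"interaction_id={incoming} source=client")
```

The regex rather than `uuid.UUID()` is the deliberate choice here: the value is reflected into a response header, so it is only accepted in the one textual form that can be echoed back verbatim.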
Victor asked:
- My beginner question: I found this thread about JWT parsing complexity concerns. How should we respond if discussion about X.509 and JWT parsing complexity security concerns comes up? https://news.ycombinator.com/item?id=16159301
- Asked how to counter the argument that JWTs are bad
- Victor will file new issue
6. Next Call
The next call will be a Pacific Call.