FAPI WG Agenda & Meeting Notes (2023-07-05)
Date & Time: 2023-07-05 14:00 UTC
Location: https://zoom.us/j/97456084642?pwd=bTRFVzk4ZmlRK1M3bEprRlN5c3JFZz09
Agenda
The meeting was called to order at 14:00 UTC.
1. Roll Call (Nat)
- Attendees: Justin, Nat, Michael, Dima, Brian, Lukasz, Bjorn, Ralph, Kosuke, Joseph, Mike
- Regrets: Dave, Chris
2. Adoption of agenda (Nat)
- Adopted as is.
3. Events (Nat)
- OSW Submission Deadline: July 2.
- IETF San Francisco is coming up in the last week of July.
4. Liaison/Ext Org (Mike)
4.1. EU
- PSD3 announced. Emphasis on interoperability. ETSI or Berlin Group?
- Inquire standards groups regarding interoperability compliance with PSD3.
- But still early in process
- Security profile needs to be solved but unknown how much of it will be left to standards bodies and how much is left to ETSI
- Ask Dave for update next week
4.2. Brazil
- Looking at federation closely. Perhaps 2024.
- Will make decision in the next 10 weeks
- If decided, then Federation will be required in 2024
- Security WG is looking at dropping fragment responses and going to form_post only: might a cookie problem arise?
- There is a proposition paper mandating some version of FIDO into the Brazil security specs
- Feedback should be made to banks and provider clients
- Challenge has been on how to leverage credentials issued by TPPs and device bindings of keys
- There’s a fundamental disconnect on what is required, but contract is required
- If contract is required, bank should not be part of authentication journey between TPP and customer
4.3. Australia
- Received directed funding from ConnectID.
- Certification team is updating processes to move forward with the 50 RP certifications by end of the week
6. Drafts Updates
- Kindly vote for FAPI Grant Management; we need votes to reach quorum. https://openid.net/foundation/members/polls/319
- There are only 56 votes; some more are needed to meet quorum
7. Issues (Nat)
Dealt with the following issues:
- #153 - Add level of assurance to scope
  - Should close without any action
- #223 - Need of a customer unique/immutable identity as part of ID Token
  - Will reach out to Anoop to confirm whether this is still needed
- #293 - PKCE & Nonce Security Considerations
  - PKCE is mandatory in FAPI2
  - For FAPI1, encourage use of PKCE in deployment and implementation advice
  - But should word it as strongly as allowable in errata
- #327 - Dynamic Client Registration & Management
  - To be put into the Implementation and Deployment Advice doc
- #409 - MTLS References should be updated
  - Will be updated in errata
- #434 - Certification Team Query: error messages shown by OPs
  - The Certification team would like advice on what is acceptable for error messages for certification.
  - Currently, messages must not be factually incorrect, but they may not be suitable for end users and take time to figure out.
  - Need concrete text for FAPI2 or the Advice doc
- #451 - FAPI 1 - Authors' Addresses: Edmund's name is missing
  - Opened and skipped
- #458 - FAPI1 Part 1: not clear as to which auth flows are supported
  - Changed milestone to errata
  - Need text proposal
- #443 - Missing Discovery Metadata for login_hint types and login_hint_token type: backchannel_endpoint_login_hint_token_values_supported
  - Brazil will only use id_token_hint, so there is no longer a need for this in Brazil
- #282 - FAPI 2.0: x-fapi-* headers
  - Useful to have some headers standardized
  - Related to #487 - RS must check x-fapi-interaction-id is a UUID or IP address
  - Put in Implementation advice
  - Need to collect content for the Implementation and Deployment Advice doc
- #429 - FAPI Certification with Lodged Intent or RAR - User Consent vs Technical Process Certification
  - Could require people to upload authorization screen images to check if they're showing grant details, but this may not be practical