fapi / FAPI_Meeting_Notes_2023-07_19_Atlantic

FAPI WG Agenda & Meeting Notes (2023-07-19)

The meeting was called to order at 14:00 UTC.

1.   Roll Call (Nat)

  • Attendees: Mike Leszcz, Dave Tonge, Takahiko Kawasaki, Joseph Heenan, Nat Sakimura, Kosuke Koiwai, Arnaud Bruyer, Paulo Moraes, Lukas Jaromin, Victor Lu, Craig Borysowich, Dima
  • Regrets:

4.   Liaison/Ext Org (Mike)

4.1.   Open Insurance Brazil

  • Waiting for feedback
  • Anticipating annual recertification similar to Open Finance Brazil

4.2.   Open Finance Brazil

Proposal for a new protocol for user authentication when making payments without doing a redirect for each payment: a FIDO authenticator is used and the FIDO assertion is exchanged for an access token.

But the FIDO assertion is not issued to the system that is doing the access token exchange.

A meeting has been arranged with John Bradley for feedback.

The CIBA and security specifications are missing components that they want tests for. Working with the Brazil teams to put them into Brazil's specs.

Open Finance Brazil has 3 main initiatives currently:

  1. Make it simple for institutions to implement FAPI. Require only one profile, private key JWT to start.
  2. Finish CIBA specification for test and certification
  3. Adopt recurring payments with FIDO for additional user security, without redirects or a repeated security challenge for each payment. FIDO is already used for other transactions. Researching the security, certification and implementation aspects.
    • Meeting arranged with John Bradley for Friday

4.3.   Australia

The Certification team made some enhancements to the certification submission workflow to accommodate the ConnectID ecosystem.

5.   PRs (Nat)

  • PR #428 - Baseline: Clause 7.4.1 Talks about security issues with authorization requests and responses but incorrectly refers to encrypting authorization 'responses' not requests.
    • Accepted.

6.   Issues (Nat)

  • #610 - Ability for AS to reject requests that have suspicious state/nonce or other params
    • It's OK for the AS to reject suspicious parameter values, as long as the AS can still pass the conformance tests
    • Parameter values drawn from the base64url character set should be accepted
    • There is no guidance on state/nonce length
    • The conformance suite OP and RP tests do not test for non-URL-safe characters
    • The conformance suite requires a 128-character state value to be accepted
    • There is an additional test with a 384-byte state value that allows any outcome except a truncated state in the response. There was some pushback, since there is no normative text for such a length.
    • Changed the component to Deployment advice.
  • #249 - certification clarification request: acr_values_supported in discovery
    • No change needed
    • Closed
  • #475 - certification: FAPI2-Baseline - is OpenID Connect support optional?
    • Conformance suite supports with and without OpenID Connect. It does not do the full OIDC test, unlike FAPI1 tests.
    • Closed.
  • #490 - Request for suggestions for tests for FAPI2-Baseline RP/client testing
    • To schedule an agenda item in two weeks with Brian, Filip, Joseph, etc.
    • Joseph will schedule an overview of current FAPI2 tests - probably the week after next week
  • #495 - Certification: Requirements for alg support in RPs/OPs
    • Added Ed25519 alg to specs
    • It would be good to have a WG consensus on it.
    • If we do it, should it be a new column in the certification page or not?
    • There is questionable value in listing them on certification page
    • Do we want to encourage more support for EdDSA?
    • Need more discussion
  • #469 - Add protocol version and variant identifier
    • There were discussions about putting it into DCR/DCM
    • Originally arose from Australia considering DCR/DCM for ConnectID, but that has not moved forward with Federation
    • Keep it on the backlog
  • #457 - Create JSON Schema for Grant Management Specification
    • Keep it on the backlog
  • #433 - Track FAPI-compliant RP libraries
    • Better to keep list on the website instead of issue tracker
    • Could encourage some development with monetary incentives
    • Certification page will make it easier to filter for SDKs
    • Currently, most certified RPs are banks, which are not usable as libraries
    • Very short list of SDKs. Leave it open for now.
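The state/nonce handling discussed under #610 in working code. This is an added example, not code from the FAPI WG, the conformance suite, or any particular AS: an AS-side check that accepts values from the base64url character set, accepts at least the 128-character state the conformance suite sends, and for anything it dislikes either rejects the request or echoes the value back whole, never truncated. The 512-character upper limit and the `invalid_request` error response are assumptions (the notes say there is no normative text on length); `new_state` is the client-side counterpart, producing exactly 128 base64url characters from 96 random bytes.

```python
import re
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions for this example; no normative FAPI text fixes these values.
BASE64URL_RE = re.compile(r"[A-Za-z0-9_-]+")
REQUIRED_LEN = 128      # length the conformance suite expects to be accepted
MAX_OPAQUE_LEN = 512    # hypothetical deployment limit, comfortably above 128


class SuspiciousParameter(ValueError):
    """Raised when state/nonce does not look like an opaque base64url token."""


def check_opaque_param(name: str, value: Optional[str],
                       max_len: int = MAX_OPAQUE_LEN) -> Optional[str]:
    """Accept the value whole or reject the request; never shorten it."""
    if value is None:
        return None
    if not BASE64URL_RE.fullmatch(value):
        raise SuspiciousParameter(f"{name} contains characters outside base64url")
    if len(value) > max_len:
        raise SuspiciousParameter(f"{name} exceeds {max_len} characters")
    return value


def authorization_response(params: dict, redirect_uri: str, code: str,
                           max_len: int = MAX_OPAQUE_LEN) -> str:
    """Build the redirect URL the AS sends back for an authorization request.

    Accepted requests carry the code; rejected ones carry an OAuth error.
    In both cases the state from the request is echoed back in full
    (urlencoded for the URL), so the one disallowed outcome of the 384-byte
    conformance test, a truncated state, can never be produced here.
    """
    state = params.get("state")
    try:
        check_opaque_param("state", state, max_len)
        check_opaque_param("nonce", params.get("nonce"), max_len)
        query = {"code": code}
    except SuspiciousParameter as exc:
        query = {"error": "invalid_request", "error_description": str(exc)}
    if state is not None:
        query["state"] = state  # whole value, never cut to a fixed width
    return f"{redirect_uri}?{urlencode(query)}"


def new_state(nbytes: int = 96) -> str:
    """Client side: 96 random bytes encode to exactly 128 base64url characters."""
    return secrets.token_urlsafe(nbytes)


def response_state(url: str) -> Optional[str]:
    """Read the echoed state out of a redirect URL, for checking the echo."""
    values = parse_qs(urlsplit(url).query).get("state")
    return values[0] if values else None


if __name__ == "__main__":
    # Constructed sample exchange: a 128-char state is accepted and echoed back.
    s = new_state()
    url = authorization_response({"state": s, "nonce": new_state()},
                                 "https://rp.example/cb", "SplxlOBeZQQYbYS6WxSbIA")
    assert len(s) == REQUIRED_LEN and response_state(url) == s
    # A 384-char state is either accepted whole or rejected, never truncated.
    big = "A" * 384
    assert response_state(authorization_response({"state": big},
                                                 "https://rp.example/cb", "c")) == big
```

Rejecting early (a short `max_len`) is a deployment choice and, per the discussion, acceptable as long as the 128-character case still passes; what the conformance suite will flag is an AS that silently stores the state in a fixed-width column and hands back a shortened value.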

7.   AOB (Nat)

Chris had questions on FAPI certification for KSA standards

There are current tests for the KSA open banking standard for account information, but there is another design pattern called service request, which is a different type of consent, to be published in the Payments Initiation spec.

Will it need an update to the certification suite?

Is the FAPI profile sufficient or does the FAPI profile require changes?

Brazil has different certifications for accounts and payments

The conformance suite assumes that if the AS has passed for a particular scope/consent, it will be able to do so for others.

Conformance suite does not do exhaustive test of all possibilities

As long as banks are using the same certified AS as the one used for accounts, there is no specific need to recertify for payments, provided no changes were made to the AS.

The same probably holds for certified RPs

The meeting adjourned at 14:55.