fapi / FAPI_Meeting_Notes_2023-09-13_Atlantic

FAPI WG Agenda & Meeting Notes (2023-09-13)

The meeting was called to order at 14:03 UTC.

1.   Roll Call (Nat)

  • Attendees: Nat, Joseph, Mike, Craig, Kyle, Lukasz, Robert, Peter Stanley, Peter Wallach, Kosuke, Mark Andrus, Bjorn, George, Venkatasubramanian
  • Regrets:

3.   Events (Mike L.)

3.1.   IIW Workshop

OIDF is planning a workshop prior to IIW on Oct 9 at Cisco in Mountain View, California. Registration is required one week before the workshop.

Link: https://openid.net/registration-workshop-october-9-2023/

4.   Liaison/Ext Org (Mike/Chris)

4.1.   Brazil

  • Open Finance and Insurance: milestones due in the coming week. Certifications for both OPs and RPs start in Feb-April 2024

4.2.   Australia

  • Minor changes to conformance suite

5.   PRs (Dave)

  • #431 - Proposal to fix Issue #617 - Security issue in the JWT Response for OAuth Token Introspection specification
    • Ensures that a regular client is not confused with an RS acting as a client when calling the introspection endpoint, to prevent information leakage related to the access token
    • Merged

6.   Issues (Dave)

  • #603 - Require servers to allow for clock skew
    • Decided: the allowance shall be no less than 10 seconds and should be no more than 60 seconds.
    • Ecosystems may adjust the maximum value as necessary.
  • #490 - Request for suggestions for tests for FAPI2-Baseline RP/client testing
    • assigned to Joseph
  • #602 - "Client" is misleading in the context of signed introspection responses
  • #625 - Changes to introduction of http signing section
    • Assigned to Dave
  • #624 - "client's misconfigured token endpoint" is confusing
    • Use text suggestion from Daniel
    • Assigned to Nat
  • #623 - Replace reference to obsolete RFC 7525 with BCP 195
    • Replace the obsoleted reference with BCP 195
    • Need to replace DPoP references also
    • Assigned to Daniel
  • #619 - Authentication property of FAPI 2.0
    • Should authentication be considered in security analysis and whether it needs to be addressed
    • Identity aspects are out of scope but it’s important to ensure proper user authentication
    • Clarify that Identity management layer is not part of FAPI2
    • Add text in intro and scope
  • #469 - Add protocol version and variant identifier
    • Priority lowered to minor
  • #457 - Create JSON Schema for Grant Management Specification
    • Priority lowered to minor
  • #549 - Network Layer Protections restrict use of more recent TLS 1.2 ciphers
    • The issue's context is no longer valid, since the updated TLS BCP does not recommend the use of some of the newly added ciphers
    • Mark as resolved, no action needed
  • #555 - Tracking: Implementers of FAPI 1.0 and FAPI 2.0
    • Add new implementations to the issue
  • #626 - DPoP reference needs to be updated to the RFC
    • assigned to Daniel
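To make the #603 decision concrete, the following is an added example (not from the FAPI WG notes, nor OIDF or conformance-suite code) of how a server-side token validator can bound its clock-skew allowance and apply it to the standard time claims. The claim names follow RFC 7519 (exp, nbf, iat); the function and class names, the choice to treat the 10-second floor as a hard error and the 60-second ceiling as a cap, and the requirement that exp be present are assumptions of this example.

```python
"""Time-claim validation with a bounded clock-skew allowance.

Added example (not from the FAPI WG notes or any OIDF code). It
illustrates the #603 decision: the allowance a server grants for
clock skew shall be at least 10 seconds and should be at most 60.
Function and class names are assumptions of this example.
"""
from dataclasses import dataclass

MIN_SKEW_SECONDS = 10   # "shall be no less than 10 seconds"
MAX_SKEW_SECONDS = 60   # "should not be more than 60 seconds"


class SkewPolicyError(ValueError):
    """Raised when a deployment configures a skew allowance below the floor."""


def effective_skew(configured_seconds: int) -> int:
    """Apply the #603 bounds to a deployment's configured allowance.

    A value below the 10-second floor violates a "shall", so it is
    rejected outright; a value above 60 seconds is capped, since the
    ceiling is a "should" that ecosystems may tune (example policy).
    """
    if configured_seconds < MIN_SKEW_SECONDS:
        raise SkewPolicyError(
            f"clock-skew allowance {configured_seconds}s is below the "
            f"{MIN_SKEW_SECONDS}s minimum")
    return min(configured_seconds, MAX_SKEW_SECONDS)


@dataclass(frozen=True)
class TimeCheck:
    ok: bool
    reason: str


def check_time_claims(claims: dict, now: int,
                      configured_skew: int = MIN_SKEW_SECONDS) -> TimeCheck:
    """Validate exp / nbf / iat against `now` (Unix seconds) with tolerance.

    - exp: the token is expired once now > exp + skew
    - nbf: the token is not yet valid while now < nbf - skew
    - iat: an issued-at time further in the future than the skew is
      rejected, which catches a badly misconfigured issuer clock
    exp is required in this example; nbf and iat are checked only when
    present.
    """
    skew = effective_skew(configured_skew)

    exp = claims.get("exp")
    if not isinstance(exp, int):
        return TimeCheck(False, "exp claim missing or not an integer")
    if now > exp + skew:
        return TimeCheck(False, f"expired: now={now} > exp={exp} + skew={skew}")

    nbf = claims.get("nbf")
    if isinstance(nbf, int) and now < nbf - skew:
        return TimeCheck(False, f"not yet valid: now={now} < nbf={nbf} - skew={skew}")

    iat = claims.get("iat")
    if isinstance(iat, int) and iat > now + skew:
        return TimeCheck(False, f"issued in the future: iat={iat} > now={now} + skew={skew}")

    return TimeCheck(True, f"within tolerance (skew={skew}s)")


# Constructed sample: a token that expired 5 seconds before SAMPLE_NOW,
# so it is accepted at the 10-second floor but rejected 20 seconds later.
SAMPLE_CLAIMS = {"iss": "https://as.example", "iat": 1_699_999_700,
                 "nbf": 1_699_999_700, "exp": 1_699_999_995}
SAMPLE_NOW = 1_700_000_000

if __name__ == "__main__":
    print(check_time_claims(SAMPLE_CLAIMS, SAMPLE_NOW, configured_skew=10))
    print(check_time_claims(SAMPLE_CLAIMS, SAMPLE_NOW + 20, configured_skew=10))
```

The same allowance is applied symmetrically to exp, nbf and iat; the floor is enforced at configuration time rather than per request, so a deployment that tries to disable skew tolerance fails fast instead of silently rejecting valid tokens from peers whose clocks drift by a few seconds.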

7.   AOB (Nat)

  • n/a

The meeting adjourned at 15:00.
