1.   Roll Call (Nat)

• Attendees: Brian, Nat, Daniel, Takahiko, Peter, Kosuke, Bjorn, Dave, Domingos
• Regrets:

2.   Adoption of agenda (Nat)

• Adopted as is.

3.   Events (Mike L.)

4.   Liaison/Ext Org (Mike/Chris)

n/a

5.   PRs (Dave)

• PR #434 - Update DPoP references in FAPI 2 SP
  • Update to references to final spec
  • Need update to correct title
• PR #417 - ciba refactor to support FAPI2
  • Need to address comments in security analysis
• PR #435 - Add note on identity and session management
  • Fix for #619 - Authentication property of FAPI 2.0
  • The 2 attacks are out of scope for FAPI 2.0
  • PR points out the limits of the attacker model, no session management and authentication
  • FAPI 2.0 does not deal with identity problems
  • Brian pointed out that there are no Relying Parties in FAPI2. Daniel is going to fix the text.
  • Will need to add the text to the security profile also

6.   Issues (Dave)

• #623: Replace reference to obsolete RFC7525 with BCP195
  • Difficult to link to BCP due to lack of title, authors, publication date
  • People commonly link to the latest document in the BCP series
  • Some don’t mention relevant topics (ciphersuites) needed by FAPI
  • Need wording requiring the use of the latest BCP that updates the list of allowed/disallowed ciphers. Use the latest advice regarding ciphers in the BCP series.
  • Using the latest document is not favored
  • Daniel will create PR
• #612 - Is there any test items in 5.1 of FAPI 1 Advanced? (Hanging paragraph in 5.1)
  • Assigned to Edmund
• #611 - Can 8.3.5 of FAPI 1 Advanced moved to 8.3.4?
  • Assigned to Edmund
• #616 - Add section about errata changes
  • Assigned to Edmund
• #624 - " client's misconfigured token endpoint" is confusing
  • Assigned to Edmund
• #395: Unclear formatting in FAPI1-Baseline final client section
  • Assigned to Edmund
• #451 - FAPI 1 - Authors' Addresses: Edmund's name is missing
  • Assigned to Edmund
• #622 - Review FAPI1 security considerations for clarity
  • Dave will create PR
  • Tom has concerns with some wording
• #603 - Require servers to allow for clock skew
  • Discussed last week
    • shall for 10 seconds
    • should for 60 seconds (with note that ecosystems may want to adjust)
• #621 - FAPI CIBA
  • Needs update
• #608 - Make clear that requests and responses to resource servers don't have to be bound
  • Need to be resolved
• #625 - Changes to introduction of http signing section
  • Need to be resolved
• #604 - Please put "Draft" in the title of drafts
  • Assigned to Edmund
• #579- FAPI2SP: Note about client assertion audience looks misleading
  • Wording has already been discussed
• #577 - FAPI2SP appears to permit response_types "id_token", "id_token token" and "none"
  • require response_type=code
  • Dave will create PR
• #570 - Deprecation & removal of FAPI 1 Implementer's Draft conformance certification tests/programme
  • Leave open
• #597 - Add text about conformance testing to FAPI2
  • Add similar text from FAPI 1
  • Daniel will create PR
• #596 - Non Repudiation
  • Dave will create PR
• #594 - Value of JARM for non-repudiation
  • Waiting for PR
• #575 - Issue with http sig request/response binding
  • Already dealt with
• #565 - Add privacy consideration
  • Nat to provide PR
• #557 - [FAPI 2.0] Move "MTLS Protection of all endpoints" from [Message Signing] to [Security Profile]
  • SP does not require MTLS
  • When using TLS as a transport, AS should expect clients to call endpoints in the root of the server metadata and not those found in MTLS endpoint aliases
  • Some ecosystems use MTLS even when using private key JWT
  • Need update from Filip and Joseph
• #562 - Scope needs clarification
  • Current text seems to be for clients
  • Turn current text into bullet points
  • Add points for AS, RS, and attacker model

7.   AOB (Nat)

• n/a

The meeting adjourned at 15:00.