FAPI WG Agenda & Meeting Notes (2023-10-18)
- Date & Time: 2023-10-18 14:00 UTC
- Location: https://zoom.us/j/97456084642?pwd=bTRFVzk4ZmlRK1M3bEprRlN5c3JFZz09
Agenda
The meeting was called to order at 14:03 UTC.
1. Roll Call (Nat)
- Attendees: Nat, Mike, Bjorn, Brian, Chris, Daniel, Kosuke, Lukas, Robert, Peter, Abdulelah Alanqry
- Regrets:
2. Adoption of agenda (Nat)
- Adopted as is.
- FDX Seminar Summit update
- Saudi Arabia updates
3. Events (Mike L.)
3.1. IIW Workshop
Presentations are now available at https://openid.net/openid-foundation-workshop-at-cisco/.
Meeting recordings will be posted shortly.
3.2. FDX Summit
4-6 Oct.
Lukas, Chris, Joseph, and Mike made presentations.
Had a meeting with FDX board members.
Looking to build a certification framework with FAPI.
The problem is not certification: banks, FIs, and data access platforms/aggregators don't see value or reason to move away from basic OAuth implementations.
Need to convince them to adopt FAPI.
FAPI is part of their standards, but there is no requirement for adoption.
Should set up a conversation between CISOs/security architects from banks/FIs and OIDF.
Need to convince key players of why FAPI should be adopted before talking about certification.
Joseph/Mike meet with FDX monthly.
FDX is going through an RFP process for certification.
Will coordinate on setting up a meeting between Chris and FDX.
Lukas suggested hosting a webinar for FDX members about the benefits of FAPI compliance and certification.
Joseph will give a FAPI presentation at the upcoming FDX summit in the spring in DC.
Could also consider a stand-alone workshop about FAPI certification and conformance.
3.3. Upcoming OIDF/Industry Events
MikeL will update OIDF and other industry events to the OIDF website.
Please send any 2024 industry event recommendations to MikeL at mike.leszcz@oidf.org.
3.4. ISO SC27 WG5
Planning is under way for the next meeting in April 2024.
Please send Nat information about events that may coincide with that time, to minimize conflicts.
4. Liaison/Ext Org (Mike/Chris)
4.1. SAMA
Have been discussing moving from FAPI1 to FAPI2. May introduce the requirement in the KSA 2.0 standards for Payment Initiation next month.
Abdulelah has some points of concern:
- Readiness of OIDF for certifying FAPI2 compliance
- Amount of change between FAPI1 and FAPI2
- Adoption rate of SPs for FAPI compliance. Banks would rely on vendors to provide compliance if mandated. Would like to gauge the maturity of the market.
If SAMA decides to migrate, the implementation mandate will be rolled out gradually and adjusted according to ecosystem feedback.
- Certifications for FAPI2/AU ConnectID are already available and there are certified implementations.
- FAPI2 is an improvement on FAPI1: it introduces no additional risks, simplifies implementation, and is more mature.
- Has an attacker-model analysis for additional assurance.
- One caveat: FAPI2 does not cover identity/authentication session management.
- So adopters need to add those back in at the security or data layer.
- No normative changes are expected between now and the final draft.
- The final review period is 60 days, so the expectation is that the final draft will be released in Q1 2024.
- There are certified vendors on the certifications page.
Will need some definition of the identity/authentication component to be layered on top of FAPI2 in order to be fully secured.
Since identity is decoupled from FAPI2, identity/authentication can be done more flexibly, but the adopter now needs to do that part themselves.
The approach will be to keep FAPI1 for the moment but announce that there will be an update migrating to FAPI2.
Another approach, to lessen the impact of migration, is to adopt the FAPI2 requirements in FAPI1 now, e.g. authorization code flow only, PAR, PKCE.
4.2. Brazil
Confirmed recertification milestones for 2024
Open Finance recerts will be Feb-Apr 2024
OPIN recerts will be May-July 2024
5. PRs (Dave)
- PR #435 - Add note on identity and session management. Fix for #619 - Authentication property of FAPI 2.0
  - PR points out the limits of the attacker model: no session management and authentication
  - Security analysis was done without assuming that OIDC will be used in conjunction, and that is reflected in the Security Profile
  - Analysis covers cases with and without the use of OIDC
  - Analysis makes no assumptions about the kinds of user authentication used at the AS
  - Review/feedback is welcome
- PR #436 - Add text on conformance testing
  - Joseph to review latest updates to PR
- PR #449 - Fixes #624 - "client's misconfigured token endpoint" is confusing. Brian will review
- PR #448 - Fixes #616 - Add errata changes. Editorial, skipped
- PR #445 - Fixes #612 - Hanging paragraph in 5.1. Editorial, skipped
- PR #446 - Fixes #611 - Moved 8.3.5 to 8.3.4. Editorial, skipped
- PR #441 - Make note around audience param clearer
  - Dave will review comments and update PR
- PR #439 - Adjust scope to make clear it's not just clients
  - Dave will change "RESTful API" text to something else
- PR #440 - Add text about clock skew
  - Awaiting Dave to update PR
- PR #437 - Move MTLS Protection of all endpoints to SP. Related to #557 - [FAPI 2.0] Move "MTLS Protection of all endpoints" from [Message Signing] to [Security Profile]
  - Awaiting approval from Joseph
- PR #444 - Add clause around message integrity. Related to #594 - Value of JARM for non-repudiation
  - WG to review and approve
  - Daniel pointed out a typo
- PR #443 - Add security considerations around non-repudiation limitations
  - Additional reviews requested
- PR #442 - Improve wording around which grant and response types are supported. Issue #577 - FAPI2SP appears to permit response_types "id_token", "id_token token" and "none"
  - Additional reviews requested
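The SAMA discussion under 4.1 suggests adopting the FAPI2 requirements (authorization code flow only, PAR, PKCE) ahead of a formal migration, and PR #442 / #577 above concerns which response types the profile permits. The following is an added example, not code from the FAPI WG, SAMA or any of the PRs, showing those requirements as concrete client-side and authorization-server-side checks. Parameter names are the standard ones from RFC 6749, RFC 7636 and RFC 9126; the client_id, redirect_uri and scope values are made up, and the known-answer test vector for S256 is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets

# Added example, not FAPI WG or SAMA code. Shows the FAPI 2.0 Security Profile
# requirements named in the meeting as concrete checks: response_type=code
# only, PAR, and PKCE with S256. Endpoint and client values are hypothetical.


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: random PKCE code_verifier (RFC 7636 section 4.1).

    32 random bytes, base64url-encoded without padding, give 43 characters,
    which is the minimum length the RFC allows.
    """
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_par_body(client_id: str, redirect_uri: str, scope: str, verifier: str) -> dict:
    """Client side: the form parameters pushed to the PAR endpoint (RFC 9126).

    The browser redirect then carries only client_id and the returned
    request_uri, so none of these values travel through the front channel.
    """
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }


def validate_authorization_request(params: dict, came_via_par: bool) -> list:
    """AS side: reject requests that fall outside the FAPI 2.0 SP constraints.

    Returns a list of reasons; an empty list means the request is acceptable.
    """
    errors = []
    if not came_via_par:
        errors.append("request must be pushed via PAR and referenced by request_uri")
    if params.get("response_type") != "code":
        # Implicit and hybrid response types ("id_token", "id_token token",
        # "token", "none") are not permitted; only the code flow is.
        errors.append("response_type must be 'code'")
    if params.get("code_challenge_method") != "S256":
        errors.append("code_challenge_method must be S256 (plain is not allowed)")
    challenge = params.get("code_challenge", "")
    if len(challenge) != 43:
        errors.append("code_challenge must be a 43-character base64url SHA-256")
    return errors


def verify_pkce_at_token_endpoint(stored_challenge: str, presented_verifier: str) -> bool:
    """AS side: bind the code exchange to the client that started the flow."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    body = build_par_body("client-123", "https://client.example/cb", "accounts", verifier)
    print("PAR body:", body)
    print("AS accepts request:", validate_authorization_request(body, came_via_par=True) == [])
    print("token endpoint PKCE ok:", verify_pkce_at_token_endpoint(body["code_challenge"], verifier))
```

The AS-side gate is where a FAPI1 deployment can start enforcing the FAPI2 constraints today without waiting for the final draft: an implicit or hybrid request, a plain PKCE method, or a request that bypassed PAR is refused before any code is issued, and the token endpoint still re-derives the challenge from the presented verifier with a constant-time comparison.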