fapi / FAPI_Meeting_Notes_2023-10-18_Atlantic

FAPI WG Agenda & Meeting Notes (2023-10-18)

The meeting was called to order at 14:03 UTC.

1.   Roll Call (Nat)

  • Attendees: Nat, Mike, Bjorn, Brian, Chris, Daniel, Kosuke, Lukas, Robert, Peter, Abdulelah Alanqry
  • Regrets:

2.   Adoption of agenda (Nat)

  • Adopted as is.
  • FDX Seminar Summit update
  • Saudi Arabia updates

3.   Events (Mike L.)

3.1.   IIW Workshop

Presentations are now available at https://openid.net/openid-foundation-workshop-at-cisco/.

Meeting recordings will be posted shortly.

3.2.   FDX Summit

4-6 Oct.

Lukas, Chris, Joseph and Mike made presentations.

Had a meeting with FDX board members.

FDX is looking to build a certification framework with FAPI.

The problem is not certification: banks, FIs, and data access platforms/aggregators don't see value or reason to move away from basic OAuth implementations.

Need to convince them to adopt FAPI.

FAPI is part of the FDX standards, but there is no requirement for adoption.

Should set up a conversation between CISOs/security architects from banks/FIs and OIDF.

Need to convince key players of why FAPI should be adopted before talking about certification.

Joseph/Mike meet with FDX monthly.

FDX is going through an RFP process for certification.

Will coordinate on setting up a meeting between Chris and FDX.

Lukas suggested hosting a webinar for FDX members about the benefits of FAPI compliance and certification.

Joseph will give a FAPI presentation at the upcoming FDX summit in the spring in DC.

Can also consider a stand-alone workshop about FAPI certification and conformance.

3.3.   Upcoming OIDF/Industry Events

MikeL will add OIDF and other industry events to the OIDF website.

Please send any 2024 industry event recommendations to MikeL at mike.leszcz@oidf.org.

3.4.   ISO SC27 WG5

Planning is in progress for the next meeting in April 2024.

Please send Nat information about events that may coincide with that time, to minimize conflicts.

4.   Liaison/Ext Org (Mike/Chris)

4.1.   SAMA

SAMA has been discussing moving from FAPI1 to FAPI2, and may introduce the requirement in the KSA 2.0 standards for Payment Initiation next month.

Abdulelah has some points of concern:

  1. Readiness of OIDF for certifying FAPI2 compliance.
  2. Amount of change between FAPI1 and FAPI2.
  3. Adoption rate of SPs for FAPI compliance. Banks would rely on vendors to provide compliance if mandated. Would like to gauge the maturity of the market.

If SAMA decides to migrate, the implementation mandate will be rolled out gradually and adjusted according to ecosystem feedback.

Responses from the WG to the three concerns:

  1. Certifications for FAPI2/AU ConnectID are already available and there are certified implementations.
  2. FAPI2 is an improvement on FAPI1 that introduces no additional risks, simplifies implementation and is more mature.
    • It has an attacker-model security analysis for additional assurance.
    • One caveat: FAPI2 does not cover identity/authentication or session management.
    • Adopters therefore need to add these back in at the security or data layer.
    • No normative changes are expected between now and the final draft.
    • The final review period is 60 days, so the expectation is that the final draft will be released in Q1 2024.
  3. There are certified vendors on the certifications page.

Adopters will need some definition of the identity/authentication component to be layered on top of FAPI 2 in order to be fully secured.

Since identity is decoupled from FAPI2, there is more flexibility in how identity/authentication is done, but adopters will need to do that part themselves.

The approach will be to keep FAPI1 for the moment but announce that there will be an update that migrates to FAPI2.

Another approach to lessen the impact of migration is to adopt the FAPI2 requirements in FAPI1 now, e.g. code flow only, PAR and PKCE.
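As an added example, not taken from the WG notes or from any FAPI specification text: the following Python shows what the three requirements named above (authorization code flow only, PAR per RFC 9126, PKCE with S256 per RFC 7636) look like on the wire, from the client side that builds the request and from the authorization-server side that must reject legacy FAPI 1 shapes. Endpoint URLs, the client_id, the redirect_uri and the request_uri value are hypothetical placeholders.

```python
"""Added example: the FAPI 2.0 request shape a FAPI 1 ecosystem can adopt
early - code flow only, PKCE (S256) and Pushed Authorization Requests.
Hosts, client identifiers and the request_uri below are constructed values."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical authorization server endpoints (assumptions, not real hosts).
AS_ISSUER = "https://as.example.com"
PAR_ENDPOINT = AS_ISSUER + "/par"
AUTHZ_ENDPOINT = AS_ISSUER + "/authorize"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple[str, str]:
    """Fresh 256-bit verifier (43 base64url chars) and its S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def build_par_body(client_id: str, redirect_uri: str, scope: str,
                   code_challenge: str, state: str) -> str:
    """Form body the client POSTs to the PAR endpoint. Everything that a
    FAPI 1 client would have put in the browser URL travels here instead."""
    return urlencode({
        "response_type": "code",           # code flow only, no implicit/hybrid
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,  # PKCE
        "code_challenge_method": "S256",
    })


def build_authorization_url(client_id: str, request_uri: str) -> str:
    """Front-channel request after PAR: only client_id and the request_uri
    the AS returned from the PAR endpoint."""
    return AUTHZ_ENDPOINT + "?" + urlencode(
        {"client_id": client_id, "request_uri": request_uri})


# ---- Authorization-server side checks --------------------------------------

def validate_par_body(body: str) -> list[str]:
    """Reject request shapes FAPI 1 permitted but FAPI 2 does not."""
    p = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    errors = []
    if p.get("response_type") != "code":
        errors.append("response_type must be 'code' (no implicit/hybrid flows)")
    if "code_challenge" not in p:
        errors.append("code_challenge is required (PKCE)")
    if p.get("code_challenge_method") != "S256":
        errors.append("code_challenge_method must be S256 ('plain' is not allowed)")
    if "request_uri" in p:
        errors.append("request_uri must not appear inside a PAR request")
    return errors


def validate_front_channel(url: str) -> list[str]:
    """FAPI 2 requires every authorization request to be pushed first."""
    q = parse_qs(urlsplit(url).query)
    errors = []
    if "request_uri" not in q:
        errors.append("authorization request must carry a PAR request_uri")
    if "client_id" not in q:
        errors.append("client_id is required alongside request_uri")
    return errors


def verify_code_verifier(stored_challenge: str, code_verifier: str) -> bool:
    """Token endpoint: enforce RFC 7636 length bounds, recompute S256 over the
    presented verifier and compare in constant time."""
    if not 43 <= len(code_verifier) <= 128:
        return False
    return hmac.compare_digest(pkce_challenge(code_verifier), stored_challenge)


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    body = build_par_body("client-123", "https://tpp.example.com/cb",
                          "openid payments", challenge, secrets.token_urlsafe(16))
    assert validate_par_body(body) == []
    # The AS would answer the PAR POST with a request_uri; this one is constructed.
    url = build_authorization_url("client-123",
                                  "urn:ietf:params:oauth:request_uri:abc123")
    assert validate_front_channel(url) == []
    assert verify_code_verifier(challenge, verifier)
    print("PAR body:", body)
    print("authorization URL:", url)
```

The server-side checks are where the migration bites: a FAPI 1 client that still sends `response_type=code id_token` or omits `code_challenge` fails at the PAR endpoint, and a client that skips PAR and puts the full request in the browser URL fails at the authorization endpoint, which is exactly the behaviour an ecosystem gets once the FAPI 2 requirements are switched on.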

4.2.   Brazil

Confirmed recertification milestones for 2024

Open Finance recerts will be Feb-Apr 2024

OPIN recerts will be May-July 2024

5.   PRs (Dave)

  • PR #435 - Add note on identity and session management
    • Fix for #619 - Authentication property of FAPI 2.0
    • PR points out the limits of the attacker model, no session management and authentication
    • Security analysis done without the assumption that OIDC will be used in conjunction and that is reflected in the Security Profile
    • Analysis covers cases with and without the use of OIDC
    • Analysis does not make assumptions about the kinds of user authentication used at the AS
    • Review/feedback is welcome
  • PR #436 - Add text on conformance testing
    • Joseph to review latest updates to PR
  • PR #449 - fixes #624 - "client's misconfigured token endpoint" is confusing
    • Brian will review
  • PR #448 - fixes #616 - Add errata changes
    • Editorial, Skipped
  • PR #445 - fixes #612 - Hanging paragraph in 5.1
    • Editorial, Skipped
  • PR #446 - fixes #611 - Moved 8.3.5 to 8.3.4
    • Editorial, Skipped
  • PR #441 - make note around audience param clearer
    • Dave will review comments and update PR
  • PR #439 - adjust scope to make clear it's not just clients
    • Dave will change "RESTful API" text to something else
  • PR #440 - add text about clock skew
    • Awaiting Dave to update PR
  • PR #437 - move MTLS Protection of all endpoints to SP
    • Related to #557 - [FAPI 2.0] Move "MTLS Protection of all endpoints" from [Message Signing] to [Security Profile]
    • Awaiting approval from Joseph
  • PR #444 - add clause around message integrity
    • #594 - Value of JARM for non-repudiation
    • WG to review and approve
    • Daniel pointed out a typo
  • PR #443 - add security considerations around non repudiation limitations
    • Additional reviews requested
  • PR #442 - improve wording around which grant and response types are supported
    • #577 - FAPI2SP appears to permit response_types "id_token", "id_token token" and "none"
    • Additional reviews requested

6.   AOB (Nat)

  • n/a

The meeting adjourned at 15:00.
