fapi / FAPI_Meeting_Notes_2023-11-01_Atlantic

FAPI WG Agenda & Meeting Notes (2023-11-01)

The meeting was called to order at 14:03 UTC.

1.   Roll Call (Nat)

  • Attendees: Domingos, Nat, Brian, Dima, Bjorn, Joseph, Victor, Kosuke, Chris, George
  • Regrets:

3.   Events (Mike L.)

3.1.   IETF Prague

We are cancelling the FAPI call as it collides with OAuth WG.

Joseph and Nat are going to be there.

4.   Liaison/Ext Org (Mike/Chris)

4.1.   SAMA

About to publish standard for Payments Initiation. Sticking to the same security profile for now. FAPI1 Adv + PAR.

There will be associated notes to help people get ready for FAPI2?

5.   PRs (Dave)

  • PR #441 - make note around audience param clearer
    • Looks good
  • PR #442 - improve wording around which grant and response types are supported
    • Awaiting response from Daniel and Dave
  • PR #440 - add text about clock skew
    • Awaiting correction for typos
  • PR #438 - attempt to clarify code phishing attack in fapi1
    • Awaiting review from Joseph and others
  • PR #439 - adjust scope to make clear it's not just clients
    • May add others and add note about sessions
    • Will merge
  • PR #444 - add clause around message integrity
    • Awaiting typo correction
  • PR #435 - Add note on identity and session management
    • Awaiting update from Daniel for comments
  • PR #417 - ciba refactor to support FAPI2
    • Nat proposed to accept PR and rebase work on PR
    • The PR is essentially a rewrite so accept PR and start new discussions on new text
  • PR #443 - add security considerations around non repudiation limitations
    • Awaiting further reviews
    • There is a typo in “real-word” and “gurantees” and inconsistent hyphenation

6.   Issues (Dave)

  • #570 - Deprecation & removal of FAPI 1 Implementer's Draft conformance certification tests/programme
    • Joseph will add updates and ask for feedback from OBIE
    • Assigned to Joseph
  • #628 - Send acceptance of the report by U Stuttgart for WP2
    • Resolved. Nat has signed the letter.
  • #627 - Proposed change to invalid redirect url test in all FAPI conformance suites
    • Attacks were found for redirect_uris that include extra characters in the path
    • Joseph proposed changes to detect and reject such urls
    • Similar tests have been added to the Connect conformance tests
    • OIDC mandates exact matching, so these types of attacks don’t work, but OAuth has no such mandate. The redirect_uri identifies an authentic client, so restrictions should be imposed.
    • Will make explicit text in FAPI2 specs
    • Formal analysis did not find such attacks but maybe controls in FAPI2 prevented them
    • WG agreed to updating conformance tests
  • #609 - CIBA - Make clear limitation of binding message
    • Previously, we discussed referring to the OAuth Cross-Device draft, but it’s still a pretty new spec for a normative reference
    • Make an informative reference to the draft’s information page (https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/)
    • Nat proposed linking to a specific section in a specific version of the draft but it’s not ideal. If newer versions exist, look for comparable sections in the latest version.
  • #594 - Value of JARM for non-repudiation
    • Will discuss in next call
  • #596 - Non Repudiation
    • Will discuss in next call
  • #577 - FAPI2SP appears to permit response_types "id_token", "id_token token" and "none"
    • Skipped
  • #579 - FAPI2SP: Note about client assertion audience looks misleading
    • Skipped
  • #603 - Require servers to allow for clock skew
    • Skipped
  • #562 - Scope needs clarification
    • Skipped
  • #457 - Create JSON Schema for Grant Management Specification
    • Skipped
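The #627 discussion above turns on exact redirect_uri matching. The following is an added illustration, not code from the conformance suite or any WG member: a lenient prefix check of the kind that lets extra path characters through, beside the simple string comparison an authorization server should use. The client registration and candidate URIs are constructed sample values.

```python
"""Exact redirect_uri matching versus a lenient prefix check (added example)."""
from urllib.parse import urlsplit

# Constructed sample registration for a hypothetical client; not from the page.
REGISTERED = {
    "client-123": {"https://rp.example.com/callback"},
}


def lax_prefix_match(client_id: str, candidate: str) -> bool:
    """Lenient check some servers use: accept any candidate that merely
    starts with a registered value. Extra path characters pass this check."""
    return any(candidate.startswith(r) for r in REGISTERED.get(client_id, ()))


def exact_match(client_id: str, candidate: str) -> bool:
    """Simple string comparison with no normalization: the candidate must be
    character-for-character equal to a registered redirect_uri."""
    return candidate in REGISTERED.get(client_id, ())


def redirect_uri_accepted(client_id: str, candidate: str) -> bool:
    """Authorization-server decision: unknown clients, unparsable URIs and
    anything that is not an exact match are rejected."""
    if client_id not in REGISTERED:
        return False
    parts = urlsplit(candidate)
    if not parts.scheme or not parts.netloc:
        return False  # not an absolute URI
    return exact_match(client_id, candidate)


# Constructed candidates: only the first is the registered value; the rest
# carry extra characters in the path, query or final path segment.
SAMPLE_CANDIDATES = [
    "https://rp.example.com/callback",
    "https://rp.example.com/callback/extra",
    "https://rp.example.com/callback?x=1",
    "https://rp.example.com/callbackX",
]


def compare_checks(client_id: str) -> dict:
    """Map each sample candidate to (lax result, exact-match result)."""
    return {
        c: (lax_prefix_match(client_id, c), redirect_uri_accepted(client_id, c))
        for c in SAMPLE_CANDIDATES
    }


if __name__ == "__main__":
    for uri, (lax, strict) in compare_checks("client-123").items():
        print(f"{uri:45} lax={lax!s:5} exact={strict}")
```

Only the registered value survives the exact check; every variant with extra characters is accepted by the prefix check and rejected by the exact one.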

7.   AOB (Nat)

Review 2024 WG Objectives

https://docs.google.com/presentation/d/1JYpgQJDR853CzGTlLU14qmE_i88t3zHt/edit#slide=id.p9

Should put version numbers on FAPI 2 Baseline and Message Signing

What are the plans for Grant Management? It looks stalled; there are no commitments from ecosystems to use it so far.

Is WG still interested in working on it? Spec will not progress alone, needs ecosystem support.

Australia is still interested but there is no timeline.

Camara Project has a work stream related to identity and consent.

The intent is to promote GM as the baseline standard on which to build their consent work.

Camara project needs more education regarding GM.

GM should be applicable to their use case.

Instead of “progress GM to Final”, change the objective to “promote GM to ecosystems”.

Should we delay Security Analysis on GM? It’s better to do analysis on versions closer to final as spec may change.

Dima will confirm plans with CDI in Australia. AU has asked for analysis.

Funding for the different tasks should use current-year funding levels.

The meeting adjourned at 15:00.
