FAPI WG Agenda & Meeting Notes (2023-11-15)

CFPB recently published their rules – shared spreadsheet to collect feedback for CFPB: https://docs.google.com/spreadsheets/u/4/d/14x6BOqO8l5-yjk0qm1m6aaDwjqpseLgMTCIx_Rd036I/htmlview.
Feedback due 12/14/23
Two calls scheduled:
- EU & US focussed slot - 17th November – 16:30 GMT – 11:30 EST – 08:30 PT
- EU & Asia focussed slot – 16th November – 10:30 GMT – 19:30 JST – 21:30 Aus
Please get in touch with Mark for the call-in info.
Lukasz: Who would be the Standard Setting Bodies(SSB) that are recognised by CFPB? OIDF, FDX? OIDF should consider being a recognized SSB.
Joseph: SSB probably means FDX. Probably looking for a SSB that sets up ecosystem wide rules and not individual standards organizations that don’t provide a complete set of rules and governance and operational processes.

Many organizations have asked for extension to the comments deadline (Dec 30) but no extension has been granted yet. * If leaning towards FDX which then uses FAPI, is that fine or should we be concerned? * If FAPI is not strongly mandated for all members, then OIDF should be recognized to give clear guidance for a * security model. * Having a recognized SSB is better than banks coming up with their own profiles. * CFPB is looking for a open standards body so there may be comments in this regards from FDX which is a paid members organization. * Interested members should join the schedule calls to discuss and provide feedback * Contact Mark Haines for an invite to the meetings.

4.5. IETF/OAuth (Rifaat)

Scope questions of OAuth as some of the VC related work may belong to new proposed WG that had BoF.
- SPICE/WHIMSE BoF.
Adopted and discussed SD-JWT, SD-JWT-VC, attestation-based client authentication, OAuth Status List.
Browser based app discussion. New authors joining to help this documentation. Significantly improved.
Discussed 2 new documents Transaction tokens and Identity chaining. They’re about workloads and how to secure transactions or interactions between components.

** Good support for adopting the document. Official call for adoption in the ML.

5. PRs (Dave)

PR #444 - add clause around message integrity
- ~~#594~~ - Value of JARM for non-repudiation
- The typo needs to be fixed.
- JARM moved to MS spec is is useful for more than just non-repudiation
- JARM is not needed to meet security goals in the attacker model but can enable some attacks to be detected earlier
- Need feedback on wording
- Change “may” to “might”
- Odd to say primary goal of JARM is non-repudiation but have features that don’t provide non-repudiation
- There are not enough details in the JARM token to be useful (e.g. what was requested, consent).
- Non-repudiation with JARM is tenuous
- JARM currently only signs the authorization response
- JARM doesn’t give non-repudiation but there are other security benefits
- One option is to remove JARM. Other is to keep it but need to work on wording about message integrity and give examples of attacks that can be detected.
- FAPI2 Baseline goal is to reach security goals with message signing
- Message Signing references JARM for non-repudiation but seems like it doesn’t make sense
- Message integrity sounds like a key goal for Message signing rather than non-repudiation
- Dave asks whether we should remove JARM.
- One of the justifications for JARM in MS was to provide an upgrade path from FAPI1 where some ecosystems are using JARM. JARM is optional in Brazil.
- Dave will solicit feedback from ML on whether to remove JARM.
- Create a new issue for removing JARM for discussion and link to ~~#594~~.
PR #442 - improve wording around which grant and response types are supported
- Waiting for updates
- Don’t want to be very specific about grant types because we want to be usable by extensions
- Make clear in authorization code flow that we require code in the response type
PR #443 - add security considerations around non repudiation limitations
- Need to fix typos
- Does not provide non-repudiation guarantees for sequences of messages nor front-channel authorization requests
- Difficult to link a signed message to a real world identity
- Change “this specification” to “this document” according to ISO rules
- Brian suggested to discuss JARM limitations here instead of removing JARM
- Will get feedback on removing JARM on the ML and link to the various issues/PRs

Dima suggested feedback that banks use existing bank authentication and then consider whether improvements are necessary.

Anyone with feedback or interested in reviewing the response should contact Dima.

7.2. Message Signing Name

Lukas asked whether MS spec should be changed to Non-Repudiation since NR seems to be an objective.

Non-repudiation is difficult to define while message signing is a technical method.

MS introductory text needs some reworking.

The meeting adjourned at 15:00.

Wiki

fapi / FAPI_Meeting_Notes_2023-11-15_Atlantic

FAPI WG Agenda & Meeting Notes (2023-11-15)

1. Roll Call (Nat)

2. Adoption of agenda (Nat)

3. Events (Mike L.)

3.1. Annual Board Meeting in Japan and workshop

4. Liaison/Ext Org (Mike/Chris)

4.1. Australia (Dima)

4.2. Open Finance Brasil (Mike)

4.3. SAMA

4.4. CFPB

4.5. IETF/OAuth (Rifaat)

5. PRs (Dave)

6. Issues (Dave)

7. AOB (Nat)

7.1. AU CDR Consultation

7.2. Message Signing Name