FAPI WG Agenda & Meeting Notes (2023-12-06)
- Date & Time: 2023-12-06 14:00 UTC
- Location: https://zoom.us/j/97456084642?pwd=bTRFVzk4ZmlRK1M3bEprRlN5c3JFZz09
Agenda
The meeting was called to order at 14:04 UTC.
1. Roll Call (Nat)
- Attendees: Robert Gallagher, Nat Sakimura, Mark Andrus, Peter Stanley, Brian Campbell, Joseph Heenan, Justin Richer, Gail Hodges, Mark Haine, Dave Tonge, Bjorn, Kosuke Koiwai, Mike Leszcz
- Regrets:
2. Adoption of agenda (Nat)
- 2024 FAPI plans were added.
3. CFPB Response (Mark)
https://lists.openid.net/pipermail/openid-specs-fapi/2023-October/002970.html
CFPB requested comments on Implementation for rules relating to Section 1033 of the Consumer Financial Protection Act of 2010.
Final date for comments is 12/31/2023
They have 146 questions they would like addressed.
Comments being prepared on https://docs.google.com/spreadsheets/d/14x6BOqO8l5-yjk0qm1m6aaDwjqpseLgMTCIx_Rd036I/edit#gid=0
Asked to clarify the definition of a standard-setting body and its characteristics, but didn’t get an answer.
A question was asked if we should ask for the second category of standard-setting body e.g. technical standards body (OIDF) distinct from a rulemaking entity that might aggregate different standards. But it was pointed out in the call that OIDF/FAPI is well positioned as a standard-setting body and we should not need the second category.
CFPB is trying to set rules without defining specific technical standards or technologies. Probed the benefits of a possible catchphrase that embodies FAPI without mentioning FAPI, e.g. phishing-resistant multi-factor authentication = FIDO.
Mark suggested “globally interoperable, secure authorization, multiparty communication protocol”. The standard-setting body definition was taken from OMB Circular A-119: https://www.whitehouse.gov/wp-content/uploads/2017/11/Circular-119-1.pdf
Qualified standard setting body organizations produce qualified industry standards. So OIDF might fit.
Gail points to some requirements regarding operational due process for participants in the ecosystem that OIDF does not meet.
OIDF could be the QSSO which produces standards (FAPI)
Qualified industry standard attributes: openness, balance, due process, an impartial appeals process, consensus, transparency.
The document mentions secure exchange of information between user, third party and data provider, but does not mention communications protocols.
CFPB is trying to come up with a workable framework which will include protocols
Other questions of interest:
- Does the standards body do conformance and certification?
- Definition and requirements for appeals process, but this is not relevant to standards creation
- Identity, verification, and information will be required
- Entity metadata for data providers and TPPs in the ecosystem
- User experience
- Cost and availability of software for delivering the lifecycle of standards - how to move forward
Please fill in the sheets with your name by next Monday.
4. 2024 FAPI WG Plans
FAPI2 Baseline moving to Final
FAPI2 MSG Signing moving to Final
Promote GM to ecosystems
Align FAPI-CIBA to FAPI2
Submit FAPI1 & FAPI2 to ISO
Publish FAPI2 implementation and deployment advice doc
Publish a multi-spec advice document (how to integrate multiple specs in industry deployments - best practices)
Message Signing spec requires known implementations to move forward
Security Analysis Work Package 3
Government Support - CFPB, Canada
LATAM engagement
SE Asia Engagement
OECD
5. Events (Mike L.)
5.1. Annual Board Meeting in Japan and workshop
- https://openid.net/registration-oidf-workshop-tokyo-2024/
- Board meeting on Jan 18, prior to the OIDF Japan Summit.
- Workshop that afternoon.
- Virtual participation is possible.
5.2. SIDI Hub Summit (Gail)
- If anyone is interested in a recap presentation on the Sustainable & Interoperable Digital Identity (SIDI) Hub Summit from Paris last week, just let me know. gail@oidf.org
- 91% of the invitees to the Summit agreed in the exit poll that we needed to continue the conversation into 2024. We are seriously considering conversations on 5 continents next year plus dedicated calls, culminating in G20-related work hosted by Brazil.
6. Liaison/Ext Org (Mike/Chris)
6.1. Open Finance Brasil (Mike)
- Call tomorrow regarding re-certification
- Coordinate 2024 plans.
7. PRs (Dave)
- PR #440 - add text about clock skew
- Awaiting feedback from Mark
- PR #450 - Change references to RFC7525 to BCP195
- Added reference without year to reference the latest version
- PR #438 - attempt to clarify code phishing attack in fapi1
- 3 attacks require a strong attacker
- injection of stolen access token replay
- DPoP proof replay
- Authorization request leaks leading to CSRF
- Attacks requiring a misconfigured token endpoint are mitigated by issuer discovery, so the requirement for discovery should be mentioned
- Add text from FAPI1 Part 2 regarding misconfigured endpoints mitigated by using metadata into 8.3.2
- PR #442 - improve wording around which grant and response types are supported
- Updated the note that the code flow was analyzed against the attacker model in the security analysis, but the spec does support other grant types
- Need feedback regarding wording
- Should mention FAPI-CIBA and the others that had been analyzed at the time of writing
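The clock-skew (PR #440) and DPoP proof replay items above, as an added illustration that is not part of these notes or of the FAPI specifications: a resource-server-side check of an already signature-verified DPoP proof claim set, rejecting proofs outside an assumed skew window and proofs whose jti was already seen. The 30-second skew tolerance, 60-second proof lifetime and all claim values are constructed assumptions, not values from the spec.

```python
import time
from dataclasses import dataclass, field

# Assumed tolerances (not FAPI-mandated values): how far a proof's iat may
# drift from server time, and how long a proof is accepted and its jti kept.
MAX_SKEW_SECONDS = 30
PROOF_LIFETIME_SECONDS = 60


@dataclass
class DpopReplayCache:
    """Remembers seen jti values until they fall outside the acceptance window."""
    seen: dict = field(default_factory=dict)  # jti -> iat

    def check_and_record(self, jti, iat, now):
        # Forget jti values old enough that the iat check would reject them anyway.
        horizon = PROOF_LIFETIME_SECONDS + MAX_SKEW_SECONDS
        self.seen = {j: t for j, t in self.seen.items() if now - t <= horizon}
        if jti in self.seen:
            return False  # replayed proof
        self.seen[jti] = iat
        return True


def validate_dpop_claims(claims, method, url, cache, now=None):
    """Check htm/htu binding, iat freshness with skew, and jti uniqueness.

    Assumes the proof JWT signature and key binding were verified earlier.
    Returns (ok, reason).
    """
    now = time.time() if now is None else now
    for required in ("jti", "htm", "htu", "iat"):
        if required not in claims:
            return False, f"missing {required}"
    if claims["htm"] != method or claims["htu"] != url:
        return False, "proof not bound to this request"
    iat = claims["iat"]
    if iat > now + MAX_SKEW_SECONDS:
        return False, "iat in the future beyond skew"
    if iat < now - PROOF_LIFETIME_SECONDS - MAX_SKEW_SECONDS:
        return False, "proof too old"
    if not cache.check_and_record(claims["jti"], iat, now):
        return False, "jti replayed"
    return True, "ok"
```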
8. Issues (Dave)
8.1. #631 - shall vs shall only
- https://bitbucket.org/openid/fapi/issues/631/shall-vs-shall-only
- If "only" is removed, are bearer access tokens allowed?
- Agreed that being prescriptive is the goal and removing "only" would not be the way.
- Dave will do another pass to see if we can have alignment.
9. AOB (Nat)
The meeting adjourned at 15:00.