FAPI WG Agenda & Meeting Notes (2024-01-10)
- Date & Time: 2024-01-10 14:00 UTC
- Location: https://zoom.us/j/97456084642?pwd=bTRFVzk4ZmlRK1M3bEprRlN5c3JFZz09
Agenda
The meeting was called to order at 14:04 UTC.
1. Roll Call (Nat)
- Attendees: Mike Leszcz, Dave Tonge, Brian Campbell, Lukasz Jaromin, Chris Michael, Filip Skokan, Peter Wallach, Kosuke Kowai, Joseph Heenan
- Regrets:
3. Events (Mike L.)
3.1. OIDF Hybrid Workshop in Tokyo
Tokyo, Japan on Thursday, January 18, 2024
https://openid.net/registration-oidf-workshop-tokyo-2024/
In-person registration is full; virtual attendance is still available
3.2. OpenID Summit Tokyo 2024
https://www.openid.or.jp/summit/2024/en/
Friday, January 19, 2024, 10:00 - 18:00
4. External Orgs & Liaisons (Mike L.)
4.1. Open Finance Brasil
Standardizing on a single profile. Open for a few banks and RPs for testing purposes. If it goes well, it will be open to the public.
5. FAPI 2.0 Issues (Dave/Nat)
To finish the draft off, we need to close the loose ends.
5.1. ID Token Encryption
#659 - No normative statement on id_token encryption
- Fix the table by just saying no ID Token in the front channel.
- Table is intended to be informative
- Certified implementations may not be interoperable due to differences in support for ID Token encryption
- Too restrictive to prohibit encryption
- Limits the use of FAPI as a baseline for other profiles
- For migration from FAPI1 to FAPI2, encryption needs to be disabled
- May want certification test to fail for implementations returning encrypted ID Tokens
- Not prohibiting encryption would mean that certification tests will need to accept encrypted ID Tokens
- Add some text regarding interoperability problems if encrypted ID Tokens are returned
5.2. TLS connections in Security Profile
Reported by Axel Nenker in ML - https://lists.openid.net/pipermail/openid-specs-fapi/2024-January/003003.html
Suggested
"All TLS connections between web browsers, clients, authorization servers, and resource servers shall be protected against network attackers."
should read
"All network connections between web browsers, clients, authorization servers, and resource servers shall be protected against network attackers."
Joseph stated that the suggestion would be wrong.
6. Other Issues & PRs (Dave/Nat)
6.1. PRs
#454 - Add text around enforcement of one-time use of request_uri
#635 - One-time use of request_uri causing error
https://bitbucket.org/openid/fapi/pull-requests/454
- Request objects and JAR has been in use for years, why did this problem surface now?
- But one time use of JAR was not a requirement and was not tested.
- PAR requirement is more stringent than JAR
- Problem may arise because the link containing the request_uri is being rendered (and fetched) somewhere
- Could also be some proxy that is preloading links
- The problem may be implementation-specific, occurring on the client side where something invalidates the request_uri
- Add note
- Dave will update
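To make the one-time-use failure mode discussed above concrete, here is an added Python example (not FAPI WG or OpenID Foundation code). A hypothetical ParStore models an authorization server's handling of PAR request_uri values with expiry and one-time use, and a hypothetical simulate_preview_proxy helper dereferences the same authorize URL twice, as a link-preview bot or prefetching proxy would before the user's browser gets there. The class and function names, the 60-second lifetime and the sample parameters are assumptions; the request_uri URN prefix is the form RFC 9126 defines, and the error code is the one RFC 9101 defines for a request_uri that cannot be used.

```python
# Hypothetical model of an authorization server's PAR request_uri store.
# Added example; not OpenID Foundation or FAPI WG code. ParStore, PushedRequest
# and simulate_preview_proxy are invented names for illustration.
import secrets
import time
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple

REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"  # URN form from RFC 9126


@dataclass
class PushedRequest:
    """One pushed authorization request, bound to the client that pushed it."""
    client_id: str
    params: Dict[str, Any]
    expires_at: float
    used: bool = False


class ParStore:
    """Stores pushed requests; enforces expiry and one-time use when they are resolved."""

    def __init__(self, lifetime_s: float = 60.0) -> None:  # lifetime is an assumed value
        self._entries: Dict[str, PushedRequest] = {}
        self.lifetime_s = lifetime_s

    def push(self, client_id: str, params: Dict[str, Any], now: Optional[float] = None) -> str:
        """PAR endpoint: store the request and return an unguessable request_uri."""
        now = time.time() if now is None else now
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        self._entries[request_uri] = PushedRequest(client_id, dict(params), now + self.lifetime_s)
        return request_uri

    def consume(self, request_uri: str, client_id: str, now: Optional[float] = None) -> Dict[str, Any]:
        """Authorization endpoint: resolve a request_uri exactly once.

        Returns {"ok": True, "params": ...} on success, otherwise
        {"ok": False, "error": "invalid_request_uri"} (error code from RFC 9101).
        """
        now = time.time() if now is None else now
        entry = self._entries.get(request_uri)
        if entry is None or entry.client_id != client_id or now > entry.expires_at or entry.used:
            # Unknown, wrong client, expired and already-consumed all map to the same
            # error so the response does not reveal which check failed.
            return {"ok": False, "error": "invalid_request_uri"}
        entry.used = True  # one-time use: any later dereference of this URI fails
        return {"ok": True, "params": dict(entry.params)}


def simulate_preview_proxy(store: ParStore, client_id: str = "client-a") -> Tuple[bool, bool]:
    """Reproduce the failure mode from the discussion.

    The same authorize URL is dereferenced twice: first by something that preloads
    links (a link-preview bot or prefetching proxy), then by the user's browser.
    With strict one-time use the preloader consumes the request_uri and the real
    navigation is rejected. Returns (preloader_ok, browser_ok).
    """
    params = {  # constructed sample request
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": "https://client.example/cb",
    }
    request_uri = store.push(client_id, params, now=1000.0)
    preloader = store.consume(request_uri, client_id, now=1000.5)
    browser = store.consume(request_uri, client_id, now=1001.0)
    return preloader["ok"], browser["ok"]


if __name__ == "__main__":
    print(simulate_preview_proxy(ParStore()))  # (True, False)
```

The `now` parameter exists only so the expiry path can be exercised deterministically; a real server would use the clock. The simulation shows why the symptom in #635 looks client-side: the authorization server behaves exactly as specified, and the error is caused by whatever fetched the link first.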
6.2. Issues:
#657 - Fix sentence fragments (attacker description contains sentence fragments)
7. AOB (Nat)
- Elections for 2024 Community Representative
- All members in good standing may vote
- 2 corporate representative seats are available
- Candidate statements and election details have been sent to corporate members
The meeting adjourned at 14:__.