FAPI WG Agenda & Meeting Notes (2024-01-17)
- Date & Time: 2024-01-17 14:00 UTC
- Location: https://zoom.us/j/97456084642?pwd=bTRFVzk4ZmlRK1M3bEprRlN5c3JFZz09
Agenda
The meeting was called to order at 14:04 UTC.
1. Roll Call (Nat)
- Attendees: Nat Sakimura, Joseph Heenan, Brian Campbell, Daniel Fett, Filip Skokan, George Fletcher, Kosuke Koiwai, Mark Andrus, Matt Belanger, Peter Stanley, Peter Wallach, Robert Gallager, Victor Lu, Kelley Burgin, Bjorn Hjelm, Dave Tonge, Dima Posnikov, Rifaat Shekh-Yusef
- Regrets:
3. Events (Mike L.)
3.1. OIDF Hybrid Workshop in Tokyo
Tokyo, Japan on Thursday, January 18, 2024
https://openid.net/registration-oidf-workshop-tokyo-2024/
In-person registration is full, virtual attendance is still available.
3.2. OpenID Summit Tokyo 2024
https://www.openid.or.jp/summit/2024/en/
Friday, January 19, 2024, 10:00 - 18:00
4. External Orgs & Liaisons (Joseph)
4.1. OBIE
OBIE is ceasing FAPI 1.0 Read/Write ID-2 certification at the end of next year.
We can probably close https://bitbucket.org/openid/fapi/issues/570/deprecation-removal-of-fapi-1-implementers
4.2. Colombia
Colombia is mandating the FAPI 2.0 Security Profile; the mandate came out last year.
5. FAPI 2.0 Issues (Dave/Nat)
5.2. PR #455 - Renumber attackers, fix editorial stuff
https://bitbucket.org/openid/fapi/pull-requests/455
There may be an external dependency on the attacker numbering: the attacker numbers are cited in the security analysis, but that analysis refers to one specific version of the spec.
Changes were made to the attacker model in response to the analysis.
Suggested adding a note to the attacker model stating that the analysis was based on a previous version of the attacker model.
A table was added to point out the differences between the versions of the attacker model.
The text starting on line 335 does not seem to be explicit enough.
Joseph is going to add comments.
5.4. Issue #670 - Use of FAPI with mandatory MTLS
https://bitbucket.org/openid/fapi/issues/670/use-of-fapi-with-mandatory-mtls
Various ecosystems are mandating the use of MTLS everywhere.
The conformance suite has ecosystem-specific tests.
The goal is to move away from developing ecosystem-specific tests and to standardize the methods instead.
If a new variant is created, it will work the way the current variants do: vendors will test to make sure it works for each ecosystem.
Currently, if a non-plain FAPI profile is selected, MTLS is used everywhere and this pulls in the ecosystem-specific tests.
This may not be addressed just by creating a new variant.
The goal is to make it easier for new ecosystems without creating more divergence.
It would be beneficial to have a note or guidance in the implementation advice on what to watch out for when choosing certain approaches or variants.
Expand the section on MTLS everywhere and make recommendations for when MTLS everywhere is selected.
Filip will create a PR.
5.5. Issue #659 - No normative statement on id_token encryption
- https://bitbucket.org/openid/fapi/issues/659/no-normative-statement-on-id_token
- Discussed whether ID Token encryption should just cause a warning.
- Filip and Brian argued that the line should be removed.
7. AOB (Nat)
The meeting adjourned at 14:__.