fapi / FAPI_Meeting_Notes_2024-01-31_Atlantic

FAPI WG Agenda & Meeting Notes (2024-01-31)

The meeting was called to order at 14:05 UTC.

1.   Roll Call (Nat)

  • Attendees: Mike Leszcz, Nat Sakimura, Filip Skokan, Joseph Heenan, Peter Wallach, Brian Campbell, Dima Postnikov, Victor Lu, Kosuke Koiwai, Daniel Fett, Bjorn Hjelm, Dave Tonge, Michael Palage, Takahiko Kawasaki
  • Regrets:

3.   Meeting Minutes Using Zoom Start Summary

Mike discussed using Zoom's Start Summary feature to draft WG meeting notes.

New roles will be created so that recordings and meetings can be accessed by co-hosts.

The summary tends to record incorrect information and misses important details such as the PR/issue numbers being discussed.

It still needs manual review and corrections.

As they are, the summaries are not suitable for meeting minutes.

4.   Events (Mike L.)

4.1.   OAuth Security Workshop 2024 (Daniel)

Submissions are open.

Deadline: 11th February for early submissions.

https://oauth.secworkshop.events/osw2024

The next deadline is March 10 for submissions.

4.2.   EIC (Joseph)

The call for presentations closes on Jan 31.

Joseph and Daniel have made submissions on FAPI 2.0.

4.3.   OpenID Foundation Workshop (Mike)

April 15 @ Google. Details to be published next week.

5.   External Orgs & Liaisons (Mike L.)

5.1.   Brazil (Mike)

The Certs team is deeply involved in the next round of certification.

6.   FAPI 2.0 PRs & Issues (Dave)

6.1.   PR 458 attempt to clarify and improve mtls-everywhere interoperability

  • PR 458 https://bitbucket.org/openid/fapi/pull-requests/458
  • Related to Issue #670
  • Lengthy discussion. Issue #670 appears to combine the "mTLS everywhere" question with other, separate issues.
  • mTLS is used everywhere and for different reasons: client authentication, token binding (certificate-bound access tokens), and transport-level security between systems.
  • mTLS is sometimes used in conjunction with private_key_jwt client authentication.
  • It would be helpful to have guidance backed by security research that ecosystems can use as a reference.
  • Clients are sometimes unaware that mTLS is required at the PAR endpoint when using private_key_jwt, so they do not look for the mTLS alias endpoints.
  • The PR adjusts the text so that servers must not use mTLS aliases for endpoints that do not need them, e.g. endpoints that only require client authentication but not token binding.
  • If an endpoint requires mTLS, it should not use an mTLS alias.
  • Need to check with Ralph whether this will break the Brazil ecosystem.
  • Filip suggested mining certification results to check whether any certified deployments have this problem.
  • Joseph will add warnings to the certification suite when mTLS aliases are used inappropriately.
  • More guidance may be needed for the certification profiles.
  • "mTLS everywhere" may mean different things in different ecosystems.
  • Action: create a separate issue on the use of "mTLS everywhere".
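To make the alias discussion above concrete, here is an added example (not code from PR 458, the FAPI specifications or any WG member) of the client-side endpoint selection defined in RFC 8705 section 5, together with a metadata check in the spirit of the PR text. The AS metadata, the hostnames as.example and mtls.as.example, and the rule for which endpoints "need" a client certificate are assumptions for illustration only.

```python
"""Added example (not from PR 458 or the FAPI specs): how a client should pick
between an AS's conventional endpoints and its RFC 8705 mtls_endpoint_aliases,
plus a metadata check for aliases published on endpoints that do not need mTLS.

All metadata below is constructed; as.example / mtls.as.example are
hypothetical hosts.
"""
import json

# Constructed AS metadata. mTLS is used here only for certificate-bound access
# tokens (clients authenticate with private_key_jwt), yet the server also
# publishes an alias for the PAR endpoint.
AS_METADATA = json.loads("""{
  "issuer": "https://as.example",
  "token_endpoint": "https://as.example/token",
  "pushed_authorization_request_endpoint": "https://as.example/par",
  "introspection_endpoint": "https://as.example/introspect",
  "token_endpoint_auth_methods_supported": ["private_key_jwt"],
  "tls_client_certificate_bound_access_tokens": true,
  "mtls_endpoint_aliases": {
    "token_endpoint": "https://mtls.as.example/token",
    "pushed_authorization_request_endpoint": "https://mtls.as.example/par"
  }
}""")

# Client authentication methods that present a certificate (RFC 8705).
MTLS_AUTH_METHODS = {"tls_client_auth", "self_signed_tls_client_auth"}

# Endpoints at which a client authenticates and for which RFC 8705 / RFC 9126
# define aliases.
AUTHENTICATED_ENDPOINTS = (
    "token_endpoint",
    "pushed_authorization_request_endpoint",
    "introspection_endpoint",
    "revocation_endpoint",
    "device_authorization_endpoint",
)


def client_uses_mtls(auth_method, cert_bound_tokens):
    """RFC 8705 counts a client as an mTLS client if it authenticates with a
    certificate *or* asks for certificate-bound access tokens. The second
    case is the one private_key_jwt clients tend to overlook."""
    return auth_method in MTLS_AUTH_METHODS or bool(cert_bound_tokens)


def resolve_endpoint(metadata, name, auth_method, cert_bound_tokens):
    """URL the client should call for endpoint `name`: the alias when the
    client uses mTLS in any form and the AS publishes one, otherwise the
    conventional endpoint."""
    if client_uses_mtls(auth_method, cert_bound_tokens):
        alias = metadata.get("mtls_endpoint_aliases", {}).get(name)
        if alias:
            return alias
    return metadata[name]


def endpoints_needing_mtls(metadata):
    """Endpoints where this AS actually needs to see a client certificate.
    Assumption (our reading of the PR text): if the AS supports mTLS client
    authentication, every authenticated endpoint needs the certificate; if it
    only issues certificate-bound tokens, only the token endpoint does."""
    needs = set()
    supported = set(metadata.get("token_endpoint_auth_methods_supported", []))
    if supported & MTLS_AUTH_METHODS:
        needs.update(ep for ep in AUTHENTICATED_ENDPOINTS if ep in metadata)
    if metadata.get("tls_client_certificate_bound_access_tokens"):
        needs.add("token_endpoint")
    return needs


def lint_aliases(metadata):
    """Aliases the AS publishes for endpoints that never need mTLS; the PR
    text says a server must not do this."""
    needed = endpoints_needing_mtls(metadata)
    return sorted(ep for ep in metadata.get("mtls_endpoint_aliases", {})
                  if ep not in needed)


if __name__ == "__main__":
    # A private_key_jwt client that wants certificate-bound tokens must still
    # go to the alias for the token endpoint, even though it never uses mTLS
    # to authenticate.
    print(resolve_endpoint(AS_METADATA, "token_endpoint", "private_key_jwt", True))
    # Aliases that should not be there according to the PR text.
    print(lint_aliases(AS_METADATA))
```

The lint result depends on the ecosystem: an AS that advertises tls_client_auth legitimately needs a certificate at every authenticated endpoint, so aliases everywhere are correct there, which is why the Brazil question above matters before the stricter wording is adopted.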

6.3.   PR 463 Fixes #653 - Update abbreviated terms

  • PR #463
  • Some abbreviations, such as "AS", have been removed from the main text, so they should also be removed from the list of abbreviations.
  • FAPI 1 still contains AS and RS.
  • Message Signing also needs some updates.
  • Use hyphens consistently.

6.4.   PR 466 Addresses #672 - inconsistent capitalization

  • PR #466
  • We need to check that "client" is always used in the sense of an OAuth client; if so, add it to Terms and Definitions.
  • ISO only allows capitalization at the start of sentences and for proper names.
  • Capitalization of keywords does not translate well to languages without capitalization (e.g. Japanese).
  • Action: add "client" to the definitions.

6.5.   Issue 658

  • Issue #658
  • The draft that defines the algorithm names is not finalized.
  • Brian suggested using general algorithm names instead of specific identifiers.
  • Filip to propose language to account for this.

6.6.   Issue 666 Requiring PAR for authorization code flow

  • #666
  • The spec allows the AS to be used for other purposes as well, so the value should not be required to be set to true.
  • No change needed.

6.7.   Issue 659 No normative statement on id_token encryption

  • #659
  • Clarify that ID token encryption is not required in FAPI 2.0.
  • Joseph will propose the change in the text in the table.

8.   AOB (Nat)

n/a

The meeting adjourned at 14:59.
