FAPI WG Agenda & Meeting Notes (2024-02-07)
- Date & Time: 2024-02-07 14:00 UTC
- Location: https://zoom.us/j/97456084642?pwd=bTRFVzk4ZmlRK1M3bEprRlN5c3JFZz09
Agenda
- 1. Roll Call (Dave)
- 2. Adoption of agenda (Dave)
- 3. Meeting Minutes Using Zoom Start Summary
- 4. Events (Mike L.)
- 5. External Orgs & Liaisons (Mike L.)
- 6. FAPI 2.0 PRs & Issues (Dave)
- 6.1. PR 458 attempt to clarify and improve mtls-everywhere interoperability
- 6.2. PR 468 Add Joseph to the FAPI2 SP & MS authors list
- 6.3. PR 463 Fixes #653 - Update abbreviated terms
- 6.4. PR 466 Addresses #672 - inconsistent capitalization
- 6.5. Issue 658 allow use of a future fully specified JWS algorithm identifier for EdDSA w/ Ed25519
- 6.6. Issue 659 No normative statement on id_token encryption
- 6.7. Issue 658 Inconsistent capitalization of "Client"
- 6.8. Issue 673 Additional author(s) for FAPI2
- 6.9. Issue 665 Reference PAR in 5.3.1.1 (12)
- 6.10. Issue 651 Avoid "should be" and "shall be" where possible
- 6.11. Issue 639 FAPI 2.0 Title Change - Add Part 1, Part 2, etc...
- 7. Other Issues & PRs (Dave)
- 8. AOB (Dave)
The meeting was called to order at 14:05 UTC.
1. Roll Call (Dave)
- Attendees: Filip Skokan, Joseph Heenan, Rifaat Shekh-Yusef, Anoop, Brian Campbell, Dima Postnikov, Dave Tonge, Marcus Almgren, Takahiko Kawasaki, Bjorn Hjelm, Kosuke Koiwai
- Regrets:
2. Adoption of agenda (Dave)
- Adopted as is.
3. Meeting Minutes Using Zoom Start Summary
Mike discussed using Zoom’s Start Summary for WG meeting notes
Will create new roles so recordings and meetings can be accessed by co-hosts
Tends to record incorrect information and misses important information like PR/issue numbers being discussed
Still needs manual review and corrections.
Summaries are not suitable for meeting minutes as is.
4. Events (Mike L.)
4.1. OAuth Security Workshop 2024 (Daniel)
Submissions are open.
Deadline: 11th February for early submissions.
https://oauth.secworkshop.events/osw2024
The next deadline is March 10 for submissions.
4.2. EIC (Joseph)
The call for presentation closes on Jan 31.
Joseph and Daniel have made submissions for FAPI2.
4.3. OpenID Foundation Workshop (Mike)
April 15 @ Google.
Working to confirm logistics with Google.
Will publish and promote announcement and registration as soon as all details are sorted.
4.4. Authenticate 2024
Call for speakers is open from now until March 4, 2024
4.5. IETF 119
https://www.ietf.org/how/meetings/119/
March 16-22, 2024. Brisbane, Australia - Brisbane Convention Centre
Topics:
- SD-JWT
- VC
- Transaction Tokens
- Attestation documents
- CEDAR profile for RAR
- ...
5. External Orgs & Liaisons (Mike L.)
5.1. Brazil (Mike)
Certification team is processing high volume of recertification requests.
5.2. SAMA
Joseph and Mike will have a call tomorrow regarding update on OIDF FAPI2 status and SAMA transition plans to FAPI2
5.3. Security Analysis (Marcus)
Next phase of security analysis
Shared Signals and Grant Management
Would like GM to be as close as possible to final before starting analysis
Plan to start around May - July timeframe
Marcus would like to know if there are any concerns regarding starting analysis on GM ID2
Not sure if there are any implementations of the spec
May change once implementations begin
6. FAPI 2.0 PRs & Issues (Dave)
6.1. PR 458 attempt to clarify and improve mtls-everywhere interoperability
- PR 458 https://bitbucket.org/openid/fapi/pull-requests/458
- Waiting for feedback from Ralph
- Ralph stated that it’s breaking change
- It’s contradicting the AU ConnectID profile spec
- Dima will investigate
- Should not break anything since PR is just rewording current text
- Current text is guidance for client whereas PR is guidance for server
- Will merge next week if no objections
6.2. PR 468 Add Joseph to the FAPI2 SP & MS authors list
- Approved. To be merged.
6.3. PR 463 Fixes #653 - Update abbreviated terms
- PR #463
- Need to change OP to authorization server in FAPI2 specs
6.4. PR 466 Addresses #672 - inconsistent capitalization
- PR #466
- We need to check "client" is always used in the sense of OAuth client and if that is the case, add it to the terms and definition.
- Specs pull definitions from RFC6749 so should not need to redefine terms
6.6. Issue 659 No normative statement on id_token encryption
- #659: Clarify that ID token encryption is not required in FAPI2
- Joseph will propose the change in the text in the table.
- Assigned to Dave
6.8. Issue 673 Additional author(s) for FAPI2
- #673: Issue fixed
- Resolved
6.9. Issue 665 Reference PAR in 5.3.1.1 (12)
- Needs clarification on whether PAR should also be mentioned in the sentence in 5.3.1.1
- “If using DPoP,” => “If using DPoP and PAR,”
- PAR is mandatory so no need to add it
- DPoP explicitly requires PAR authorization code binding
- There are conformance tests waiting for merge
- Clients are not required to use DPoP at the PAR endpoint, but the AS is required to support DPoP at the PAR endpoint
- Related to previously discussed #503
- No need to adjust text
- For ecosystems there is uncertainty in requiring AS to support DPoP at PAR but not requiring clients to support DPoP as it forces AS to implement functionality that will not be used.
- This is a separate issue.
- Should create a new issue if desired.
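The binding discussed above in 6.9, shown as an added illustration that is not part of these minutes or of the FAPI specifications: an authorization server accepts a DPoP proof (or a dpop_jkt parameter) at the PAR endpoint, binds the resulting authorization code to the RFC 7638 thumbprint of the client's key, and enforces that binding at the token endpoint in the manner of RFC 9449 section 10. The class, method names, sample keys and request values are constructed for the example; signature verification of the DPoP proof JWTs is assumed to happen before these functions are called.

```python
"""Added example (not from the minutes or the FAPI specs): binding an authorization
code to a DPoP key via PAR and enforcing it at the token endpoint, following the
approach of RFC 9449 section 10. Assumption: the caller has already verified the
DPoP proof signatures; keys and requests below are constructed sample data."""
import base64
import hashlib
import json
import secrets
from typing import Optional


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


# Members that enter the RFC 7638 thumbprint, per key type; all other members are ignored.
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "OKP": ("crv", "kty", "x"), "RSA": ("e", "kty", "n")}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted by name, no whitespace."""
    required = {k: jwk[k] for k in THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(required, separators=(",", ":"), sort_keys=True)
    return b64url_encode(hashlib.sha256(canonical.encode()).digest())


def make_dpop_proof(jwk: dict, htm: str, htu: str) -> str:
    """Build a DPoP proof JWT with a placeholder signature (constructed sample data only)."""
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk}
    payload = {"jti": secrets.token_urlsafe(12), "htm": htm, "htu": htu, "iat": 1707314400}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    return ".".join(parts + ["sig-placeholder"])


def proof_key_thumbprint(dpop_proof: str) -> str:
    """Thumbprint of the public key carried in the DPoP proof header (signature checked upstream)."""
    header = json.loads(b64url_decode(dpop_proof.split(".")[0]))
    if header.get("typ") != "dpop+jwt":
        raise ValueError("not a DPoP proof JWT")
    return jwk_thumbprint(header["jwk"])


class AuthorizationServer:
    """Hypothetical AS keeping only the state needed for the code binding."""

    def __init__(self):
        self.par_requests = {}  # request_uri -> bound jkt (or None)
        self.codes = {}         # authorization code -> bound jkt (or None)

    def par_endpoint(self, params: dict, dpop_proof: Optional[str] = None) -> dict:
        """FAPI 2 mandates PAR, so the AS must accept a DPoP proof here to bind the code
        to the client's key before the authorization request is ever made."""
        jkt = proof_key_thumbprint(dpop_proof) if dpop_proof else None
        if "dpop_jkt" in params:
            # A dpop_jkt parameter and a DPoP proof must agree on the key.
            if jkt and jkt != params["dpop_jkt"]:
                return {"error": "invalid_dpop_proof", "error_description": "dpop_jkt does not match proof key"}
            jkt = params["dpop_jkt"]
        request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(16)
        self.par_requests[request_uri] = jkt
        return {"request_uri": request_uri, "expires_in": 60}

    def authorize(self, request_uri: str) -> str:
        """Authorization endpoint: the issued code inherits the binding made at PAR."""
        jkt = self.par_requests.pop(request_uri)  # request_uri is single use
        code = secrets.token_urlsafe(24)
        self.codes[code] = jkt
        return code

    def token_endpoint(self, code: str, dpop_proof: Optional[str] = None) -> dict:
        """Enforce the binding: a bound code is only redeemable with a proof from the same key."""
        if code not in self.codes:
            return {"error": "invalid_grant"}
        bound_jkt = self.codes.pop(code)  # codes are single use too
        proof_jkt = proof_key_thumbprint(dpop_proof) if dpop_proof else None
        if bound_jkt is not None and proof_jkt != bound_jkt:
            return {"error": "invalid_grant", "error_description": "code bound to a different DPoP key"}
        if proof_jkt is None:
            # Unbound code, no proof: plain bearer token (FAPI 2 itself would still require
            # sender-constraining via MTLS or DPoP; that check is outside this example).
            return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "DPoP", "cnf": {"jkt": proof_jkt}}


# Constructed sample keys; the coordinate strings are arbitrary base64url values.
KEY_A = {"kty": "EC", "crv": "P-256", "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU", "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
KEY_B = {"kty": "EC", "crv": "P-256", "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4", "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM"}


def run_flow(par_key: dict, token_key: Optional[dict]) -> dict:
    """PAR -> authorize -> token with the given keys; returns the token endpoint response."""
    as_ = AuthorizationServer()
    par = as_.par_endpoint({"client_id": "client-a", "response_type": "code"},
                           make_dpop_proof(par_key, "POST", "https://as.example/par"))
    code = as_.authorize(par["request_uri"])
    proof = make_dpop_proof(token_key, "POST", "https://as.example/token") if token_key else None
    return as_.token_endpoint(code, proof)


if __name__ == "__main__":
    print(run_flow(KEY_A, KEY_A))  # DPoP-bound token
    print(run_flow(KEY_A, KEY_B))  # invalid_grant: different key at the token endpoint
```

The two rejection paths are the ones the discussion turns on: a proof from a different key at the token endpoint, or no proof at all for a code that was bound at PAR, both fail with invalid_grant, while a client that never used DPoP at PAR is unaffected.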
6.10. Issue 651 Avoid "should be" and "shall be" where possible
- #651: 5.7.3 is unclear about who is responsible for the shall requirement
- Further discussion required
6.11. Issue 639 FAPI 2.0 Title Change - Add Part 1, Part 2, etc...
- #651: Add Part number to titles of various FAPI2 specs
- Brian opposed as we may have documents that will not be completed resulting in impression of incompleteness of specs
- Also parts will not be finished at the same time
- Will not do.
- Closed
7. Other Issues & PRs (Dave)
Gail would like feedback on Ander’s email re: EY View of Open Banking
https://lists.openid.net/pipermail/openid-specs-fapi/2024-February/003054.html