
FAPI WG Agenda & Meeting Notes (2024-02-21)

The meeting was called to order at 14:05 UTC.

1.   Roll Call (Dave)

  • Attendees: Nat, Mike, Rifaat, Dima, Joseph, Bjorn, Lucas, Michael, Kosuke
  • Regrets:

3.   Events (Mike L.)

3.1.   OAuth Security Workshop 2024 (Daniel)

April 10 - 12, Rome.

Final call for speakers is open until March 10th. All details here:

https://oauth.secworkshop.events/osw2024

3.3.   OpenID Foundation Workshop (Mike)

April 15, 12:30 - 16:00 @ Google.

Monday, April 15th in Sunnyvale – registration now open

https://openid.net/registration-oidf-workshop-monday-april-15-2024/

3.4.   The OpenID Foundation DCP WG meeting

DCP Working group is hosting a hybrid meeting on Friday, April 19, 2024 after IIW Spring 2024.

The meeting will allow for in-person and virtual participation and will be hosted at Google in Sunnyvale, CA (address and meeting room to be confirmed). Note that registration is only required if you are attending in-person:

https://www.eventbrite.com/e/openid-foundation-dcp-working-group-hybrid-meeting-tickets-841453930357?aff=oddtdtcreator.

Please register if you are planning to participate in-person so we can plan accordingly.

3.6.   Identiverse

May 28 - 30 Las Vegas

OIDF may host working group meetings if there is interest

Mike will reach out to WG chairs

3.7.   IETF 119

https://www.ietf.org/how/meetings/119/ March 16-22, 2024. Brisbane, Australia - Brisbane Convention Centre https://datatracker.ietf.org/meeting/119/agenda

4.   External Orgs & Liaisons (Mike L.)

4.2.   Brazil (Mike)

Certification team is processing a high volume of recertification requests.

Open Insurance recertifications are starting

4.5.   CAMARA Project (Axel)

Identity and Consent Management Special Group is discussing taking part in FAPI 2.0 SP. The meeting is at 16:00.

https://github.com/camaraproject/IdentityAndConsentManagement/issues

This is separate from KYC Group.

5.   FAPI 2.0 PRs & Issues (Dave)

5.4.   #675 - update refs for HTTP Message Signatures & Digest Fields

#675

HTTP Message Signatures and Digest Fields are now RFC 9421 and RFC 9530

Need to update references to the RFCs

Assigned to Dave

5.5.   #632 - Security profile for CAMARA

#632

Camara Identity Consent Management is considering following either the FAPI 2 approach (Camara issue #121) or Mobile Connect (Camara issue #113) as the basis for the Camara OIDC profile

Some Camara members want to copy chunks of OIDC and other specs into their spec instead of specifying which parts of the specs to use or not use. It’s simple right now, but when PKCE and DPoP and others get added, it will get complex

The original presentation to Camara was that the OIDF would be responsible for the profile rather than Camara developing its own. Joseph and Bjorn added their comments to issue 121. Other WG members should weigh in

5.9.   #670 - Use of FAPI with mandatory MTLS

#670

Waiting for feedback from Dima and Ralph

Previous PR canceled

Will need new text

5.10.   #674 - length of nonce tested in OP conformance tests

#674

Conformance tests are using an arbitrary length for the nonce (10 characters)

Some implementations use longer values

Filip suggested 64 for nonce

Current certified servers may not pass new tests

Recommend specific length instead

Other tests also issue warnings where spec is not clear

Preference is to be explicit in specs if warnings are issued

5.11.   #570 - Deprecation & removal of FAPI 1 Implementer's Draft conformance certification tests/programme

#570

OBIE has agreed to deprecating ID2 by the end of the year and will move to FAPI1 Final

Will mark ID2 conformance tests as deprecated in the front-end and will delete at the end of the year

Issue closed

5.12.   #660 - Define requirements for OpenAPI FAPI securityScheme type

#660

Ask Lucas what action to take with regard to OAI

Camara project defines their spec in OAI standards so it may be easier for Camara to adopt FAPI

5.13.   #630 - Android Carrier OpenID API

#630

Replica of MODRNA WG issue #215

Will leave open and wait to see if it’s still relevant

Bjorn will reach out to Axel

5.14.   #638 - Add some more text to Introduction

#638

Introduce FAPI 2.0 as comprising the Attacker Model, Message Signing and Security Profile

Second part of PR might be addressed by the Attacker Model

Nat will confirm

Brian is opposed to “supposed to be used in conjunction with OIDC” - not helpful

Which Session management spec to use is unknown

Purpose is to list the assumptions of the security analysis in order to set realistic expectations

Maybe copy text from Attacker Model

Dima suggested changing wording to “end-user authentication session management are out of scope”

Nat will create revised wording

Dima suggested also mentioning FAPI2 Trust Framework

Brian suggested adding wording that end-user authentication/session management is assumed to be done correctly

Listing documents in FAPI 2.0 is problematic because they are changing and some have not progressed

Should list them in a living document instead of the specification

6.   AOB (Dave)

n/a

The meeting adjourned at 15:04.
