FAPI WG Agenda & Meeting Notes (2024-02-21)
- Date & Time: 2024-02-21 14:00 UTC
- Location: https://zoom.us/j/97456084642?pwd=bTRFVzk4ZmlRK1M3bEprRlN5c3JFZz09
Agenda
- 1. Roll Call (Dave)
- 2. Adoption of agenda (Dave)
- 3. Events (Mike L.)
- 4. External Orgs & Liaisons (Mike L.)
- 5. FAPI 2.0 PRs & Issues (Dave)
- 5.1. PR #438 - attempt to clarify code phishing attack in fapi1
- 5.2. PR #472 - remove keyword can from note
- 5.3. PR #463 - Fixes #653 - Update abbreviated terms
- 5.4. #675 - update refs for HTTP Message Signatures & Digest Fields
- 5.5. #632 - Security profile for CAMARA
- 5.6. #646 - NOTE in 5.2.1 has "can"
- 5.7. #652 - CIBA is not in bibliography nor abbreviations
- 5.8. #653 - Add MTLS and DPoP etc. to 4. Abbreviations
- 5.9. #670 - Use of FAPI with mandatory MTLS
- 5.10. #674 - length of nonce tested in OP conformance tests
- 5.11. #570 - Deprecation & removal of FAPI 1 Implementer's Draft conformance certification tests/programme
- 5.12. #660 - Define requirements for OpenAPI FAPI securityScheme type
- 5.13. #630 - Android Carrier OpenID API
- 5.14. #638 - Add some more text to Introduction
- 5.15. #565 - Add privacy consideration
- 6. AOB (Dave)
The meeting was called to order at 14:05 UTC.
1. Roll Call (Dave)
- Attendees: Nat, Mike, Rifaat, Dima, Joseph, Bjorn, Lucas, Michael, Kosuke
- Regrets:
2. Adoption of agenda (Dave)
- Adopted as is.
3. Events (Mike L.)
3.1. OAuth Security Workshop 2024 (Daniel)
April 10 - 12, Rome.
Final call for speakers is open until March 10th. All details here:
3.3. OpenID Foundation Workshop (Mike)
April 15, 12:30 - 16:00 @ Google.
Monday, April 15th in Sunnyvale – registration now open
https://openid.net/registration-oidf-workshop-monday-april-15-2024/
3.4. The OpenID Foundation DCP WG meeting
DCP Working group is hosting a hybrid meeting on Friday, April 19, 2024 after IIW Spring 2024.
The meeting will allow for in-person and virtual participation and will be hosted at Google in Sunnyvale, CA (address and meeting room to be confirmed). Note that registration is only required if you are attending in-person:
Please register if you are planning to participate in-person so we can plan accordingly.
3.5. Authenticate 2024
Call for speakers is open from now until March 4, 2024
https://authenticatecon.com/authenticate-2024-call-for-speakers/
3.6. Identiverse
May 28 - 30 Las Vegas
OIDF may host working group meetings if there is interest
Mike will reach out to WG chairs
3.7. IETF 119
March 16-22, 2024, Brisbane, Australia - Brisbane Convention Centre
https://www.ietf.org/how/meetings/119/
https://datatracker.ietf.org/meeting/119/agenda
4. External Orgs & Liaisons (Mike L.)
4.1. Berlin Group
Anders sent updates regarding openFinance - Workplan 2024
https://lists.openid.net/pipermail/openid-specs-fapi/2024-February/003062.html
4.2. Brazil (Mike)
The certification team is processing a high volume of recertification requests.
Open Insurance recertifications are starting
4.5. CAMARA Project (Axel)
Identity and Consent Management Special Group is discussing taking part in FAPI 2.0 SP. The meeting is at 16:00.
https://github.com/camaraproject/IdentityAndConsentManagement/issues
This is separate from the KYC Group.
5. FAPI 2.0 PRs & Issues (Dave)
5.1. PR #438 - attempt to clarify code phishing attack in fapi1
Joseph will compare with wording from FAPI2
5.4. #675 - update refs for HTTP Message Signatures & Digest Fields
HTTP Message Signatures and Digest Fields are now RFC 9421 and RFC 9530
Need to update references to the RFCs
Assigned to Dave
5.5. #632 - Security profile for CAMARA
Camara Identity Consent Management is considering following the FAPI 2 approach (Camara issue #121) or Mobile Connect (Camara issue #113) as the basis for the Camara OIDC profile.
Some Camara members want to copy chunks of OIDC and other specs into their spec instead of specifying which parts of the specs to use or not use. It is simple right now, but when PKCE, DPoP and others get added, it will get complex.
The original presentation to Camara was that the OIDF would be responsible for the profile rather than Camara developing its own. Joseph and Bjorn added their comments to issue 121; other WG members should weigh in.
5.9. #670 - Use of FAPI with mandatory MTLS
Waiting for feedback from Dima and Ralph
Previous PR canceled
Will need new text
5.10. #674 - length of nonce tested in OP conformance tests
Conformance tests are using an arbitrary length for the nonce (10 characters)
Some implementations use longer values
Filip suggested 64 for the nonce
Currently certified servers may not pass new tests
Recommend a specific length instead
Other tests also issue warnings where the spec is not clear
The preference is to be explicit in the specs if warnings are issued
5.11. #570 - Deprecation & removal of FAPI 1 Implementer's Draft conformance certification tests/programme
OBIE has agreed to deprecating ID2 by the end of the year and will move to FAPI 1 Final
Will mark ID2 conformance tests as deprecated in the front-end and will delete at the end of the year
Issue closed
5.12. #660 - Define requirements for OpenAPI FAPI securityScheme type
Ask Lucas what action to take with regard to OAI
The Camara project defines its spec using OAI standards, so it may be easier for Camara to adopt FAPI
5.13. #630 - Android Carrier OpenID API
Replica of MODRNA WG issue #215
Will leave open and wait to see if it’s still relevant
Bjorn will reach out to Axel
5.14. #638 - Add some more text to Introduction
Introduce FAPI 2.0 as comprising the Attacker Model, Message Signing and Security Profile
Second part of PR might be addressed by the Attacker Model
Nat will confirm
Brian is opposed to “supposed to be used in conjunction with OIDC” - not helpful
Which Session management spec to use is unknown
The purpose is to list the assumptions of the security analysis so that expectations are realistic
Maybe copy text from Attacker Model
Dima suggested changing wording to “end-user authentication session management are out of scope”
Nat will revise the wording
Dima suggested also mentioning FAPI2 Trust Framework
Brian suggested adding wording that end-user authentication/session management is assumed to be done correctly
Listing documents in FAPI 2.0 is problematic because they are changing and some have not progressed
Should list them in a living document instead of the specification
Updated