
fapi / FAPI_Meeting_Notes_2024-03-27_Atlantic

FAPI WG Agenda & Meeting Notes (2024-03-27)

The meeting was called to order at 14:05 UTC.

1.   Roll Call (Dave)

  • Attendees: Mike Leszcz, Nat Sakimura, Peter Wallach, Robert Gallagher, Filip Skokan, Marko Milich, Peter Stanley, Daniel Fett, Jacob Ideskog, Kosuke Koiwai, Takahiko Kawasaki, Dave Tonge, Dima Postnikov, Gail Hodges, Bjorn Hjelm
  • Regrets:

2.   Adoption of agenda (Dave)

  • nonce
  • CIBA and Decoupled Flow

3.   Events (Mike L.)

3.1.   OAuth Security Workshop

Rome, April 10-12

All details here: https://oauth.secworkshop.events/osw2024

The certification team is meeting on Monday and Tuesday.

The Tuesday meeting will discuss certification for the Federation spec with the Federation editors.

May also discuss ConnectID with Dima.

3.2.   OIDF Workshop at Google

Monday, April 15th in Sunnyvale. Registration is now open and required: https://openid.net/registration-oidf-workshop-monday-april-15-2024/

3.3.   The OpenID Foundation DCP working group

WG is hosting a hybrid meeting on Friday, April 19, 2024 after IIW Spring 2024. The meeting will allow for in-person and virtual participation and will be hosted at Google in Sunnyvale, CA (address and meeting room to be confirmed).

Note that registration is only required if you are attending in-person:

https://www.eventbrite.com/e/openid-foundation-dcp-working-group-hybrid-meeting-tickets-841453930357?aff=oddtdtcreator.

Please register if you are planning to participate in-person so we can plan accordingly.

3.4.   Identiverse

May 28-31, Las Vegas

OIDF has a meeting room available for the duration of the event.

Any working group wanting to hold a F2F meeting should contact Mike Leszcz to coordinate.

FAPI WG will hold a F2F meeting.

The Identiverse agenda has been announced on the website.

3.5.   EIC

Berlin, bcc Berlin Congress Center

June 4 - 7, 2024

https://www.kuppingercole.com/events/eic2024

3.6.   OIDC Calendar

OIDF calendar on website is current: https://openid.net/calendar/

4.   External Orgs & Liaisons (Mike L.)

4.1.   EU Large Scale Pilot

The Large Scale Pilot Potential will hold an event on April 3, 2024 at 1500 CET to brief on the interop event, which the OIDF DCP WG and certification team are supporting for OID4VP / OID4VCI.

Still accepting participants, but an Excel form will be needed.

Details available at https://lists.openid.net/pipermail/openid-specs-digital-credentials-protocols/Week-of-Mon-20240325/000231.html

4.2.   ISO PAS Spec Process

Working on progressing the publicly available specs (PAS) process for FAPI 1 and 2.

Need someone to contract for the work to prepare reports for the ISO process.

Interested parties contact Gail.

https://lists.openid.net/pipermail/openid-specs-fapi/2024-March/003077.html

4.3.   OF & OPIN Brasil

Continuing to process a high volume of Brazil OF and OPIN recertification requests.

4.4.   UAE

Received initial specs for security and authorization standards.

Joseph and Mike will discuss them.

Will connect with the Raidiam and Ozone teams after reviewing them.

Will provide an update at the April 15 board meeting at Google.

4.5.   Certification Program

There is no DPoP certification available for FAPI 2.0 to date.

Will provide an update on the mailing list.

The certification team is looking for a Java developer to join the team.

https://openid.net/certification-program-recruiting-java-developer/

Interested parties should contact Mike or Joseph

4.6.   ISO/IEC JTC 1/SC 27/WG 5

  • Liaison statement is to be sent.
  • Information about FAPI 2 being close to final. The FAPI 2.0 drafts themselves weren’t sent because of their draft status, but links to them have been sent.
  • Also mentioned that it is being adopted in some jurisdictions, with a growing number of implementations and certifications.

4.7.   CIBA and Decoupled Flow (Jacob)

Some banks, especially in Sweden, are changing the way they allow sessions to be started for authentication using BankID, in order to mitigate fraud.

Many TPPs have used decoupled flows in their apps to integrate with the banks using CIBA.

Authentication request IDs and tokens can be, and frequently are, phished.

This is being restricted by the eID vendor, so the auto start token needs to be presented to the TPP.

There is no way to communicate this using CIBA without breaking the standard.

Need ways to mitigate this.

Need some way for CIBA to communicate the token to the client.

Starting an app is outside the scope of the spec.

Could possibly send a nonce or other information from the TPP app to CIBA to put into the authentication request.

Will file an issue for discussion.

PSD2 is vague on the decoupled flow.

It would be good to add the app-to-app recommendation to the Implementation Guidelines doc.

5.   PRs (Dave)

5.1.   481 - add requirement for PKCE challenge

https://bitbucket.org/openid/fapi/pull-requests/481

Related to #682 - Clarify allowed use of state and required CSRF protection in FAPI 2.0 SP

shall generate the PKCE challenge specifically for each authorization request and securely bind the challenge to the client and the user agent in which the flow was started
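The requirement text above is a profile rule, not code. As an added illustration (not part of the meeting notes, PR 481, or any WG deliverable), the following Python sketch shows what "specifically for each authorization request" and "securely bind the challenge to the client and the user agent" look like on the client side, together with the S256 check the authorization server performs at the token endpoint. The store, class and method names are hypothetical; the binding mechanism assumed here is an opaque server-side session id that the client sets as a cookie in the user agent that started the flow.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 uses for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_pkce_pair() -> Tuple[str, str]:
    """Fresh code_verifier (43 chars from 32 random bytes) and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_s256(code_challenge: str, code_verifier: str) -> bool:
    """Authorization-server side: recompute S256(code_verifier) and compare in constant time."""
    expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, code_challenge)


@dataclass
class PendingAuthorization:
    client_id: str
    code_verifier: str
    code_challenge: str


class ClientPkceStore:
    """Hypothetical client-side (RP/TPP) store of pending authorization requests.

    Each entry is keyed by an opaque session id that the client sets as a cookie
    (HttpOnly, Secure, SameSite) in the user agent that started the flow. The
    code_verifier is released exactly once, and only to the user agent holding
    that cookie and the client that created the entry; any mismatch burns it.
    """

    def __init__(self) -> None:
        self._pending: Dict[str, PendingAuthorization] = {}

    def start_authorization(self, client_id: str) -> Tuple[str, str]:
        """Create a fresh PKCE pair for this one request; return (session_id, code_challenge)."""
        session_id = b64url(secrets.token_bytes(32))
        verifier, challenge = new_pkce_pair()
        self._pending[session_id] = PendingAuthorization(client_id, verifier, challenge)
        return session_id, challenge

    def redeem_code_verifier(self, session_id: str, client_id: str) -> Optional[str]:
        """On the redirect back, release the verifier once to the same user agent
        (session cookie) and the same client. Anything else gets None."""
        pending = self._pending.pop(session_id, None)
        if pending is None:
            return None
        if not hmac.compare_digest(pending.client_id.encode(), client_id.encode()):
            return None
        return pending.code_verifier


if __name__ == "__main__":
    store = ClientPkceStore()
    sid, challenge = store.start_authorization("tpp-1")   # sent as code_challenge=...&code_challenge_method=S256
    verifier = store.redeem_code_verifier(sid, "tpp-1")   # user agent returns with the session cookie
    print("token endpoint accepts code_verifier:", verify_s256(challenge, verifier))
    print("replay of the same session is refused:", store.redeem_code_verifier(sid, "tpp-1") is None)
```

Two consecutive `start_authorization` calls for the same client yield different challenges, which is the per-request property; a verifier never leaves the store for a session id or client id other than the one it was created under, which is the binding property.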

5.3.   475 - First draft for MTLS ecosystems

https://bitbucket.org/openid/fapi/pull-requests/475

Dima reviewed the feedback.

Need to check with Joseph to standardize the response to Ralph.

6.   Issues (Dave)

6.1.   nonce discussion (Peter)

https://bitbucket.org/openid/fapi/issues/674/length-of-nonce-tested-in-op-conformance

Peter discussed the proposed state and nonce values with TDA in the UK.

Received feedback regarding the use of a JWT as the state value and whether a length of 512 is enough.

Lengths up to 512 must be accepted; longer values may be rejected.

Not enough to support JWT values, especially with RSA signatures.

Some security platforms may have limits on value lengths.

Defining an arbitrary length is pointless and may cause more harm.

The conformance suite tests for lengths, but would like the tests to be backed by normative text.

The tests currently issue a warning, but guidance is wanted to aid implementations and ecosystems.

Need further discussion and feedback

Merged PRs for state and nonce value length:

  • https://bitbucket.org/openid/fapi/pull-requests/481
  • https://bitbucket.org/openid/fapi/pull-requests/474
  • https://bitbucket.org/openid/fapi/pull-requests/476
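To make the numbers in the nonce discussion concrete, here is an added example (not part of the meeting notes, the conformance suite, or any WG deliverable). It models the OP-side admission check implied by "lengths up to 512 must be accepted, longer values may be rejected", a client-side opaque generator, and the length arithmetic behind "not enough to support JWT values, especially with RSA signatures": a compact JWS with an RSA-2048 signature carries 342 base64url characters of signature alone, while a P-256 ECDSA signature carries 86. The claims and the function names are constructed for this illustration; the signatures are zero-filled placeholders because only their length matters here.

```python
import base64
import json
import secrets
from typing import Dict

# Minimum length an OP must accept for state and nonce values (from the merged PRs).
MIN_ACCEPTED_LENGTH = 512


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in compact JWS and for opaque tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def is_acceptable_length(value: str, op_limit: int = MIN_ACCEPTED_LENGTH) -> bool:
    """OP-side admission check for a state or nonce value.

    An OP may configure a limit above 512 but never below it; values at or below
    the limit are accepted, longer ones may be rejected (e.g. with invalid_request).
    """
    if op_limit < MIN_ACCEPTED_LENGTH:
        raise ValueError("an OP limit below 512 would reject values it must accept")
    return 0 < len(value) <= op_limit


def new_opaque_value(nbytes: int = 32) -> str:
    """Client-side: an unguessable, opaque state or nonce (43 chars for 32 bytes)."""
    return b64url(secrets.token_bytes(nbytes))


def compact_jws_length(header: Dict, payload: Dict, signature_bytes: int) -> int:
    """Length of a compact JWS carrying these claims with a signature of the given
    byte size. The signature is a zero-filled placeholder, not a real signature."""
    h = b64url(json.dumps(header, separators=(",", ":")).encode())
    p = b64url(json.dumps(payload, separators=(",", ":")).encode())
    s = b64url(bytes(signature_bytes))
    return len(f"{h}.{p}.{s}")


# Constructed sample: the kind of claims a TPP might pack into a JWT-valued state.
SAMPLE_STATE_CLAIMS = {
    "iss": "https://tpp.example/",
    "aud": "https://as.example/",
    "iat": 1711548300,
    "exp": 1711548900,
    "jti": "j" * 43,   # stands in for an opaque per-request id
    "sid": "s" * 43,   # stands in for an opaque browser session id
}


def jwt_state_lengths(claims: Dict = SAMPLE_STATE_CLAIMS) -> Dict[str, int]:
    """Same claims, signed with RSA-2048 (256-byte signature) vs P-256 ECDSA (64-byte r||s)."""
    return {
        "RS256": compact_jws_length({"alg": "RS256"}, claims, 256),
        "ES256": compact_jws_length({"alg": "ES256"}, claims, 64),
    }


if __name__ == "__main__":
    for alg, length in jwt_state_lengths().items():
        verdict = "fits" if is_acceptable_length("x" * length) else "exceeds"
        print(f"{alg}: {length} chars, {verdict} the 512-char minimum an OP must accept")
    print("opaque state:", len(new_opaque_value()), "chars")
```

With these sample claims the RS256 variant is over 512 characters while the ES256 variant is well under it, which is the practical reason the discussion singled out RSA-signed JWTs; an opaque 43-character value sits far below any limit under consideration.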

7.   AOB (Nat)

n/a

The meeting adjourned at 15:04.
