
FAPI WG Agenda & Meeting Notes (2024-07-10)

The meeting was called to order at 14:04 UTC.

1.   Roll Call (Nat)

  • Attendees: Nat Sakimura (Chair), Kosuke Koiwai, Robert Gallagher, Lukasz Jaromin, Mike Leszcz, Marko Milich, Chris Wood, Brian Campbell, Mark Andrus, Hideki Ikeda, Dima Postnikov, Elizabeth Garber
  • Regrets: Dave Tonge

3.   Events (Mike L.)

3.1.   OIDF Workshop

Monday, October 28, probably at Cisco

Details to follow

3.2.   Working Group Meetings

Monday morning and Friday during the IIW week.

WGs that want to hold hybrid meetings should contact Mike Leszcz.

Mike will notify WG of the deadline for requests

3.3.   IETF

July 20 - 26.

3.4.   2025 Events

Planning for 2025 events and update of OIDF calendar

Send 2025 events information to mike.leszcz@oidf.org

3.5.   OIDF calendar

OIDF calendar on website is current: https://openid.net/calendar/

4.   External Orgs & Liaisons (Mike L.)

4.1.   CFPB

Gail, Joseph, and Elizabeth met with CFPB last week for standard setting organization pre-filing meeting.

CFPB understood challenges regarding interoperability and security implications

Impression is that CFPB would like OIDF to apply as a standard setting organization (SSO).

The draft rule does not limit the breadth or depth of what an SSO needs to do.

Gail highlighted the foundation’s concern around risks of a technical body becoming a regulated entity. CFPB has acknowledged the concern.

Gail noted that we can apply in such a way as to avert such concerns.

Tom Smedinghoff (OIDF counsel) is involved to ensure there are no issues.

Follow-up meeting on July 15 to complete pre-filing discussion and emphasize certification

Overall, positive impression

4.2.   Canada

Gail, Joseph, and Mike had call with Open Banking Canada team yesterday

Current public guidance is to have a single standards body unlike CFPB

Will make introduction to Elcio Calefi (OIDF board) from Chicago Advisory Partners to learn more about Brazil’s approach

Joseph clarified that Canada wants a single standard, not necessarily a single standards body

4.3.   Chile

  • Coordinating outreach workshop. Details to be shared.

4.4.   UAE

  • UAE profile getting firmed up
  • Joseph and Domingos are completing the scoping for the development of the UAE profile

4.5.   Swiss Open Banking

  • Intro Meeting scheduled for this Friday with SFTI

5.   Review of PRs and Issues

5.1.   PR 493 - typ in request objects

PR #493

Text looks reasonable

Concern that readers might take the text to permit rejecting request objects with an empty (absent) typ or with other correct typ values

Will be merged

Need guidance for FAPI1 - Joseph will create issue
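As an added illustration of the concern raised on PR 493 (this is example code written for these notes, not text or code from the FAPI specifications or the PR), the check below inspects only the JOSE header of a JWT-secured authorization request (JAR, RFC 9101) and accepts a request object whose typ header is absent. It assumes that the one explicitly permitted media type is the RFC 9101 registered value oauth-authz-req+jwt, and it applies the RFC 7515 comparison rules for typ (the application/ prefix may be omitted and the comparison is case-insensitive). The sample request objects are constructed inline and carry a placeholder signature; signature verification is out of scope here.

```python
import base64
import json

# Assumption for this example: the only explicitly permitted request-object
# media type is the RFC 9101 registered value. An absent typ is accepted.
ACCEPTED_TYP = {"oauth-authz-req+jwt"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JOSE strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def normalize_typ(typ: str) -> str:
    """RFC 7515 section 4.1.9: the 'application/' prefix may be omitted and
    media type names are compared case-insensitively."""
    typ = typ.strip().lower()
    if typ.startswith("application/"):
        typ = typ[len("application/"):]
    return typ


def check_request_object_typ(jar: str) -> tuple[bool, str]:
    """Return (accept, reason) based only on the typ header.

    An absent typ is not a reason to reject; only a typ that is present and
    names some other media type is rejected.
    """
    parts = jar.split(".")
    if len(parts) != 3:
        return False, "not a compact JWS"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        return False, "unparseable JOSE header"
    if "typ" not in header:
        return True, "typ absent: not a reason to reject"
    if not isinstance(header["typ"], str):
        return False, "typ is not a string"
    if normalize_typ(header["typ"]) in ACCEPTED_TYP:
        return True, f"typ {header['typ']!r} accepted"
    return False, f"typ {header['typ']!r} is not a request object media type"


def make_jar(header: dict) -> str:
    """Build a constructed compact JWS for the demo (sample data, not a real
    client's request). The signature segment is a placeholder and is never
    verified by this example."""
    payload = {"iss": "client-123", "aud": "https://as.example", "response_type": "code"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


if __name__ == "__main__":
    samples = {
        "no typ": {"alg": "PS256", "kid": "k1"},
        "registered typ": {"alg": "PS256", "typ": "oauth-authz-req+jwt"},
        "full media type": {"alg": "PS256", "typ": "application/OAuth-Authz-Req+JWT"},
        "wrong typ": {"alg": "PS256", "typ": "at+jwt"},
    }
    for name, hdr in samples.items():
        print(f"{name:16s} -> {check_request_object_typ(make_jar(hdr))}")
```

The first three samples are accepted and only the last is rejected; a server that rejected the first sample would be doing exactly what the PR discussion worried readers might infer is allowed.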

5.2.   PR 496 - remove grant management and other non final specs

PR #496

Text is out of sync with current version

Will notify Dave to update

5.4.   PR 503 - client impersonation

PR #503 Looks good, needs more review

5.5.   PR 504 (CORS wording):

PR #504 Approved pending no objections

5.6.   PR 499 - Fixes #637 FAPI1 hanging paragraphs

PR #499

New clause numbers need to be added to eliminate the hanging paragraphs, as required by the ISO directives

Joseph suggested using 5.2.2.0 as the new clause number to avoid renumbering the other clauses, although this creates an inconsistent numbering style

Renumbering may affect the security analysis text

Nat will confirm whether there is any effect

The spec will be submitted as an ISO PAS, so there may be some leeway

Renumbering may have implications for other entities/publications that reference specific parts of the specs

Adding the new clause number lowers the risk of rejection by ISO

Will update to 5.2.2.0 to avoid renumbering other clauses

Nat will check clause numbers in FAPI2

5.7.   PR 506 - Fixes #700 - Remove the list of four ciphers for TLS 1.2 and move to BCP195

PR #506

Looks good

There is a possibility that two additional ciphers become permitted, which clients might not support

The conformance tests could discourage the new ciphers

5.8.   PR 507 - FAPI-CIBA - Removes the list of four ciphers for TLS 1.2 and move to BCP195

PR #507

Joseph would like keep text consistent to what is in FAPI 2

Created #703 - Tweaks to BCP195 language

Need to update text from “latest version of BCP195” to “BCP195”

5.9.   Issue 702: Normative text within security considerations

Issue #702

Discussed moving normative requirements out of security considerations section

  • For 6.4, it was proposed to move to subclause 5.4.
  • For 6.3, probably the same place.

5.10.   Issue 704 - Consider recommendations from Cyber Safety Review Board report

Issue #704

The report came out of the US government as a result of the summer 2023 Microsoft Exchange Online intrusion

https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf

The attacker obtained private keys used to sign access/refresh tokens and used them to gain access to accounts

The report specifically asks OIDF to take action in Recommendations 11, 12 and 13, e.g. develop/update profiles regarding key rotation, key scope and credential linking

FAPI2 does not mention key scopes

Rotation is only mentioned for refresh tokens not keys

Need to review document for further discussions

5.11.   Issue 696

Issue #696 Need to update link to formal analysis for FAPI 2.0

5.12.   Issue 684 Message Signing Discussion

Issue #684

  • Debated how to address interoperability issues with content type headers for JARs
  • Need to balance compatibility with existing implementations vs. promoting best practices
  • No clear resolution - Filip requested more input on PR 493, especially from Joseph

6.   Action Items

  • Nat to send out vote on refresh token rotation options to mailing list
  • Joseph to review and provide input on PR 493 (message signing)
  • Need volunteer to create PR for moving normative requirements from security considerations (Issue 702)
  • Update link to formal analysis for FAPI 2.0 (Issue 696)

7.   AOB

  • No other business raised

The meeting adjourned at 14:56 UTC.