[Openid-specs-fapi] Informal meeting note (2016-08-02)

Nat Sakimura nat at sakimura.org
Wed Aug 3 01:25:00 UTC 2016


A few of us had an informal meeting today. 

The meeting note is uploaded at

Below is the text copy but the above link has hyperlinks to the issues
and sources so if you are on the internet, following the above links
should make your life easier. 



FAPI WG Informal Meeting Note (2016-08-02)
Date & Time: 2016-08-02 23:00 UTC - 00:10 UTC
Location: GoToMeeting 
Attendees: Nat, Nov, Edmund 

Since the meeting invitation was not sent 
 to the list, this meeting is informal. 

1. Meeting notification and WG Page
2. New & Open Issues
3. AOB 

1. Meeting notification and WG Page
Nat apologized that as he did not send the meeting 
invitation properly to the list, this meeting is 

Edmund pointed out that the meeting URL is 
not properly put at the [WG page](https://openid.net/wg/fapi) that 
one has to dig into the meeting calendar to 
find the link. 

Nat updated the WG page on the fly and 
promised to send out the meeting invitation after the call. 

2. New & Open Issues
In the call, participants discussed the following issues 
listed in the [issue tracker](https://bitbucket.org/openid/fapi/issues) 

* issue #2: Accounts: Total Pages and Page does not make sense
* issue #4: Remove MessageFormat and references to it
* issue #7: Add "Open Data" data set
* issue #8: Should hard coded paths be avoided
* issue #10: Internationalization of strings
* issue #11: OAuth Profile should mandate RFC7636 (PKCE) for code flow
* issue #12: OAuth Profile should mandate per AS redirect URI for
Clients with session comparison
* issue #13: TLS 1.0 should be banned
* issue #14: Allowed Redirection Client URI is not a defined term
* issue #15: Client Authentication, not Client Authorization
* issue #16: Client Authentication -- Do we need TLS mutual
* issue #17: Incomplete sentence "In line with FFIEC (Federal Financial
Institutions Examination Council) guidance on Authentication to mitigate
security risks."
* issue #18: "Authorization token" is not a defined term in RFC6749
* issue #19: Remove or Improve OAuth Interactions Diagram
* issue #20: Meaning of the Surrogate Identifier Clause not clear
* issue #21: Residual Data clause should be generalized and moved to
privacy considerations
* issue #22: Undefined OAuth response parameter `user_id` appears in the
* issue #23: How do I find AccountID to use in transfer? 

The discussion results are recorded in each issue tickets. 
As far as the terminology is concerned, it was prevalent among the
that OAuth term should be used instead of creating something else. 

Some of the issue was related to the ambiguity etc. of 
the DDA spec that we are basing on. These (#17, #20, #22) was 
assigned to Anoop. 

3. AOB
Nat asked the participants to review the Editor's comments added 
to [Financial_API_WD_000.md](Financial_API_WD_000.md) 

Call adjourned at 00:14 UTC. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20160803/6da374f3/attachment-0001.html>

More information about the Openid-specs-fapi mailing list