[Openid-specs-fapi] (Draft) FAPI WG Meeting Notes (2016-09-20)

Nat Sakimura nat at sakimura.org
Tue Sep 27 01:55:32 UTC 2016


Sorry to have taken so long to produce this note.

As usual, the linked and pretty printed version is available here:

Feedback/Correction/etc. are sought.



FAPI WG Meeting Notes (2016-09-20)
Date & Time: 2016-09-20 23:00 UTC
(16:00 PDT, 00:00+1d UK, 01:00+1d Denmark, 08:00+1d JST)
Location: GoToMeeting https://global.gotomeeting.com/join/321819862

1.   Roll Call
2.   Adoption of the Agenda
3.   External Org Relationships
3.1.   UK Implementation Entity (Dave)
3.2.   EBA Consultation (Dave)
3.3.   Federal Reserve of Minnesota (John)
3.4.   OFX (Anoop, Nat)
4.   Working Draft 01
4.1.   Review Results (John)
5.   Issues
5.1.   #16 Client Authentication (John)
5.2.   #29 Draft Split (Nat)
5.3.   #28 International names for retirement savings account names 
5.4.   #30 Hanging Paragraph in 5.2 (Nat)
5.5.   #31 5.2 - te - More fine grained scope needed (Nat)
6.   Events
6.1.   Pre-IIW (John)
6.2.   Pre-IETF (Nat)
7.   AOB
7.1.   How to communicate back the partial errors to the client (Anoop)
7.2.   Next Call
The meeting was called to order at 14:05 UTC.

1.   Roll Call
Present: Nat, John, Dave, Edmund, Henrik, Anoop, Ryan
Regrets: Sascha
Guest: Eric @ Plaid.

2.   Adoption of the Agenda
OIX added.

3.   External Org Relationships
3.1.   UK Implementation Entity (Dave)
Fdata <http://fdata.org.uk/>is the main voice of fintech community while 
IE is top 9 banks.

They are making subgroups on standard, data, infrastructure.

Dave was in their meeting yesterday and presented verbally in addition 
to the liaison letter that FAPI WG is working internationally to create 
an international standard, and about its expertise.

Hopefully, IE can make the liaison relationship more official in their 
advisory board or/and different working group.

Continue to update the group.

Split of the current draft into security and data scheme would be useful 
as different WGs will be looking at separate aspects.

John was talking to the UK Cabinet office and eIDAS making aware of FAPI 
given their involvement in iGov.
Given the acceptance of OpenID Connect in the commercial sector, they 
will shift to it from SAML in the long run.
They understand that IE liaising with us and try to get on the same page 
on OAuth and Connect will be beneficial.
Hopefully, this will influence IE as well.

3.2.   EBA Consultation (Dave)
Dave has started the draft at 

 From FAPI point of view, it would be wise to limit some of the answers 
and concentrate on the topics that we can add the most value.
Q.7 and Q.8 Common and secure open standards communication
Work in progress draft, will fresh out and send it out to the list.

We still have two to three weeks before we send it out.

NOTE: UK IE is set up as a response to different legislation (CMA), but 
the view of the room is that whatever the standard they create will be 
in-line with the guidance from EBA.

EBA consultation put some arbitrary limits such as they want "strong 
customer authentication once a month".
 From FAPI point of view, we probably do not want such an arbitrary limit 
on the refresh token.
Note: mix up authentication and authorization quite a bit.
It is also related to eIDAS.

Collaborative editing welcome.

Once it is in a good shape, Dave will send it around for the final 

WG members are invited for collaborative editing.
Dave to send out the final draft to the WG for review when it is ready.

3.3.   Federal Reserve of Minnesota (John)
No updates on Minnesota.
Neither John nor Paul has heard about it.
Will try to follow up after this week's conference is over.

3.4.   OFX (Anoop, Nat)
We had an enquiry about the membership (of WG or OIDF) from them to the 
chair's list and will have the first call in half an hour.
Expect that it will be the introductions of each other. Real discussion 
probably will sart next week.
Intuit is participating in OFX as well. Intuit and Microsoft are some of 
the founding members.

OFX went quiet for sometime but re-invigorated lately.

About 6 to 8 months back, DDA OAuth based implementation came out.

Some of the banks felt that they already have big OFX infrastructure and 
replacing it new with REST based service is a big investment -> can we 
update the OFX specs to include a token based aggregation of data.
First bank to pick it up was the Chase Bank (about 6 to 8 months ago).
Implemented OAuth and OFX.
They defined spec in such a way that token can be any token (OpenID 
Connect, OAuth, JWT, etc.)

It is not REST based nor JSON based. It is SOAPy, that it has special 
header in XML. Does not comply with any REST based principles.

Specification can be downloaded from http://ofx.net/downloads.html

Many of the banks that Anoop talked to except Chase Bank wanted to 
remove the complexity from the implementation of that kind of APIs and 
one of the reason for DDA got traction in FS-ISAC was the complexity of 

Nat pointed out that in other industries, the XML/SOAP paradigm became 
so out of fashion that Nat and John had to start creating signature 
format standard for JSON from scratch instead of relying on XML DSig.

Anoop pointed out that more and broader participation would be good 
especially if they can contribute and adopt the standard.

4.   Working Draft 01
WD1 Financial Services – Financial API - Part 1: Read Only APIs

4.1.   Review Results (John)
The text in clause 6 is good but we should leave TLS option as well.

Problem is that there is no good reference document to point to.

John talked to Brian that perhaps he can start drafting an IETF 
It will be a small document.
Nat pointed out that IETF process will take a long time while we want to 
publish at least the security section of FAPI specs early as we have 
challenging timeline that we may want to include the text in the initial 
spec. Once IETF process is done, we can take the text out and reference 

John pointed out that perhaps we can create a separate OpenID Connect 
Mutual TLS Authentication Method document so that from the FAPI point of 
view, it will just be the change of the reference.

Brian already has written it down so John needs to dig it up. It should 
be relatively quick.

Once we have the draft, we can insert it in the requirements.

It is related to #16.

John suggested that for client authentication, the option would be:
Mutual TLS + JWT; or
JWT + Token Binding
Nat pointed out that it might be better to consider it in the Read-Write 
access timeline as we have less time pressure as Token Binding is still 
young. For read only access, it probably would suffice to do Mutual 
TLS+Basic or JWT client authn only.

5.   Issues
5.1.   #16 Client Authentication (John)
issue #16

Mutual Auth TLS profile not defined anywhere for token endpoint. We 
probably need to do ourselves.

Client auth JWT (secret, private key) can also be used, so it is either 
of them.
Nat has suggested a text for this bit on #16.
We probably should not allow Basic auth only.

John volunteered to craft text.

John to come up with the additional text to be applied and do a pull 

5.2.   #29 Draft Split (Nat)
issue #29
Per the result of the Atlantic call last week, the split of the draft is 
suggested as recorded in #29.
The call participants agreed that 5 parts structure as below would be 
good. * part 1: Read Only API Security * part 2: Open Data API * part 3: 
Protected Resource Data API * part 4: Read Write API Security * part 5: 
Read Write Data API
Incorporate branch issue/26 into the current master branch, and then do 
the split.
During the time, we can continue reviewing the current WD esp. on the 
Read only security so that we can go quickly to the implementer's draft 
vote on the part 1.

5.3.   #28 International names for retirement savings account names 
issue #28

Dave pointed out that this is a tricky area where we have to cover vast 
array of products.
e.g., while trying to come up with a strawman Dave started wondering 
whether it would make sense to have interest in a single field as they 
now seem to depends on the account balance.
Nat pointed out that it is easier with the concrete account data as it 
can talk about the "currently applicable interest rate" but when it 
comes to "open data", it would be difficult.

NRI's team is also looking through the investment account data and they 
started feeling that some refactoring is needed.

Nat wanted to have a separate call for DDA-Customer-ID with Anoop.

5.4.   #30 Hanging Paragraph in 5.2 (Nat)
issue #30 : Editorial
disposition suggested in the ticket.

5.5.   #31 5.2 - te - More fine grained scope needed (Nat)
issue #31 : technical
Currently we have only one scope FinancialInformation.
Nat suggested that perhaps we need more fine grained ones?
Dave pointed out that he has use cases for just asking for account 
balance and separately the transactions details. They are two clear 
different scopes.
Nat pointed out that from the collection minimization point of view, it 
would also be good to have sub-scopes.
It is not suggesting to ditch the current scope, but is just suggesting 
that we need to have more granular ways to specify the access target.

6.   Events
6.1.   Pre-IIW (John)
Location fixed (VM Ware). We will have time allocated. Likely to be 20 
Sascha is in the process of preparing a presentation. It should be ready 
for review next week.
John will see Don tomorrow to ask for the est. of time and agenda.

* Develop a presentation for the occasion (Lead by Sascha) in two weeks.

6.2.   Pre-IETF (Nat)
Not yet.

* Nat will get in touch with them and get back to the list.

7.   AOB
7.1.   How to communicate back the partial errors to the client (Anoop)
While implementing DDA, Anoop et al. came across a new use case. 
Sometimes, when banks are returning data, some of the sub-system may not 
be available temporarily and results in partial results. For example, 
the Bank's credit card system may be on maintenance mode and the bank 
may not be able to return data on credit card while it can return 
everything else. It is just a temporary error. We have not defined 
anything on this. Bank needs to communicate it back to the client. e.g., 
yesterday I returned 5 accounts but today I am returning only 3. Hoever 
do note delete the 2 as it is only temporarily unavailable. When we come 
back, I might be able to return them.
Anoop can come up with suggested text.

Nat to create a ticket and assign it to Anoop.

7.2.   Next Call
2016-09-28 14:00 UTC
(07:00 PDT, 15:00 UK, 16:00 Denmark, 23:00 JST)
The meeting adjourned at 23:55 UTC.

More information about the Openid-specs-fapi mailing list