[Openid-specs-fapi] FW: FAPI question - FS-ISAC / FAPI Security Model Convergence Proposal

Nat Sakimura nat at sakimura.org
Tue Sep 5 23:57:50 UTC 2017

Forwarding this to the FAPI list on behalf of Anoop

*From: *"Mahalaha, Anil" <anil.mahalaha at fmr.com>
*Date: *Tuesday, August 22, 2017 at 2:01 PM
*To: *Anoop Saxena <Anoop_Saxena at intuit.com>, "Stephens, Clint" <clint.stephens at citi.com>
*Cc: *"Cardinal, Don" <don.cardinal at bankofamerica.com>, "Chetuparambil, Madhu" <Madhu_Chetuparambil at intuit.com>
*Subject: *RE: FAPI question - FS-ISAC / FAPI Security Model Convergence


My thoughts on the API part of FAPI

FAPI should make reference to DDA for API definition. Protocol (Get, Post),
Headers, RESTful API design, Resource names, etc. Given that FAPI is not
defining schema in their specifications they can just point out that schema
outlined in the DDA is for US only and serves as guidance to other Regions
wishing to define their own schemas. The benefit of FAPI pointing to DDA is
that it will reduce confusion for US adopters and enable other Regions to
leverage API definition work being done in the US. In the future if other
Regions standardize on their own schemas then we can include them in the
DDA Specifications and propose identifying the region in the URL path.







*From:* Saxena, Anoop [mailto:Anoop_Saxena at intuit.com]
*Sent:* Saturday, August 19, 2017 4:50 PM
*To:* Stephens, Clint
*Cc:* Cardinal, Don; Mahalaha, Anil; Chetuparambil, Madhu; Saxena, Anoop
*Subject:* Re: FAPI question - FS-ISAC / FAPI Security Model Convergence

Hello Clint,

Sounds good. Let’s review after completion of phase1 control consideration
document and share with FAPI team.

Also, we can discuss & explore with the FAPI/OpenID Connect group about a unified
group effort. I am travelling the week of 8/21, and will connect with you on the
unified group effort in the later part of the week or next week.



*From: *"Stephens, Clint" <clint.stephens at citi.com>
*Date: *Friday, August 18, 2017 at 10:48 AM
*To: *Anoop Saxena <Anoop_Saxena at intuit.com>
*Cc: *"Cardinal, Don" <don.cardinal at bankofamerica.com>, "Mahalaha, Anil" <Anil.Mahalaha at fmr.com>, "Chetuparambil, Madhu" <Madhu_Chetuparambil at intuit.com>
*Subject: *RE: FAPI question - FS-ISAC / FAPI Security Model Convergence


Hi. Regarding security model convergence, the position we’ve discussed is
to converge the FAPI security model into the FS-ISAC aggregation security
model given the similar content and use through absorption of the FAPI
documentation into the *Control Considerations* document. We are currently
updating the working group’s phase 1 *Control Considerations* document to
include new topics, the RFPs and updates to some of the phase 1 content.
The updated document should be ready for FS-ISAC review by 8/31.

I would propose that upon completion of a reviewed FS-ISAC draft of
the *Control Considerations* document, the FAPI team review and propose changes to
ensure completeness and cohesiveness of that FS-ISAC document as we move
into a more permanent unified group effort, which would eliminate the need
to continue forward with the FAPI security model.

What are your thoughts on this?



*From:* Saxena, Anoop [mailto:Anoop_Saxena at intuit.com]
*Sent:* Thursday, August 10, 2017 8:06 PM
*To:* Mahalaha, Anil; Cardinal, Don; Stephens, Clint [CCC-OT];
Chetuparambil, Madhu
*Subject:* FAPI question

Hello Anil/Clint/Don,

Thank you for inviting me to the API Sub-committee. Great to see a lot of
engagement in the discussion today.

I missed a few meetings and am not sure if we landed on any recommendation.

1. Use of security profile from FAPI
   a. What was the decision here?

2. Data (DDA)
   a. If I recall, this is a different region and decided to keep


Anoop Saxena

*Intuit | simplify the business of life™*
o: 818-436-8524        m: 8182974282


Nat Sakimura

Chairman of the Board, OpenID Foundation