[Openid-specs-fapi] FAPI Security Profile 1.0 Parts 1 & 2 Final Preview

Edmund Jay ejay at mgi1.com
Wed Feb 3 02:15:20 UTC 2021


Hi Brian,

Thank you for your review and comments. I've put in a PR at
https://bitbucket.org/openid/fapi/pull-requests/231.
Please review the change to see if that addresses your concerns.

Thank you.

-- Edmund

On Fri, Jan 29, 2021 at 1:39 PM Brian Campbell <bcampbell at pingidentity.com>
wrote:

> There are still a few remnant uses of "read-only" and "read and write" and
> similar that don't seem to align with the later breaking change to classify
> the documents as baseline and advanced. I suspect this could be rather
> jarring to a reader that isn't familiar with the history of the naming.
>
> In baseline:
> "This document is Part 1 of FAPI Security Profile 1.0 that specifies the
> Financial-grade API and it provides a profile of OAuth that is suitable to
> be used in the access of read-only financial data and similar use cases. A
> higher level of security profile is provided in Part 2, suitable for read
> and write financial access APIs and other similar situations where the risk
> is higher. " is maybe okay because of the "and similar..." qualifications
> but
> "obtain OAuth tokens in a secure manner for read-only access to protected
> data"
> "use tokens to read protected data from REST endpoints."
> "Read-only access is generally viewed to pose a lower risk than the write
> access and as such, the characteristics required of the tokens are
> different and the methods to obtain tokens are explained separately."
> "Read-only access is a lower risk scenario compared to the write access;
> therefore the protection level can also be lower."
> "shall verify that the scope associated with the access token authorizes
> the reading of the resource it is representing"
> don't really make sense in the context of a document that isn't supposed
> to be about read-only
> also the grammar check in my email doesn't like "to the write"
>
> In advanced:
> "provides a profile of OAuth that is suitable to be used for high risk
> access (read or write), for example, read access to highly sensitive data
> or write access to financial data (also known as payment initiation)." and
> "For example, read and write access to a bank API has a higher financial
> risk than read-only access." are maybe ok because they are given as
> examples rather than absolutes
> but
> "Read and write access carries higher risk; therefore the protection level
> required is higher than read-only access."
> looks like it just wasn't updated with the change from read and write to
> advanced
>
> On Wed, Jan 27, 2021 at 4:22 AM Edmund Jay via Openid-specs-fapi <
> openid-specs-fapi at lists.openid.net> wrote:
>
>> Dear WG members,
>>
>> Attached are the Final preview version of the rendered HTML of the FAPI
>> Security Profile 1.0 Parts 1 and 2.
>>
>> Your comments and feedback are much appreciated.
>>
>> Thank you.
>>
>> -- Edmund
>> _______________________________________________
>> Openid-specs-fapi mailing list
>> Openid-specs-fapi at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
>>