<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <div class="moz-cite-prefix">Excellent points, we need to say
      something about metadata and discovery.</div>
    <div class="moz-cite-prefix"><br>
    </div>
    <div class="moz-cite-prefix">I also found that not all clients
      support the "infix"-type RFC8414 OAuth server discovery document
      URLs (Issuer <a class="moz-txt-link-freetext" href="https://example.com/foo/bar">https://example.com/foo/bar</a> → Metadata URL
      <a class="moz-txt-link-freetext" href="https://example.com">https://example.com</a><b>/.well-known/oauth-authorization-server/</b>foo/bar)
      and that the "postfix" style seems to be perceived as the default
      (Issuer <a class="moz-txt-link-freetext" href="https://example.com/foo/bar">https://example.com/foo/bar</a> → Metadata URL
      <a class="moz-txt-link-freetext" href="https://example.com/foo/bar">https://example.com/foo/bar</a><b>/.well-known/oauth-authorization-server</b>)
      although RFC8414 says otherwise.</div>
    <div class="moz-cite-prefix"><br>
    </div>
    <div class="moz-cite-prefix">If we want on-the-wire interop, we need
      to give more guidance on this.</div>
    <div class="moz-cite-prefix"><br>
    </div>
    <div class="moz-cite-prefix">Does anybody have specific experience
      with this from practice?<br>
    </div>
    <div class="moz-cite-prefix"><br>
    </div>
    <div class="moz-cite-prefix">-Daniel<br>
    </div>
    <div class="moz-cite-prefix"><br>
    </div>
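    <div class="moz-cite-prefix">An added example (not code from this thread or from the FAPI working group) covering the two discovery points raised in the thread: it derives the RFC 8414 "infix" metadata URL for an issuer with a path, shows the "postfix" form clients tend to assume instead, and checks a constructed metadata document for the issuer match that RFC 8414 requires and for the require_pushed_authorization_requests value Torsten says a FAPI 2 AS must set. The https endpoint checks and the fetch-injection helper are this example's own assumptions.</div>

```python
"""Added example (not code from the thread or from the FAPI working group):
RFC 8414 metadata URL derivation for an issuer with a path, the "postfix" form
clients assume instead, and the checks a client should run on the document.
The sample metadata below is constructed for the example."""
import json
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN_SUFFIX = "oauth-authorization-server"  # RFC 8414 well-known suffix

# Constructed sample: what https://example.com/foo/bar might publish.
SAMPLE_ISSUER = "https://example.com/foo/bar"
SAMPLE_METADATA_JSON = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": "https://example.com/foo/bar/authorize",
    "token_endpoint": "https://example.com/foo/bar/token",
    "pushed_authorization_request_endpoint": "https://example.com/foo/bar/par",
    "jwks_uri": "https://example.com/foo/bar/jwks",
    "require_pushed_authorization_requests": True,
})


def is_valid_issuer(issuer: str) -> bool:
    """RFC 8414 section 2: an https URL, optional path, no query or fragment."""
    p = urlsplit(issuer)
    return p.scheme == "https" and bool(p.netloc) and not p.query and not p.fragment


def rfc8414_metadata_url(issuer: str) -> str:
    """'Infix' form from RFC 8414 section 3: the well-known segment is inserted
    between the host and the issuer's path component, e.g.
    https://example.com/foo/bar -> https://example.com/.well-known/oauth-authorization-server/foo/bar
    """
    if not is_valid_issuer(issuer):
        raise ValueError(f"not a valid issuer identifier: {issuer!r}")
    p = urlsplit(issuer)
    path = p.path.rstrip("/")  # a trailing slash would otherwise produce '//'
    return urlunsplit((p.scheme, p.netloc, f"/.well-known/{WELL_KNOWN_SUFFIX}{path}", "", ""))


def postfix_metadata_url(issuer: str) -> str:
    """'Postfix' form (OpenID Connect Discovery style) that the thread reports
    clients treat as the default even though RFC 8414 specifies the infix form:
    https://example.com/foo/bar -> https://example.com/foo/bar/.well-known/oauth-authorization-server
    """
    if not is_valid_issuer(issuer):
        raise ValueError(f"not a valid issuer identifier: {issuer!r}")
    return issuer.rstrip("/") + f"/.well-known/{WELL_KNOWN_SUFFIX}"


def paths_to_publish(issuer: str) -> set:
    """URL paths an AS can serve so that both infix and postfix clients find the
    document; for an issuer without a path component the two forms coincide."""
    return {urlsplit(rfc8414_metadata_url(issuer)).path,
            urlsplit(postfix_metadata_url(issuer)).path}


def load_metadata(text: str) -> dict:
    doc = json.loads(text)
    if not isinstance(doc, dict):
        raise ValueError("metadata document must be a JSON object")
    return doc


def validate_metadata(issuer: str, doc: dict) -> list:
    """Return a list of problems; an empty list means the document is acceptable."""
    problems = []
    # RFC 8414 section 3.3: the 'issuer' in the document must be identical to the
    # issuer identifier the well-known URI was built from. Rejecting a mismatch
    # keeps a client from binding to metadata that was served for another issuer.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {issuer!r}")
    # Torsten's point in the thread: a FAPI 2 compliant AS must set this to true.
    if doc.get("require_pushed_authorization_requests") is not True:
        problems.append("require_pushed_authorization_requests is not true")
    # Endpoint checks are this example's own assumption of what a FAPI 2 client
    # needs; pushed_authorization_request_endpoint is the name from the PAR spec.
    for key in ("authorization_endpoint", "token_endpoint",
                "pushed_authorization_request_endpoint", "jwks_uri"):
        value = doc.get(key)
        if not isinstance(value, str) or not value.startswith("https://"):
            problems.append(f"{key} is missing or not an https URL")
    return problems


def discover(issuer: str, fetch) -> dict:
    """Resolve metadata for an issuer via an injected fetch(url) -> str (assumed
    helper). Only the RFC 8414 URL is tried so client behaviour is deterministic;
    a server wanting postfix-style clients to work can publish paths_to_publish()."""
    doc = load_metadata(fetch(rfc8414_metadata_url(issuer)))
    problems = validate_metadata(issuer, doc)
    if problems:
        raise ValueError("; ".join(problems))
    return doc


if __name__ == "__main__":
    print(rfc8414_metadata_url(SAMPLE_ISSUER))
    print(postfix_metadata_url(SAMPLE_ISSUER))
    # Offline fetch stub that serves the sample only at the RFC 8414 path.
    table = {rfc8414_metadata_url(SAMPLE_ISSUER): SAMPLE_METADATA_JSON}
    print(discover(SAMPLE_ISSUER, table.__getitem__)["token_endpoint"])
```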
    <div class="moz-cite-prefix">On 07.06.20 at 15:18, Stuart
      Low wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:D042EC60-1DC6-4310-925E-30159F0F249E@biza.io">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      What about discovery documents? Are these in scope?
      <div class=""><br class="">
      </div>
      <div class="">Wondering if we should be aligning to <a
          href="https://tools.ietf.org/html/rfc8414" class=""
          moz-do-not-send="true">https://tools.ietf.org/html/rfc8414</a> and
        perhaps mandating Signed Metadata for Advanced?</div>
      <div class=""><br class="">
      </div>
      <div class="">Stu<br class="">
        <div><br class="">
          <blockquote type="cite" class="">
            <div class="">On 6 Jun 2020, at 7:40 pm, Ralph Bragg via
              Openid-specs-fapi <<a
                href="mailto:openid-specs-fapi@lists.openid.net"
                class="" moz-do-not-send="true">openid-specs-fapi@lists.openid.net</a>>
              wrote:</div>
            <br class="Apple-interchange-newline">
            <div class="">
              <div dir="ltr" style="caret-color: rgb(0, 0, 0);
                font-family: Helvetica; font-size: 12px; font-style:
                normal; font-variant-caps: normal; font-weight: normal;
                letter-spacing: normal; text-align: start; text-indent:
                0px; text-transform: none; white-space: normal;
                word-spacing: 0px; -webkit-text-stroke-width: 0px;
                text-decoration: none;" class="">
                <div data-ogsc="" class="">
                  <div dir="ltr" class="">Another quick one, in the
                    bottom section on Cryptography and Secrets in Baseline
                    there is mention of “symmetric credentials”
                    being permitted. But I couldn’t see anywhere in the
                    requirements for AS that they should be supported. </div>
                  <div dir="ltr" class=""><br class="">
                  </div>
                  <div dir="ltr" class="">If there’s a need can it be
                    stated? (I’ll raise a ticket). Additionally, for the
                    advanced profile this clause, if it’s still
                    required, should be asymmetric only, no?</div>
                  <div dir="ltr" class=""><br class="">
                  </div>
                  <div dir="ltr" class="">Will raise a ticket on
                    advanced for that decision as well.</div>
                  <div class=""><br class="">
                  </div>
                </div>
              </div>
              <hr tabindex="-1" style="caret-color: rgb(0, 0, 0);
                font-family: Helvetica; font-size: 12px; font-style:
                normal; font-variant-caps: normal; font-weight: normal;
                letter-spacing: normal; text-align: start; text-indent:
                0px; text-transform: none; white-space: normal;
                word-spacing: 0px; -webkit-text-stroke-width: 0px;
                text-decoration: none; display: inline-block; width:
                748.71875px;" class=""><span style="caret-color: rgb(0,
                0, 0); font-family: Helvetica; font-size: 12px;
                font-style: normal; font-variant-caps: normal;
                font-weight: normal; letter-spacing: normal; text-align:
                start; text-indent: 0px; text-transform: none;
                white-space: normal; word-spacing: 0px;
                -webkit-text-stroke-width: 0px; text-decoration: none;
                float: none; display: inline !important;" class=""></span>
              <div id="divRplyFwdMsg" dir="ltr" style="caret-color:
                rgb(0, 0, 0); font-family: Helvetica; font-size: 12px;
                font-style: normal; font-variant-caps: normal;
                font-weight: normal; letter-spacing: normal; text-align:
                start; text-indent: 0px; text-transform: none;
                white-space: normal; word-spacing: 0px;
                -webkit-text-stroke-width: 0px; text-decoration: none;"
                class=""><font style="font-size: 11pt;" class=""
                  face="Calibri, sans-serif"><b class="">From:</b><span
                    class="Apple-converted-space"> </span>Torsten
                  Lodderstedt <<a
                    href="mailto:torsten@lodderstedt.net" class=""
                    moz-do-not-send="true">torsten@lodderstedt.net</a>><br
                    class="">
                  <b class="">Sent:</b><span
                    class="Apple-converted-space"> </span>Saturday, June
                  6, 2020 10:09:22 AM<br class="">
                  <b class="">To:</b><span class="Apple-converted-space"> </span>Ralph
                  Bragg <<a href="mailto:ralph.bragg@raidiam.com"
                    class="" moz-do-not-send="true">ralph.bragg@raidiam.com</a>><br
                    class="">
                  <b class="">Cc:</b><span class="Apple-converted-space"> </span>Financial
                  API Working Group List <<a
                    href="mailto:openid-specs-fapi@lists.openid.net"
                    class="" moz-do-not-send="true">openid-specs-fapi@lists.openid.net</a>><br
                    class="">
                  <b class="">Subject:</b><span
                    class="Apple-converted-space"> </span>Re:
                  [Openid-specs-fapi] FAPI 2 Advanced Profile /
                  Recommendations for signing resource
                  requests/responses</font>
                <div class=""> </div>
              </div>
              <div dir="auto" style="caret-color: rgb(0, 0, 0);
                font-family: Helvetica; font-size: 12px; font-style:
                normal; font-variant-caps: normal; font-weight: normal;
                letter-spacing: normal; text-align: start; text-indent:
                0px; text-transform: none; white-space: normal;
                word-spacing: 0px; -webkit-text-stroke-width: 0px;
                text-decoration: none;" class="">
                <div dir="ltr" class="">I also suggest we document what
                  metadata values AS and client are supposed to use,
                  e.g. there will be the metadata parameter <span
                    style="color: rgb(33, 37, 41); font-family:
                    SFMono-Regular, Menlo, Monaco, Consolas,
                    "Liberation Mono", "Courier
                    New", monospace; font-size: 12.25px;" class="">require_pushed_authorization_requests </span>to
                  let the AS indicate it supports pushed authorization
                  requests only (<a
href="https://mailarchive.ietf.org/arch/msg/oauth/S76ODyZkHPSA6L69yyx08BuEP5M/"
                    style="color: blue; text-decoration: underline;"
                    class="" moz-do-not-send="true">https://mailarchive.ietf.org/arch/msg/oauth/S76ODyZkHPSA6L69yyx08BuEP5M/</a>).</div>
                <div dir="ltr" class=""><br class="">
                </div>
                <div dir="ltr" class="">A FAPI2 compliant AS must set
                  this value to true.</div>
                <div dir="ltr" class=""><br class="">
                  <blockquote type="cite" class="">On 06.06.2020 at
                    10:55, Ralph Bragg <<a
                      href="mailto:ralph.bragg@raidiam.com" class=""
                      moz-do-not-send="true">ralph.bragg@raidiam.com</a>> wrote:<br
                      class="">
                    <br class="">
                  </blockquote>
                </div>
                <blockquote type="cite" class="">
                  <div dir="ltr" class="">
                    <div class="x_WordSection1">
                      <div style="margin: 0cm 0cm 0.0001pt; font-size:
                        11pt; font-family: Calibri, sans-serif;"
                        class=""><span class="">Hi Daniel,</span></div>
                      <p class="x_MsoNormal" style="margin: 0cm 0cm
                        0.0001pt; font-size: 11pt; font-family: Calibri,
                        sans-serif;"><span class=""> </span></p>
                      <div style="margin: 0cm 0cm 0.0001pt; font-size:
                        11pt; font-family: Calibri, sans-serif;"
                        class=""><span class="">In addition to Torsten’s
                          comments, and if we’re looking for backwards
                          compatibility, do we care or want to mandate
                          that the id_token from the front channel is
                          ONLY used for code binding? Sub is a mandatory
                          property of the id_token and as such required;
                          to prevent any leakage of any information
                          useful to a potential attacker, should the sub
                          property explicitly be made pairwise or some
                          other value deliberately not related to the
                          resource owner / subject?</span></div>
                      <p class="x_MsoNormal" style="margin: 0cm 0cm
                        0.0001pt; font-size: 11pt; font-family: Calibri,
                        sans-serif;"><span class=""> </span></p>
                      <div style="margin: 0cm 0cm 0.0001pt; font-size:
                        11pt; font-family: Calibri, sans-serif;"
                        class=""><span class="">Kind Regards,</span></div>
                      <div style="margin: 0cm 0cm 0.0001pt; font-size:
                        11pt; font-family: Calibri, sans-serif;"
                        class=""><span class="">Ralph</span></div>
                      <p class="x_MsoNormal" style="margin: 0cm 0cm
                        0.0001pt; font-size: 11pt; font-family: Calibri,
                        sans-serif;"><span class=""> </span></p>
                      <p class="x_MsoNormal" style="margin: 0cm 0cm
                        0.0001pt; font-size: 11pt; font-family: Calibri,
                        sans-serif;"><span class=""> </span></p>
                      <p class="x_MsoNormal" style="margin: 0cm 0cm
                        0.0001pt; font-size: 11pt; font-family: Calibri,
                        sans-serif;"><span class=""> </span></p>
                      <div style="border-style: solid none none;
                        border-top-width: 1pt; border-top-color:
                        rgb(181, 196, 223); padding: 3pt 0cm 0cm;"
                        class="">
                        <div style="margin: 0cm 0cm 0.0001pt; font-size:
                          11pt; font-family: Calibri, sans-serif;"
                          class=""><b class=""><span style="font-size:
                              12pt;" class="">From:<span
                                class="Apple-converted-space"> </span></span></b><span
                            style="font-size: 12pt;" class="">Openid-specs-fapi
                            <<a
                              href="mailto:openid-specs-fapi-bounces@lists.openid.net"
                              class="" moz-do-not-send="true">openid-specs-fapi-bounces@lists.openid.net</a>>
                            on behalf of Torsten Lodderstedt via
                            Openid-specs-fapi <<a
                              href="mailto:openid-specs-fapi@lists.openid.net"
                              class="" moz-do-not-send="true">openid-specs-fapi@lists.openid.net</a>><br
                              class="">
                            <b class="">Reply to:<span
                                class="Apple-converted-space"> </span></b>Financial
                            API Working Group List <<a
                              href="mailto:openid-specs-fapi@lists.openid.net"
                              class="" moz-do-not-send="true">openid-specs-fapi@lists.openid.net</a>><br
                              class="">
                            <b class="">Date:<span
                                class="Apple-converted-space"> </span></b>Saturday,
                            6 June 2020 at 09:36<br class="">
                            <b class="">To:<span
                                class="Apple-converted-space"> </span></b>Financial
                            API Working Group List <<a
                              href="mailto:openid-specs-fapi@lists.openid.net"
                              class="" moz-do-not-send="true">openid-specs-fapi@lists.openid.net</a>><br
                              class="">
                            <b class="">Cc:<span
                                class="Apple-converted-space"> </span></b>Torsten
                            Lodderstedt <<a
                              href="mailto:torsten@lodderstedt.net"
                              class="" moz-do-not-send="true">torsten@lodderstedt.net</a>><br
                              class="">
                            <b class="">Subject:<span
                                class="Apple-converted-space"> </span></b>Re:
                            [Openid-specs-fapi] FAPI 2 Advanced Profile
                            / Recommendations for signing resource
                            requests/responses</span></div>
                      </div>
                      <div class="">
                        <p class="x_MsoNormal" style="margin: 0cm 0cm
                          0.0001pt; font-size: 11pt; font-family:
                          Calibri, sans-serif;"> </p>
                      </div>
                      <div class="">
                        <div style="margin: 0cm 0cm 0.0001pt; font-size:
                          11pt; font-family: Calibri, sans-serif;"
                          class="">Hi Daniel,</div>
                      </div>
                      <div class="">
                        <div style="margin: 0cm 0cm 0.0001pt; font-size:
                          11pt; font-family: Calibri, sans-serif;"
                          class=""><br class="">
                          <br class="">
                        </div>
                        <blockquote style="margin-top: 5pt;
                          margin-bottom: 5pt;" class="">
                          <p class="x_MsoNormal" style="margin: 0cm 0cm
                            12pt; font-size: 11pt; font-family: Calibri,
                            sans-serif;">On 05.06.2020 at 10:20,
                            Daniel Fett via Openid-specs-fapi <<a
                              href="mailto:openid-specs-fapi@lists.openid.net"
                              class="" moz-do-not-send="true">openid-specs-fapi@lists.openid.net</a>> wrote:</p>
                        </blockquote>
                      </div>
                      <blockquote style="margin-top: 5pt; margin-bottom:
                        5pt;" class="">
                        <div class="">
                          <p class="">Hi all,</p>
                          <p class="">I prepared a first (rough) draft
                            of the FAPI 2 Advanced profile and would
                            welcome your feedback:<a
href="https://bitbucket.org/openid/fapi/src/c28fc020e7ab9377d96501f2b4daa9a9da8f2128/FAPI_2_0_Advanced_Profile.md?at=danielfett%2Ffapi2%2Fadvanced"
                              style="color: blue; text-decoration:
                              underline;" class=""
                              moz-do-not-send="true">https://bitbucket.org/openid/fapi/src/c28fc020e7ab9377d96501f2b4daa9a9da8f2128/FAPI_2_0_Advanced_Profile.md?at=danielfett%2Ffapi2%2Fadvanced</a></p>
                        </div>
                      </blockquote>
                      <div class="">
                        <div style="margin: 0cm 0cm 0.0001pt; font-size:
                          11pt; font-family: Calibri, sans-serif;"
                          class="">thanks for preparing the draft!</div>
                      </div>
                      <div class="">
                        <p class="x_MsoNormal" style="margin: 0cm 0cm
                          0.0001pt; font-size: 11pt; font-family:
                          Calibri, sans-serif;"> </p>
                      </div>
                      <div class="">
                        <div style="margin: 0cm 0cm 0.0001pt; font-size:
                          11pt; font-family: Calibri, sans-serif;"
                          class="">Here are my comments:</div>
                      </div>
                      <div class="">
                        <div style="margin: 0cm 0cm 0.0001pt; font-size:
                          11pt; font-family: Calibri, sans-serif;"
                          class="">- <span style="font-size: 10.5pt;
                            font-family: "Helvetica Neue";
                            color: rgb(23, 43, 77); background-color:
                            white; background-position: initial initial;
                            background-repeat: initial initial;"
                            class="">[@I-D.lodderstedt-oauth-par] should
                            refer to the WG draft</span></div>
                      </div>
                      <div class="">
                        <div style="margin: 0cm 0cm 0.0001pt; font-size:
                          11pt; font-family: Calibri, sans-serif;"
                          class=""><span style="font-size: 10.5pt;
                            font-family: "Helvetica Neue";
                            color: rgb(23, 43, 77); background-color:
                            white; background-position: initial initial;
                            background-repeat: initial initial;"
                            class="">- „ shall support at least one of
                            the following methods to sign the
                            authorization response:“</span></div>
                      </div>
                      <div class="">
                        <div style="margin: 0cm 0cm 0.0001pt; font-size:
                          11pt; font-family: Calibri, sans-serif;"
                          class=""><span style="font-size: 10.5pt;
                            font-family: "Helvetica Neue";
                            color: rgb(23, 43, 77); background-color:
                            white; background-position: initial initial;
                            background-repeat: initial initial;"
                            class="">I think the AS must support at
                            least one mode for interoperability reasons.
                            I think this should be JARM and ID token may
                            be supported (for the purpose of this
                            profile) for backward compatibility reasons.</span></div>
                      </div>
                      <div class="">
                        <div style="margin: 0cm 0cm 0.0001pt; font-size:
                          11pt; font-family: Calibri, sans-serif;"
                          class=""><span style="font-size: 10.5pt;
                            font-family: "Helvetica Neue";
                            color: rgb(23, 43, 77); background-color:
                            white; background-position: initial initial;
                            background-repeat: initial initial;"
                            class="">„</span><span style="font-size:
                            10.5pt; font-family: "Helvetica
                            Neue"; color: rgb(23, 43, 77);"
                            class="">OPEN QUESTION: how to handle
                            userinfo response type selection? OIDC core
                            says: depends on client registration“ I
                            think that's fine. We use the same
                            philosophy for all sorts of request and
                            response signing. It’s determined by client
                            registration parameters + general deployment
                            metadata (what is generally
                            supported/expected).</span></div>
                      </div>
                      <div class="">
                        <div style="margin: 0cm 0cm 0.0001pt; font-size:
                          11pt; font-family: Calibri, sans-serif;"
                          class=""><span style="font-size: 10.5pt;
                            font-family: "Helvetica Neue";
                            color: rgb(23, 43, 77);" class="">- „<span
                              style="background-color: white;
                              background-position: initial initial;
                              background-repeat: initial initial;"
                              class="">The FAPI 2.0 endpoints are OAuth
                              2.0 protected resource endpoints that
                              return protected information for the
                              resource owner associated with the
                              submitted access token.“ - RSs also
                              initiate actions (eg payments), that’s one
                              important reason for requiring
                              non-repudiation. I suggest to add
                              something like „.... that perform
                              sensitive actions and return protected
                              information for the resource owner ...“</span></span></div>
                      </div>
                      <div class="">
                        <div style="margin: 0cm 0cm 0.0001pt; font-size:
                          11pt; font-family: Calibri, sans-serif;"
                          class=""><span style="font-size: 10.5pt;
                            font-family: "Helvetica Neue";
                            color: rgb(23, 43, 77); background-color:
                            white; background-position: initial initial;
                            background-repeat: initial initial;"
                            class=""><br class="">
                            <br class="">
                          </span></div>
                      </div>
                      <div class="">
                        <div style="margin: 0cm 0cm 0.0001pt; font-size:
                          11pt; font-family: Calibri, sans-serif;"
                          class=""><span style="font-size: 10.5pt;
                            font-family: "Helvetica Neue";
                            color: rgb(23, 43, 77); background-color:
                            white; background-position: initial initial;
                            background-repeat: initial initial;"
                            class="">best regards,</span></div>
                      </div>
                      <div class="">
                        <div style="margin: 0cm 0cm 0.0001pt; font-size:
                          11pt; font-family: Calibri, sans-serif;"
                          class=""><span style="font-size: 10.5pt;
                            font-family: "Helvetica Neue";
                            color: rgb(23, 43, 77); background-color:
                            white; background-position: initial initial;
                            background-repeat: initial initial;"
                            class="">Torsten.</span></div>
                      </div>
                      <blockquote style="margin-top: 5pt; margin-bottom:
                        5pt;" class="">
                        <div class="">
                          <p class="">One open question is whether we
                            can give recommendations regarding resource
                            request and response signing. We currently
                            have<span class="Apple-converted-space"> </span><a
href="https://bitbucket.org/openid/fapi/src/master/Financial_API_HTTP_Signing.md"
                              style="color: blue; text-decoration:
                              underline;" class=""
                              moz-do-not-send="true">https://bitbucket.org/openid/fapi/src/master/Financial_API_HTTP_Signing.md</a><span
                              class="Apple-converted-space"> </span>which
                            lists "typical requirements" but does not
                            give concrete advice.</p>
                          <p class="">ETSI is developing JAdES and
                            there is some work ongoing in the IETF HTTP
                            group as well.</p>
                          <p class="">What are other options that we
                            should take a look at?</p>
                          <p class="">-Daniel</p>
                          <div style="margin: 0cm 0cm 0.0001pt;
                            font-size: 11pt; font-family: Calibri,
                            sans-serif;" class="">_______________________________________________<br
                              class="">
                            Openid-specs-fapi mailing list<br class="">
                            <a
                              href="mailto:Openid-specs-fapi@lists.openid.net"
                              class="" moz-do-not-send="true">Openid-specs-fapi@lists.openid.net</a><br
                              class="">
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi">http://lists.openid.net/mailman/listinfo/openid-specs-fapi</a></div>
                        </div>
                      </blockquote>
                    </div>
                  </div>
                </blockquote>
              </div>
              </div>
          </blockquote>
        </div>
        <br class="">
      </div>
    </blockquote>
    <p><br>
    </p>
  </body>
</html>