[Openid-specs-heart] Preparing for next Monday's meeting

Eve Maler eve.maler at forgerock.com
Thu Nov 29 17:57:23 UTC 2018


Hi everyone-- Looking forward to our call on Monday; it's been a little
while. The agenda for this meeting is:

*Discussion whether a highly-secure health related profile(s) that aligns
with the Financial Grade API (FAPI) would be beneficial to profile within
HEART*

The idea is that we may be able to learn and apply lessons from one or more
of the FAPI security profiles (equivalent to what we have called "mechanical"
HEART profiles -- that is, not focusing on any financial-industry open API
particulars of adding security/identity/privacy, but just on generic
aspects of security and interop). Originally they were developed for
specific application to the financial industry ("Financial API"), but
ultimately it was felt these patterns are more broadly applicable, and the
acronym was retrofitted to stand for "Financial-*Grade* API".

The FAPI WG site <https://openid.net/wg/fapi/> links to the latest specs.
The two to examine for now are "FAPI Part 1: Read Only API Security Profile
<http://openid.net/specs/openid-financial-api-part-1.html>" and "FAPI Part
2: Read & Write API Security Profile
<http://openid.net/specs/openid-financial-api-part-2.html>". Both recently
reached implementer's draft stage. (Our latest specs are here
<https://openid.bitbucket.io/HEART/> -- there seems to be an issue with
rendering at the moment that I hope we can sort out shortly.)

Some items to think about:

   - FAPI merges OAuth and OpenID Connect profiling together. We have done
   that in separate specs by turn (with a third for UMA).
   - FAPI profiles two levels of security, where "read" operations are
   lower-sensitivity and "read & write" is higher-sensitivity. We don't have
   any such clean lines (what might be called "named security modes").
   - FAPI's writing style is to provide numbered list-item clauses, to aid
   testability and reference. Our style is more prose-oriented.
   - FAPI's design center is security in a financial services context first
   and foremost, despite the broadened name. Of the requirements and
   guidelines in these profiles, how do they and the HEART equivalents
   actually compare, and do any of the actual profiling outcomes turn out to
   align well enough to inspire/teach/directly influence any of our own work,
   and/or vice versa?


*Eve Maler*
VP Innovation & Emerging Technology  |  ForgeRock
*t* (425) 345-6756  |  *e* eve.maler at forgerock.com
*twitter* xmlgrrl  |  *web* www.forgerock.com