[Openid-specs-heart] Preparing for next Monday's meeting
Eve Maler
eve.maler at forgerock.com
Thu Nov 29 17:57:23 UTC 2018
Hi everyone-- Looking forward to our call on Monday; it's been a little
while. The agenda for this meeting is:
*Discussion whether a highly-secure health related profile(s) that aligns
with the Financial Grade API (FAPI) would be beneficial to profile within
HEART*
The idea is that we may be able to learn and apply lessons from one or more
of the FAPI security profiles (equivalent to what we have called "mechanical"
HEART profiles -- that is, not focusing on any financial-industry open API
particulars of adding security/identity/privacy, but just on generic
aspects of security and interop). Originally they were developed for
specific application to the financial industry ("Financial API"), but
ultimately it was felt these patterns are more broadly applicable, and the
acronym was retrofitted to stand for "Financial-*Grade* API".
The FAPI WG site <https://openid.net/wg/fapi/> links to the latest specs.
The two to examine for now are "FAPI Part 1: Read Only API Security Profile
<http://openid.net/specs/openid-financial-api-part-1.html>" and "FAPI Part
2: Read & Write API Security Profile
<http://openid.net/specs/openid-financial-api-part-2.html>". Both recently
reached implementer's draft stage. (Our latest specs are here
<https://openid.bitbucket.io/HEART/> -- there seems to be an issue with
rendering at the moment that I hope we can sort out shortly.)
Some items to think about:
- FAPI merges OAuth and OpenID Connect profiling together. We have done
that in separate specs by turn (with a third for UMA).
- FAPI profiles two levels of security, where "read" operations are
lower-sensitivity and "read & write" is higher-sensitivity. We don't have
any such clean lines (what might be called "named security modes").
- FAPI's writing style is to provide numbered list-item clauses, to aid
testability and reference. Our style is more prose-oriented.
- FAPI's design center is security in a financial services context first
and foremost, despite the broadened name. Of the requirements and
guidelines in these profiles, how do they and the HEART equivalents
actually compare, and do any of the actual profiling outcomes turn out to
align well enough to inspire/teach/directly influence any of our own work,
and/or vice versa?
Eve Maler
VP Innovation & Emerging Technology | ForgeRock
t (425) 345-6756 | e eve.maler at forgerock.com
twitter xmlgrrl | web www.forgerock.com