[Openid-specs-mobile-profile] Mobile Profile WG Call on April 19th 2017 preliminary minutes

philippe.clement at orange.com
Thu Apr 20 08:43:25 UTC 2017


Dear all, please find below the preliminary minutes of our call.
Any error or misunderstanding, please let me know.

   Participants : Bjorn, Charles, Gonza, Hubert, Nicolas, Philippe, Siva, John, Shahram

Agenda :
1.      Implementer's Draft Vote [Bjorn]
2.      IIW attendance and MODRNA topics [Bjorn/All]
3.      IETF 98 update [John]
4.      FAPI/Banking Use Cases
5.      Feedback on draft-oauth-versatile-jwt-profile [Orange/All]
6.      UK Banking use cases/call flows [John]
7.      GSMA CPAS work status and schedule [GSMA]
8.      Issue Tracker
9.      AOB
Discussion :

1.      Implementer's Draft Vote [Bjorn]
As a reminder, Bjorn mentions the opening of the vote on the 4 documents in implementers draft mode; everyone is solicited to vote on these (link sent by email to OIF members).
2.      IIW attendance and MODRNA topics [Bjorn/All]
For the OIF workshop, the MODRNA slidedeck has to be updated and forwarded to the list before the event.
Suggestion is made to mention the account porting spec during the IIW, this document is telco agnostic and can concern everyone.
Regarding the 4 drafts under implementers draft, a high level view can be envisioned.

3.      IETF 98 update [John]
A draft exists (Nat, Torsten and Nat), but still needs some progress on security.
Mutual TLS is presented as a good candidate for server 2 server business applications.

4.      FAPI/Banking Use Cases
For banks talking to other financial institutions, using mutual TLS makes sense, and binding access token and refresh token has to be considered for other cases. The alternative can be Token binding for native apps, and mutual TLS for server 2 server. Security aspects have to be taken into consideration.

Is there a link between what we do in the backchannel approach and FAPI? Not sure.

A working draft is published in the FAPI WG: Financial API part 2, Read and Write API Security Profile.
Discussions about the certificate issued to a particular client and included in the software statement. A centralized certificate authority is not mandatory.

5.      Feedback on draft-oauth-versatile-jwt-profile [Orange/All]
Not addressed.

6.      UK Banking use cases/call flows [John]
Addressed partially in point 4, no doc regarding call flows.

7.      GSMA CPAS work status and schedule [GSMA]
Not addressed.

8.      Issue Tracker
Not addressed.




