<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Aptos;
        panose-1:2 11 0 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        font-size:11.0pt;
        font-family:"Aptos",sans-serif;
        mso-ligatures:standardcontextual;
        mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#467886;
        text-decoration:underline;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:11.0pt;
        mso-ligatures:none;
        mso-fareast-language:EN-US;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
--></style>
</head>
<body lang="EN-GB" link="#467886" vlink="#96607D" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Hi AB/Connect and FAPI people,</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">There was a presentation at OSW2025 where I learned that OWASP are working on a major revision to their Application Security Verification Standard. As part of that revision, they are adding content relating to “OAuth and OIDC” (sic).
 Some of you might wish to review and provide comment. If having an OIDF set of collated feedback is desirable, I may be able to find time to aggregate your thoughts and comments. If that is the case, please let me know. I shall do my best to review for the
 OIDF in any case.</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><a href="https://github.com/OWASP/ASVS/tree/master">https://github.com/OWASP/ASVS/tree/master</a></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The specific section on OAuth and OIDC is in:</p>
<p class="MsoNormal"><a href="https://github.com/OWASP/ASVS/blob/master/5.0/en/0x51-V51-OAuth2.md">https://github.com/OWASP/ASVS/blob/master/5.0/en/0x51-V51-OAuth2.md</a></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I have reached out to the presenter to see if there is any other guidance for reviewers. If I get anything back, I’ll add it to this mail thread.</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Best Regards,</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB">Mark Haine</span><span style="font-size:12.0pt;font-family:"Calibri",sans-serif;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB"> </span><span style="font-size:12.0pt;font-family:"Calibri",sans-serif;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri",sans-serif;color:black;mso-ligatures:none;mso-fareast-language:EN-GB"><a href="tel:+447775550344"><span style="color:#0078D7">+44 (0) 777 555 0344</span></a> | <a href="mailto:mark.haine@oidf.org"><span style="color:#0563C1">mark.haine@oidf.org</span></a> | </span><span style="font-size:12.0pt;font-family:"Calibri",sans-serif;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal"><a href="https://www.considrd.consulting/" title="https://www.considrd.consulting/"><span style="font-size:12.0pt;font-family:"Calibri",sans-serif;color:black;mso-ligatures:none;mso-fareast-language:EN-GB;text-decoration:none"><img border="0" width="152" height="48" style="width:1.5833in;height:.5in" id="Picture_x0020_2" src="cid:image002.png@01DB8C39.CDAC7EA0" alt="OpenID Logo"></span></a><span style="font-size:12.0pt;font-family:"Calibri",sans-serif;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB"><o:p></o:p></span></p>
</div>
</div>
</div>
</body>
</html>