[Openid-specs-fapi] Pull Requests for FAPI v1 and call today
Dave Tonge
dave.tonge at momentumft.co.uk
Wed Jul 8 06:19:04 UTC 2020
Dear WG
We would like to finalise FAPI v1 as soon as possible.
There are 9 pull requests in need of some feedback. Please, if at all
possible, can you review these in the next few days.
There are 15 remaining issues that it would be good to resolve as soon as
possible. Hopefully we can go through some of them on the call today, but
if not we will need to collaborate on the mailing list in order to resolve
them.
*PRs ready to merge*
1. IANA considerations for s_hash -
https://bitbucket.org/openid/fapi/pull-requests/176
2. Require auth codes and refresh tokens to have specific entropy -
https://bitbucket.org/openid/fapi/pull-requests/171
3. Remove PKCE requirement from part 2 -
https://bitbucket.org/openid/fapi/pull-requests/170
4. Clarify uuid requirement -
https://bitbucket.org/openid/fapi/pull-requests/174
5. Add DNSSEC and HSTS considerations. -
https://bitbucket.org/openid/fapi/pull-requests/164
*PRs in need of feedback:*
1. Add security consideration around sharing keys -
https://bitbucket.org/openid/fapi/pull-requests/175
2. Add requirement for client to verify scope in token response -
https://bitbucket.org/openid/fapi/pull-requests/172
3. Add requirement for servers to accept IPv6 addresses -
https://bitbucket.org/openid/fapi/pull-requests/169
4. Restrict of lifetime of access tokens that are not sender constrained
- https://bitbucket.org/openid/fapi/pull-requests/166
5.
6. Add security requirements for jwks_uri -
https://bitbucket.org/openid/fapi/pull-requests/173
7. Highlight that there are no public clients in part 2 -
https://bitbucket.org/openid/fapi/pull-requests/168
8. Key selection alg -
https://bitbucket.org/openid/fapi/pull-requests/167
9. Remove 'write operation' wording -
https://bitbucket.org/openid/fapi/pull-requests/177/remove-the-phrase-write-operation
*Issues that still need to be resolved:*
1. Dave -
https://bitbucket.org/openid/fapi/issues/255/certification-clarification-request
and
https://bitbucket.org/openid/fapi/issues/239/fapi-part-2-should-mention-require
2. Joseph -
https://bitbucket.org/openid/fapi/issues/277/fapi-rw-is-disallowing-signed-id_tokens
3. Joseph -
https://bitbucket.org/openid/fapi/issues/124/more-examples-as-an-appendix
4. Nat -
https://bitbucket.org/openid/fapi/issues/90/create-a-sensible-privacy-consideration
and
https://bitbucket.org/openid/fapi/issues/232/part-1-complete-the-privacy-consideration
5. Joseph -
https://bitbucket.org/openid/fapi/issues/264/expand-on-privacy-considerations-for
6. Joseph -
https://bitbucket.org/openid/fapi/issues/270/jarm-fapi-rw-openid-client-session-binding
7. Torsten -
https://bitbucket.org/openid/fapi/issues/166/ed-need-to-add-jarm-in-the-introductions
8. Joseph -
https://bitbucket.org/openid/fapi/issues/154/behaviour-of-as-undefined-if-no-acr-claim
9. Nat -
https://bitbucket.org/openid/fapi/issues/135/confidential-client-needs-a-strong
10. Torsten -
https://bitbucket.org/openid/fapi/issues/202/authorization-code-and-refresh-token-must
11. Dave -
https://bitbucket.org/openid/fapi/issues/298/change-holder-of-key-to-sender-constrained
12. Joseph -
https://bitbucket.org/openid/fapi/issues/224/fapi-certification-conformance-profile
13. Nat -
https://bitbucket.org/openid/fapi/issues/223/need-of-a-customer-unique-immutable
*Issues that should probably be closed:*
1. https://bitbucket.org/openid/fapi/issues/251/refresh-token-expiry-time
2. https://bitbucket.org/openid/fapi/issues/207/rs256-vs-ps256-again
Thank you
--
Dave Tonge
FAPI WG - Co Chair