[Openid-specs-fapi] Tailored OAuth and OIDC Profiles

Ralph Bragg ralph.bragg at raidiam.com
Tue Mar 3 18:18:22 UTC 2020


As a quick follow-up: PAR and RAR address a lot of the requirements specified in this profile. It would be a shame not to take advantage of the latest work from the group if you're looking to promote this for widespread adoption amongst government in the US.

Any comparisons against FAPI, and particularly the latest drafts for FAPI v2 which are on GitHub, would be very useful. On a cursory read I'm struggling to identify where and why I'd use this profile over the gold standard, especially as FAPI certifications and support are now very common amongst most vendor sets and come with a certification program, a testing harness, and a documented and academically reviewed threat model and analysis.

Any help would be appreciated.

________________________________
From: Ralph Bragg <ralph.bragg at raidiam.com>
Sent: Tuesday, March 3, 2020 6:13:32 PM
To: Financial API Working Group List <openid-specs-fapi at lists.openid.net>; openid-specs-ab at lists.openid.net <openid-specs-ab at lists.openid.net>
Cc: Russell, Mark L <mrussell at mitre.org>; NSA ICAM Investigation <NSAICAM at groups.mitre.org>
Subject: Re: Tailored OAuth and OIDC Profiles

Hi,

Can I ask what the ask is here? Across Europe, Australia, New Zealand and other jurisdictions, FAPI RW is rapidly becoming the standard regardless of sector, and already we are looking at a new version of the FAPI Advanced profile that has several improvements on what is outlined in this profile.

Has any comparison been performed between the current high-security FAPI profile vs. this profile that's proposed here?

Could you confirm what the ask is from the working group, or what improvements this profile proposes on top of FAPI or issues it addresses.

Kind Regards,
Ralph

________________________________
From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on behalf of Russell, Mark L via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>
Sent: Tuesday, March 3, 2020 5:20:42 PM
To: openid-specs-fapi at lists.openid.net <openid-specs-fapi at lists.openid.net>; openid-specs-ab at lists.openid.net <openid-specs-ab at lists.openid.net>
Cc: Russell, Mark L <mrussell at mitre.org>; NSA ICAM Investigation <NSAICAM at groups.mitre.org>
Subject: [Openid-specs-fapi] Tailored OAuth and OIDC Profiles

Hello all,

For anyone who may be interested: MITRE, in support of the U.S. Government, has developed tailored OAuth and OpenID Connect profiles for use in enterprise environments. We have leveraged previous standards efforts (e.g. work in the IETF and in the OpenID Foundation) and have detailed requirements to use the standards in a secure and interoperable manner to address enterprise environment use cases.

These profiles should be considered informational as we seek feedback from subject matter experts. We're interested in working with standards bodies and others to move these concepts forward. We welcome any comments and suggestions at OAuthOIDCProfiles at groups.mitre.org.

The profiles can be found at: https://www.mitre.org/publications/technical-papers/enterprise-mission-tailored-oauth-20-and-openid-connect-profiles

[This message was previously sent to the OAuth IETF mailing list – apologies to anyone who receives it multiple times]

Mark Russell
Cyber Physical and Mobile Tech – T8A5
The MITRE Corporation
(o) 703-983-7941  (m) 202-492-5567
mrussell at mitre.org

