[Openid-specs-fapi] Tailored OAuth and OIDC Profiles

Don Thibeau don at oidf.org
Mon Mar 16 14:57:53 UTC 2020


Hello Financial-Grade API Work Group Members

As Ralph Bragg notes below: "For the sake of global interoperability, we've been pushing alignment with all of the major market initiatives." Given many market initiatives, global interoperability is a particularly timely and important goal of both the Financial-Grade API and eKYC and Identity Assurance WGs. To that end, the OpenID Foundation has begun working closely with colleagues to replicate the success of recent in-person workshops in Tokyo and London with online equivalents.

In my recent blog, Flatten the Curve: OpenID Foundation Virtual Workshops to Continue Momentum and Progress <https://openid.net/2020/03/13/flatten-the-curve-openid-foundation-virtual-workshops-to-continue-momentum-and-progress/>, I outlined how the OpenID Foundation is reaching out to liaison partners, members and the community at large to join us in maintaining the momentum advancing the development of these important standards. In addition to joining workgroups, we're encouraging our partners and members to co-sponsor online workshops, contribute to our FAPI Mini Site <https://fapi.openid.net/>, and collaborate in new and creative ways.

We are planning an online workshop soon with our liaison partner, the UK Open Banking Implementation Entity. This is timely given the cancellation of key conferences and the fact that many UK banks and TPPs will be recovering from a recent UK Financial Conduct Authority (FCA) deadline. Feel free to share your comments, suggestions, etc.

Don Thibeau : Executive Director, OpenID Foundation
Email: don at oidf.org
Voice: +1 202.841.8222
https://openid.net/foundation


On Mar 15, 2020, at 1:12 PM, Ralph Bragg via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:

Hi Michael,

No worries, if you could provide the delta or a comparison for discussion it would be greatly appreciated and massively speed up the effort. I’d be particularly interested in any recommendations based on poor vendor support or other justifications that would prevent adoption of a strict reading of FAPI RW.

In the UK, the Banks were given 12 months' grace to utilise the "Open Banking security profile", which was a balance somewhere between FAPI R and FAPI RW in terms of security, implementation complexity and features necessary to be adopted to make the initial ecosystem function. There wasn't sufficient vendor support to enforce FAPI RW directly out of the gate onto providers; the Banks were requested to lean heavily on their suppliers to uplift capabilities to FAPI RW, which they did.

FAPI RW is now the only standard that the UK's OBIE supports. For the sake of global interoperability, we've been pushing alignment to these profiles pretty hard with all of the major market initiatives, so I'd be really interested to know your thoughts if elements of the profile still suffer from implementation difficulties with your user groups.

Kind Regards,
Ralph

From: "Peck, Michael A" <mpeck at mitre.org>
Date: Sunday, 15 March 2020 at 17:02
To: Ralph Bragg <ralph.bragg at raidiam.com>, Financial API Working Group List <openid-specs-fapi at lists.openid.net>, "openid-specs-ab at lists.openid.net" <openid-specs-ab at lists.openid.net>
Cc: OAuthOIDCProfiles <OAuthOIDCProfiles at groups.mitre.org>
Subject: Re: [Openid-specs-fapi] Tailored OAuth and OIDC Profiles

Hi Ralph,

No specific ask on our part from sharing our enterprise profiles; we are sharing them as informational for anyone who may be interested.
We do welcome and appreciate the feedback.
We’re comparing our enterprise profiles with the FAPI and draft FAPI v2 profiles now and will send comments/questions to the FAPI mailing list.
We are interested in aligning our profiles (using one of the FAPI profiles as a baseline for ours) as that could greatly simplify what we need to specify, and as you say allow us to leverage FAPI’s adoption. From my reading so far, the current draft FAPI 2.0 Baseline Profile has strong requirements that I’m glad to see and hope will push implementations in the right direction if they’re not there yet.

Our intention is to state mandatory requirements that we believe can be deployed today or in the near future, and state recommended/optional requirements to try to influence the future direction of implementations. PAR and RAR don’t seem to be widely implemented yet, but please correct me if I’m wrong. We could at least specify them as optional to show our interest.

Thanks,
Mike


From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on behalf of Ralph Bragg via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>
Reply-To: Financial API Working Group List <openid-specs-fapi at lists.openid.net>
Date: Tuesday, March 3, 2020 at 1:18 PM
To: Financial API Working Group List <openid-specs-fapi at lists.openid.net>, "openid-specs-ab at lists.openid.net" <openid-specs-ab at lists.openid.net>
Cc: Ralph Bragg <ralph.bragg at raidiam.com>, NSA ICAM Investigation <NSAICAM at groups.mitre.org>
Subject: [EXT] Re: [Openid-specs-fapi] Tailored OAuth and OIDC Profiles

As a quick follow-up: PAR and RAR address a lot of the requirements specified in this profile. It would be a shame not to take advantage of the latest work from the group if you're looking to promote this for widespread adoption amongst government in the US.

Any comparisons against FAPI, and particularly the latest drafts for FAPI v2 which are on GitHub, would be very useful, as from a cursory read I'm struggling to identify where and why I'd use this profile over the gold standard, especially as FAPI certifications and support are now very common amongst most vendor sets and come with a certification program, a testing harness, and a documented and academically reviewed threat model and analysis.

Any help would be appreciated.

From: Ralph Bragg <ralph.bragg at raidiam.com>
Sent: Tuesday, March 3, 2020 6:13:32 PM
To: Financial API Working Group List <openid-specs-fapi at lists.openid.net>; openid-specs-ab at lists.openid.net <openid-specs-ab at lists.openid.net>
Cc: Russell, Mark L <mrussell at mitre.org>; NSA ICAM Investigation <NSAICAM at groups.mitre.org>
Subject: Re: Tailored OAuth and OIDC Profiles

Hi,

Can I ask what the ask is here? Across Europe, Australia, New Zealand and other jurisdictions FAPI RW is rapidly becoming the standard regardless of sector, and already we are looking at a new version of the FAPI Advanced profile that has several improvements on what is outlined in this profile.

Has any comparison been performed between the current high-security FAPI profile vs. the profile that's proposed here?

Could you confirm what the ask is from the working group, or what improvements this profile proposes on top of FAPI or issues it addresses?

Kind Regards,
Ralph

From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on behalf of Russell, Mark L via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>
Sent: Tuesday, March 3, 2020 5:20:42 PM
To: openid-specs-fapi at lists.openid.net <openid-specs-fapi at lists.openid.net>; openid-specs-ab at lists.openid.net <openid-specs-ab at lists.openid.net>
Cc: Russell, Mark L <mrussell at mitre.org>; NSA ICAM Investigation <NSAICAM at groups.mitre.org>
Subject: [Openid-specs-fapi] Tailored OAuth and OIDC Profiles

Hello all,

For anyone who may be interested: MITRE, in support of the U.S. Government, has developed tailored OAuth and OpenID Connect profiles for use in enterprise environments. We have leveraged previous standards efforts (e.g. work in the IETF and in the OpenID Foundation) and have detailed requirements to use the standards in a secure and interoperable manner to address enterprise environment use cases.

These profiles should be considered informational as we seek feedback from subject matter experts. We’re interested in working with standards bodies and others to move these concepts forward. We welcome any comments and suggestions at OAuthOIDCProfiles at groups.mitre.org .

The profiles can be found at: https://www.mitre.org/publications/technical-papers/enterprise-mission-tailored-oauth-20-and-openid-connect-profiles

[This message was previously sent to the OAuth IETF mailing list – apologies to anyone who receives it multiple times]

Mark Russell
Cyber Physical and Mobile Tech – T8A5
The MITRE Corporation
(o) 703-983-7941  (m) 202-492-5567
mrussell at mitre.org

