[Openid-specs-fapi] Issue #368: FAPI 1.0 Final Preview Feedback (openid/fapi)

Edmund Jay issues-reply at bitbucket.org
Mon Feb 1 23:06:45 UTC 2021


New issue 368: FAPI 1.0 Final Preview Feedback
https://bitbucket.org/openid/fapi/issues/368/fapi-10-final-preview-feedback

Edmund Jay:

Brian Campbell:

In baseline:  
"This document is Part 1 of FAPI Security Profile 1.0 that specifies the Financial-grade API and it provides a profile of OAuth that is suitable to be used in the access of read-only financial data and similar use cases. A higher level of security profile is provided in Part 2, suitable for read and write financial access APIs and other similar situations where the risk is higher. " is maybe okay because of the "and similar..." qualifications  
but  
"obtain OAuth tokens in a secure manner for read-only access to protected data"  
"use tokens to read protected data from REST endpoints."  
"Read-only access is generally viewed to pose a lower risk than the write access and as such, the characteristics required of the tokens are different and the methods to obtain tokens are explained separately."  
"Read-only access is a lower risk scenario compared to the write access; therefore the protection level can also be lower."  
"shall verify that the scope associated with the access token authorizes the reading of the resource it is representing"  
don't really make sense in the context of a document that isn't supposed to be about read-only  
also the grammar check in my email doesn't like "to the write"

In advanced:  
"provides a profile of OAuth that is suitable to be used for high risk access (read or write), for example, read access to highly sensitive data or write access to financial data (also known as payment initiation)." and "For example, read and write access to a bank API has a higher financial risk than read-only access." are maybe ok because they are given as examples rather than absolutes  
but  
"Read and write access carries higher risk; therefore the protection level required is higher than read-only access."  
looks like it just wasn't updated with the change from read and write to advanced

Responsible: Edmund Jay
