[Openid-specs-fapi] FAPI Security Profile 1.0 Parts 1 & 2 Final Preview

Brian Campbell bcampbell at pingidentity.com
Fri Jan 29 21:39:00 UTC 2021


There are still a few remnant uses of "read-only" and "read and write" and
similar that don't seem to align with the later breaking change to classify
the documents as baseline and advanced. I suspect this could be rather
jarring to a reader that isn't familiar with the history of the naming.

In baseline:
"This document is Part 1 of FAPI Security Profile 1.0 that specifies the
Financial-grade API and it provides a profile of OAuth that is suitable to
be used in the access of read-only financial data and similar use cases. A
higher level of security profile is provided in Part 2, suitable for read
and write financial access APIs and other similar situations where the risk
is higher. " is maybe okay because of the "and similar..." qualifications
but
"obtain OAuth tokens in a secure manner for read-only access to protected
data"
"use tokens to read protected data from REST endpoints."
"Read-only access is generally viewed to pose a lower risk than the write
access and as such, the characteristics required of the tokens are
different and the methods to obtain tokens are explained separately."
"Read-only access is a lower risk scenario compared to the write access;
therefore the protection level can also be lower."
"shall verify that the scope associated with the access token authorizes
the reading of the resource it is representing"
don't really make sense in the context of a document that isn't supposed to
be about read-only. Also, the grammar check in my email doesn't like "to the
write".

In advanced:
"provides a profile of OAuth that is suitable to be used for high risk
access (read or write), for example, read access to highly sensitive data
or write access to financial data (also known as payment initiation)." and
"For example, read and write access to a bank API has a higher financial
risk than read-only access." are maybe ok because they are given as
examples rather than absolutes
but
"Read and write access carries higher risk; therefore the protection level
required is higher than read-only access."
looks like it just wasn't updated with the change from read and write to
advanced.
On Wed, Jan 27, 2021 at 4:22 AM Edmund Jay via Openid-specs-fapi <
openid-specs-fapi at lists.openid.net> wrote:

> Dear WG members,
>
> Attached are the Final preview version of the rendered HTML of the FAPI
> Security Profile 1.0 Parts 1 and 2.
>
> Your comments and feedback are much appreciated.
>
> Thank you.
>
> -- Edmund
>
