[Openid-specs-fapi] My updates for FAPI call
Gail Hodges
gail at oidf.org
Tue Feb 28 18:50:00 UTC 2023
Nat, Dave, Anoop and FAPI WG
Below are my updates for the FAPI WG call this week. Note the first three items requiring FAPI WG feedback.
Gail
1. FAPI clarifications (3/3 deadline)
* “Ask”: triggered by conversation with Open Banking Canada, but an update structured to be for any managing entity.
i. Request for clarifications on FAPI status. Covers spec development, estimated timing to move FAPI 2.0 to final, test development status, security analysis milestones.
ii. Support milestones (generic steps and timing for markets moving to launch with OIDF support; this is intentionally skewed towards the faster timelines as the “best case scenario”, like a Brazil Insurance or Saudi Monetary Authority time to market).
* Commenters
i. Invited: WG co-chairs (Nat, Dave, Anoop), Joseph, Ralph, Chris, Dima, Mike L have access.
ii. All others: Let me know via email or google doc access request if anyone else can comment before Friday.
* https://docs.google.com/document/d/1tO9Ur21VBWv3hlaRXeSRg8dziOh4oIRfkJPVtA0pgF8/edit
2. FAPI recommendation on FAPI 1.0 vs FAPI 1.0+PAR vs FAPI 2.0 (target 3/17)
* Seven months have passed since the FAPI WG recommendation in July 2022 comparing the FAPI standards and WG recommendations: https://openid.net/wordpress-content/uploads/2022/08/OIDF_FAPI-Profiles-Comparisons_2022-07-27.pdf.
* Does the Working group believe updated advice is merited now, e.g. stronger encouragement for markets moving to launch in 2H 2023 to start with FAPI 2.0? And our views on migration of FAPI 1.0 markets to FAPI 2.0?
* If YES
i. Any changes recommended to be published in the next 2-3 weeks to be timely.
ii. Who from WG will update this briefing with the new information and WG recommendations?
3. NIST 8389 New Questions on “Cybersecurity Considerations for Open Banking Technology & Emerging Standards” – Due 3/31
* NIST asked entities that commented on 8389 to provide comments on a new set of questions for a clarification section, questions that are very relevant for FAPI WG to comment on…
* Mark Haine has been confirmed by the Board as Distinguished Engineer to assist on several deliverables, including requests for comment. Mark will take a first stab at these questions and confirm alignment with CFPB comments already made. They will then be shared with the FAPI WG for feedback via Google Docs. Mark can also coordinate a subgroup to confirm messages if desired by the WG.
4. NIST 800-63-4 feedback
* Mark Haine will also be coordinating feedback across WGs on 800-63-4
* Feedback requested from OIDF members by 3/10
* Those from the FAPI WG who are able to help synthesize and draft feedback for the cover letter and line item changes to 800-63-4 are welcome to a series of 4 huddle sessions that will be held between 3/10 and 3/23, before the 3/24 deadline.
* NIST’s NCCoE invited Gail to be on an “Innovating Identity Proofing Panel” on 3/9, 1:30-3pm ET, with a structured agenda. Registration link here: https://www.nccoe.nist.gov/get-involved/attend-events/innovating-identity-proofing
5. Other Market updates
* Australia
i. Pending confirmation of contract signing for Work Package 2 by Treasury and University of Stuttgart so we can kick off that workstream.
ii. Pending feedback from ACCC on the certification workstream, and potential collaboration after our initial brief earlier in Feb.
* Canada
i. Small group checkpoint held at their request 2/27
ii. No decisions on spec selection yet, but it sounds like they are getting close to making decisions. They are also moving at pace towards a rapid market launch.
iii. Timely support of questions like those above in (1) is important to support their due process.
iv. They confirmed they had read all of our whitepapers (drafts and finals) and found them to be very valuable documents. This is a great tribute to the lead editors and contributors—your work is appreciated and seems to be resonating!
* US
i. CFPB “informal” brief and 2-way conversation with FAPI WG representatives confirmed for 3/7 (Gail to be there in person)
From: "Laplante, Phillip A. (Fed)" <phillip.laplante at nist.gov>
Date: Monday, February 27, 2023 at 11:46 AM
Cc: "Voas, Jeff (Fed)" <jeff.voas at nist.gov>
Subject: Draft NISTIR 8389 Open Banking Revision
Dear Respondents to the first DRAFT of NIST 8389:
Last year you and others commented on (or expressed interest in) the National Institute of Standards and Technology (NIST) report “NISTIR 8389 (Draft) Cybersecurity Considerations for Open Banking Technology and Emerging Standards” (https://csrc.nist.gov/publications/detail/nistir/8389/draft).
NIST is in the process of revising that document. From some of the responses, it is clear to us that the initial document did not clearly state the document’s intent.
It is important to note NIST does not involve itself in policy or regulatory issues. NIST offers technical guidance and recommendations, which are made public through its documents. NIST 8389 was intended to only offer information about cybersecurity and privacy concerns for OB.
Based on the comments received, we are adding a new section to the updated DRAFT NIST 8389. This section will contain responses to the questions below. We feel that feedback from the initial respondents to these questions is necessary to create the next draft of NISTIR 8389.
The process will proceed as follows. You (or your designee) are invited to respond (via email) to the set of questions below. You may choose to respond to all or some of the questions or not to respond at all. We invite your participation (or a designee) to respond in writing to these questions. The findings and recommendations will be used to rework the existing version of 8389. Please note that due to the limits on the scope of our NIST roles, the focus of the panel will be on Cybersecurity and Privacy Considerations only and not on legislation, banking laws, policy, or other non-technical areas, even though we recognize that these may be intertwined.
Please indicate if you or your designee would be interested in participating. You will have 30 days (due date is March 31) to respond. Your responses will be compiled with those of the other participants, which may be included in the next draft of the document. You may also choose to keep your name or that of your organization anonymous.
Basic Questions
1. In terms of cybersecurity and infrastructure, what will it take to get to open banking (OB) in the US, i.e., what is the path?
2. What are the technical obstacles and technical problems that need to be solved?
3. Are there necessary and sufficient standards to enable practical implementation of OB?
4. Are there necessary and sufficient security protocols to protect public interest?
5. What is a realistic timeframe for OB to be rolled out to the public?
6. Why would consumers trust OB when consumers mistrust Internet transactions?
7. Is it reasonable for consumers to need to understand APIs to participate in OB?
8. What are the most likely cyberattacks on consumers that OB enables?
9. What, if any, privacy concerns should consumers consider before trusting OB?
10. Non-US countries seem to be ahead of the US in rolling out OB. Why?
Thank you again for your interest in and contributions to this work.
Jeff Voas, PhD
Computer Scientist
Secure Systems and Applications Group
Computer Security Division
Information Technology Lab
NIST
Phillip A. Laplante, CSDP, PE, PhD
Computer Scientist
Secure Systems and Applications Group
Computer Security Division
Information Technology Lab
NIST