[Openid-specs-fapi] FAPI2 security analysis, technical report

Marcus Almgren marcus.almgren at oidf.org
Mon Oct 9 13:33:15 UTC 2023


Hi,

Please find attached the technical report on the formal security analysis of FAPI2. In case you're not aware of the details, the report is written by researchers from the University of Stuttgart, and it's the result of modeling and analysis work performed since early spring this year.

The stakeholders are meeting for a final milestone review on October 24th, and there is an expectation that the FAPI WG provides feedback and acceptance/approval of the report, so it would be appreciated if you could please review it.

If you would like to, the researchers have agreed to do a brief presentation of the report in the upcoming Atlantic call on Wednesday October 11th. However, I realize that IIW is happening this week and I'm not sure if the call will proceed as planned or not. Please let me know at your earliest convenience if you would like to add this point to the agenda.

Finally, during the course of this work, some related issues have been opened on Bitbucket. I will list them below for your convenience. The researchers say that "it appears that there are no blocking issues from our side", but please have a look and see what we can do to resolve the outstanding issues, if possible.

  *   [Resolved] https://bitbucket.org/openid/fapi/issues/551/extra-security-considerations-for-clients
  *   [Resolved] https://bitbucket.org/openid/fapi/issues/602/client-is-misleading-in-the-context-of
  *   [Invalid] https://bitbucket.org/openid/fapi/issues/605/jarm-for-signed-authz-responses-seems-to
  *   [Open] https://bitbucket.org/openid/fapi/issues/596/non-repudiation
     *   The researchers have accepted the thread explanation and performed the analysis accordingly. However, there is seemingly not yet any PR for the proposed security considerations.
  *   [Open] https://bitbucket.org/openid/fapi/issues/608/make-clear-that-requests-and-responses-to
     *   There's an open PR, https://bitbucket.org/openid/fapi/pull-requests/433
  *   [Open] https://bitbucket.org/openid/fapi/issues/609/ciba-make-clear-limitation-of-binding
     *   Nat already wrote that they want to add security considerations on this, which should be fine from our point of view. However, there is no PR yet.
  *   [New] https://bitbucket.org/openid/fapi/issues/621/fapi-ciba
     *   There's an open PR, https://bitbucket.org/openid/fapi/pull-requests/417

Thank you,
Marcus Almgren
OIDF Certification team


________________________________
From: Marcus Almgren <marcus.almgren at oidf.org>
Sent: Monday, October 2, 2023 10:35
To: dave.tonge at moneyhub.com <dave.tonge at moneyhub.com>; nat_fwd <nat at nat.consulting>; ralf.kuesters at sec.uni-stuttgart.de <ralf.kuesters at sec.uni-stuttgart.de>; pedram.hosseyni at sec.uni-stuttgart.de <pedram.hosseyni at sec.uni-stuttgart.de>; tim.wuertele at sec.uni-stuttgart.de <tim.wuertele at sec.uni-stuttgart.de>; rob.hanson at treasury.gov.au <rob.hanson at treasury.gov.au>; mark.verstege at consumerdatastandards.gov.au <mark.verstege at consumerdatastandards.gov.au>; Mark <mark at considrd.consulting>; mail at danielfett.de <mail at danielfett.de>; atul at sgnl.ai <atul at sgnl.ai>; Gail Hodges <gail at oidf.org>; Joseph Heenan <joseph.heenan at oidf.org>
Cc: robert.t.hanson at gmail.com <robert.t.hanson at gmail.com>
Subject: FAPI2 WP2b: Report

Hi,

Please find attached the FAPI2 formal security analysis technical report WP2. Thanks to Ralf, Tim & Pedram for sharing, and for their work.

This means that we're entering the final stage of WP2, and according to my notes we've got a few things to take care of during October:


  *   It is expected that the FAPI WG provides feedback on the report. Issues that have been discussed between the researchers and the WG should be commented and concluded on, and open pull requests related to the topics should be resolved.
  *   My notes also state that I should ensure that Mark Verstege has received the report and provided feedback on it, with the option of getting together with Tim & Pedram and the WG on an appropriate Pacific call to discuss, if needed. The options for the Pacific call are Thursday 11 PM UTC either this week or two weeks later. I will reach out directly to you, Mark, to coordinate that.
  *   I will send out a meeting invitation for the report walkthrough and milestone approval for October 24th shortly.

Thank you,
Marcus Almgren
OIDF Certification team


________________________________
From: Marcus Almgren <marcus.almgren at oidf.org>
Sent: Tuesday, September 12, 2023 07:20
To: dave.tonge at moneyhub.com <dave.tonge at moneyhub.com>; nat_fwd <nat at nat.consulting>; ralf.kuesters at sec.uni-stuttgart.de <ralf.kuesters at sec.uni-stuttgart.de>; pedram.hosseyni at sec.uni-stuttgart.de <pedram.hosseyni at sec.uni-stuttgart.de>; tim.wuertele at sec.uni-stuttgart.de <tim.wuertele at sec.uni-stuttgart.de>; rob.hanson at treasury.gov.au <rob.hanson at treasury.gov.au>; mark.verstege at consumerdatastandards.gov.au <mark.verstege at consumerdatastandards.gov.au>; Mark <mark at considrd.consulting>; mail at danielfett.de <mail at danielfett.de>; atul at sgnl.ai <atul at sgnl.ai>; Gail Hodges <gail at oidf.org>; Joseph Heenan <joseph.heenan at oidf.org>
Cc: robert.t.hanson at gmail.com <robert.t.hanson at gmail.com>
Subject: Re: FAPI2 WP2b: Status call

Meeting notes
FAPI2 WP2b, pre-milestone review meeting, 2023-09-12

Agenda:
- Current status from Ustutt/Tim & Pedram.
- Date for sharing of final report & date for milestone review meeting
- Thoughts, feedback, questions from Australia (if any).
- AOB

Participants:
Rob
Tim
Pedram
Ralf
Gail
Marcus

1. Current status from Ustutt/Tim & Pedram.

We changed some things in the model regarding message signing and HTTP signing. Currently working on the proofs, modifying previous and adapting new proofs. FAPI-CIBA concern (known issue) voiced and message passed to the WG. We're on track, provided that no new findings are made in the remaining analysis and verification.

2. Date for sharing of final report & date for milestone review meeting

We will repeat the process from last milestone, meaning that we set a date for delivering the report (September 29th). Rob is on leave for a couple of weeks early October, so we should set the dates for the report review and walkthrough for late October.

3. Thoughts, feedback, questions from Australia (if any).

None beyond what's been discussed in the other agenda points.

4. AOB

(a) Get Mark Verstege (FirstID), Tim/Pedram together with FAPI WG Pacific call time regarding any open issues, PR, the report outcome. Schedule this for early October, after the report has been shared on September 29th.

(b) After collecting feedback, possibly correcting or adjusting the report, we move to agreement on milestone approval. This will happen during October.

Thank you,
Marcus Almgren
OIDF Certification team


________________________________
From: Marcus Almgren
Sent: Saturday, September 2, 2023 16:32
To: dave.tonge at moneyhub.com <dave.tonge at moneyhub.com>; nat_fwd <nat at nat.consulting>; ralf.kuesters at sec.uni-stuttgart.de <ralf.kuesters at sec.uni-stuttgart.de>; pedram.hosseyni at sec.uni-stuttgart.de <pedram.hosseyni at sec.uni-stuttgart.de>; tim.wuertele at sec.uni-stuttgart.de <tim.wuertele at sec.uni-stuttgart.de>; rob.hanson at treasury.gov.au <rob.hanson at treasury.gov.au>; mark.verstege at consumerdatastandards.gov.au <mark.verstege at consumerdatastandards.gov.au>; Mark <mark at considrd.consulting>; mail at danielfett.de <mail at danielfett.de>; atul at sgnl.ai <atul at sgnl.ai>; Gail Hodges <gail at oidf.org>; Joseph Heenan <joseph.heenan at oidf.org>
Cc: robert.t.hanson at gmail.com <robert.t.hanson at gmail.com>
Subject: FAPI2 WP2b: Status call
When: Tuesday, September 12, 2023 7:00 AM-7:30 AM.
Where: https://zoom.us/j/5304483764?pwd=Mlgxc1VEK2hWQll4Z0R5b3dHYWhHdz09

Pre-milestone review meeting for the FAPI2 Workpackage 2 project.

https://zoom.us/j/5304483764?pwd=Mlgxc1VEK2hWQll4Z0R5b3dHYWhHdz09

Preliminary agenda:

  1.  Current status from Ustutt/Tim & Pedram.
  2.  Date for sharing of final report & date for milestone review meeting
  3.  Thoughts, feedback, questions from Australia (if any).
  4.  AOB

Thank you,
Marcus Almgren
OIDF Certification team

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sep23-tr-WP2b.pdf
Type: application/pdf
Size: 1312112 bytes
Desc: sep23-tr-WP2b.pdf
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20231009/88f6be44/attachment-0001.pdf>