[Openid-specs-fapi] FAPI2 security analysis, technical report

Nat Sakimura nat at nat.consulting
Tue Oct 10 16:34:42 UTC 2023


Thanks.

We are going to deal with these as main topics tomorrow.

Best,

Nat

On Mon, 9 Oct 2023 at 06:33, Marcus Almgren via Openid-specs-fapi <
openid-specs-fapi at lists.openid.net> wrote:

> Hi,
>
> Please find attached the technical report on the formal security analysis
> of FAPI2. In case you're not aware of the details, the report is written by
> researchers from the University of Stuttgart, and it's the result of
> modeling and analysis work performed since early spring this year.
>
> The stakeholders are meeting for a final milestone review on October 24th,
> and there is an expectation that the FAPI WG provides feedback and
> acceptance/approval of the report, so it would be appreciated if you could
> please review it.
>
> If you would like to, the researchers have agreed to do a brief
> presentation of the report in the upcoming Atlantic call on Wednesday
> October 11th. However, I realize that IIW is happening this week and I'm
> not sure if the call will proceed as planned or not. Please let me know at
> your earliest convenience if you would like to add this point to the agenda.
>
> Finally, during the course of this work, some related issues have been
> opened on Bitbucket. I will list them below for your convenience. The
> researchers say that "it appears that there are no blocking issues from our
> side", but please have a look and see what we can do to resolve the
> outstanding issues, if possible.
>
>    - [Resolved]
>    https://bitbucket.org/openid/fapi/issues/551/extra-security-considerations-for-clients
>    - [Resolved]
>    https://bitbucket.org/openid/fapi/issues/602/client-is-misleading-in-the-context-of
>    - [Invalid]
>    https://bitbucket.org/openid/fapi/issues/605/jarm-for-signed-authz-responses-seems-to
>    - [Open] https://bitbucket.org/openid/fapi/issues/596/non-repudiation
>       - The researchers have accepted the thread explanation and
>       performed the analysis accordingly. However, there is seemingly not yet any
>       PR for the proposed security considerations.
>    - [Open]
>    https://bitbucket.org/openid/fapi/issues/608/make-clear-that-requests-and-responses-to
>       - There's an open PR,
>       https://bitbucket.org/openid/fapi/pull-requests/433
>    - [Open]
>    https://bitbucket.org/openid/fapi/issues/609/ciba-make-clear-limitation-of-binding
>       - Nat already wrote that they want to add security considerations
>       on this, which should be fine from our point of view. However, there is no
>       PR yet.
>    - [New] https://bitbucket.org/openid/fapi/issues/621/fapi-ciba
>       - There's an open PR,
>       https://bitbucket.org/openid/fapi/pull-requests/417
>
> Thank you,
> Marcus Almgren
> OIDF Certification team
>
>
> ------------------------------
> *From:* Marcus Almgren <marcus.almgren at oidf.org>
> *Sent:* Monday, October 2, 2023 10:35
> *To:* dave.tonge at moneyhub.com <dave.tonge at moneyhub.com>; nat_fwd
> <nat at nat.consulting>; ralf.kuesters at sec.uni-stuttgart.de <
> ralf.kuesters at sec.uni-stuttgart.de>; pedram.hosseyni at sec.uni-stuttgart.de
> <pedram.hosseyni at sec.uni-stuttgart.de>; tim.wuertele at sec.uni-stuttgart.de
> <tim.wuertele at sec.uni-stuttgart.de>; rob.hanson at treasury.gov.au <
> rob.hanson at treasury.gov.au>; mark.verstege at consumerdatastandards.gov.au <
> mark.verstege at consumerdatastandards.gov.au>; Mark
> <mark at considrd.consulting>; mail at danielfett.de <mail at danielfett.de>;
> atul at sgnl.ai <atul at sgnl.ai>; Gail Hodges <gail at oidf.org>; Joseph Heenan <
> joseph.heenan at oidf.org>
> *Cc:* robert.t.hanson at gmail.com <robert.t.hanson at gmail.com>
> *Subject:* FAPI2 WP2b: Report
>
> Hi,
>
> Please find attached the FAPI2 formal security analysis technical report
> WP2. Thanks to Ralf, Tim & Pedram for sharing, and for their work.
>
> This means that we're entering the final stage of WP2, and according to my
> notes we've got a few things to take care of during October:
>
>    - It is expected that the FAPI WG provides feedback on the report.
>    Issues that have been discussed between the researchers and the WG should
>    be commented and concluded on, and open pull requests related to the topics
>    should be resolved.
>    - My notes also state that I should ensure that Mark Verstege has
>    received the report and provided feedback on it, with the option of getting
>    together with Tim & Pedram and the WG on an appropriate Pacific call to
>    discuss, if needed. The options for the Pacific call are Thursday 11 PM UTC
>    either this week or two weeks later. I will reach out directly to you,
>    Mark, to coordinate that.
>    - I will send out a meeting invitation for the report walkthrough and
>    milestone approval for October 24th shortly.
>
> Thank you,
> Marcus Almgren
> OIDF Certification team
>
>
> ------------------------------
> *From:* Marcus Almgren <marcus.almgren at oidf.org>
> *Sent:* Tuesday, September 12, 2023 07:20
> *To:* dave.tonge at moneyhub.com <dave.tonge at moneyhub.com>; nat_fwd
> <nat at nat.consulting>; ralf.kuesters at sec.uni-stuttgart.de <
> ralf.kuesters at sec.uni-stuttgart.de>; pedram.hosseyni at sec.uni-stuttgart.de
> <pedram.hosseyni at sec.uni-stuttgart.de>; tim.wuertele at sec.uni-stuttgart.de
> <tim.wuertele at sec.uni-stuttgart.de>; rob.hanson at treasury.gov.au <
> rob.hanson at treasury.gov.au>; mark.verstege at consumerdatastandards.gov.au <
> mark.verstege at consumerdatastandards.gov.au>; Mark
> <mark at considrd.consulting>; mail at danielfett.de <mail at danielfett.de>;
> atul at sgnl.ai <atul at sgnl.ai>; Gail Hodges <gail at oidf.org>; Joseph Heenan <
> joseph.heenan at oidf.org>
> *Cc:* robert.t.hanson at gmail.com <robert.t.hanson at gmail.com>
> *Subject:* Re: FAPI2 WP2b: Status call
>
> *Meeting notes*
> *FAPI2 WP2b, pre-milestone review meeting, 2023-09-12*
>
> Agenda:
> - Current status from Ustutt/Tim & Pedram.
> - Date for sharing of final report & date for milestone review meeting
> - Thoughts, feedback, questions from Australia (if any).
> - AOB
>
> Participants:
> Rob
> Tim
> Pedram
> Ralf
> Gail
> Marcus
>
> 1. Current status from Ustutt/Tim & Pedram.
>
> We changed some things in the model regarding message signing and HTTP
> signing. Currently working on the proofs, modifying previous and adapting
> new proofs. FAPI-CIBA concern (known issue) voiced and message passed to
> the WG. We're on track, provided that no new findings are made in the
> remaining analysis and verification.
>
> 2. Date for sharing of final report & date for milestone review meeting
>
> We will repeat the process from last milestone, meaning that we set a date
> for delivering the report (September 29th). Rob is on leave for a couple of
> weeks early October, so we should set the dates for the report review and
> walkthrough for late October.
>
> 3. Thoughts, feedback, questions from Australia (if any).
>
> None beyond what's been discussed in the other agenda points.
>
> 4. AOB
>
> (a) Get Mark Verstege (FirstID), Tim/Pedram together with FAPI WG Pacific
> call time regarding any open issues, PR, the report outcome. Schedule this
> for early October, after the report has been shared on September 29th.
>
> (b) After collecting feedback, possibly correcting or adjusting the
> report, we move to agreement on milestone approval. This will happen during
> October.
>
> Thank you,
> Marcus Almgren
> OIDF Certification team
>
>
> ------------------------------
> *From:* Marcus Almgren
> *Sent:* Saturday, September 2, 2023 16:32
> *To:* dave.tonge at moneyhub.com <dave.tonge at moneyhub.com>; nat_fwd
> <nat at nat.consulting>; ralf.kuesters at sec.uni-stuttgart.de <
> ralf.kuesters at sec.uni-stuttgart.de>; pedram.hosseyni at sec.uni-stuttgart.de
> <pedram.hosseyni at sec.uni-stuttgart.de>; tim.wuertele at sec.uni-stuttgart.de
> <tim.wuertele at sec.uni-stuttgart.de>; rob.hanson at treasury.gov.au <
> rob.hanson at treasury.gov.au>; mark.verstege at consumerdatastandards.gov.au <
> mark.verstege at consumerdatastandards.gov.au>; Mark
> <mark at considrd.consulting>; mail at danielfett.de <mail at danielfett.de>;
> atul at sgnl.ai <atul at sgnl.ai>; Gail Hodges <gail at oidf.org>; Joseph Heenan <
> joseph.heenan at oidf.org>
> *Cc:* robert.t.hanson at gmail.com <robert.t.hanson at gmail.com>
> *Subject:* FAPI2 WP2b: Status call
> *When:* Tuesday, September 12, 2023 7:00 AM-7:30 AM.
> *Where:* https://zoom.us/j/5304483764?pwd=Mlgxc1VEK2hWQll4Z0R5b3dHYWhHdz09
>
> Pre-milestone review meeting for the FAPI2 Workpackage 2 project.
>
> https://zoom.us/j/5304483764?pwd=Mlgxc1VEK2hWQll4Z0R5b3dHYWhHdz09
>
> Preliminary agenda:
>
>    1. Current status from Ustutt/Tim & Pedram.
>    2. Date for sharing of final report & date for milestone review meeting
>    3. Thoughts, feedback, questions from Australia (if any).
>    4. AOB
>
> Thank you,
> Marcus Almgren
> OIDF Certification team
>
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-specs-fapi
>