[Openid-specs-fapi] Final issues and PRs for FAPI2 Security Profile
Dave Tonge
dave.tonge at momentumft.co.uk
Tue Aug 27 11:06:30 UTC 2024
Dear FAPI Working Group
We are very close to resolving the final issues for the FAPI 2.0 Security
Analysis - thank you to everyone who has contributed.
If possible please can I get some reviews of the following PRs before
tomorrow's call:
*Security Consideration:*
https://bitbucket.org/openid/fapi/pull-requests/514/overview - This is an
attempt to address the recommendations from here:
https://www.cisa.gov/resources-tools/resources/CSRB-Review-Summer-2023-MEO-Intrusion.
I grouped the recommendations under a security consideration around key
compromise. However it would be good to get feedback from vendors on the
wording, especially the wording around stateful vs stateless credentials.
*Note for Conformance:*
https://bitbucket.org/openid/fapi/pull-requests/513/diff - This gives
guidance on when implementers should comply with new BCP195 iterations
*Editorial:*
https://bitbucket.org/openid/fapi/pull-requests/512 - Addling a link to the
FAPI 2 Security Analysis
Thank you
Dave
--
Moneyhub Enterprise is a trading style of Moneyhub Financial Technology
Limited which is authorised and regulated by the Financial Conduct
Authority ("FCA"). Moneyhub Financial Technology is entered on the
Financial Services Register (FRN 809360) at https://register.fca.org.uk/
<https://register.fca.org.uk/>. Moneyhub Financial Technology is registered
in England & Wales, company registration number 06909772. Registered
address: C/O Roxburgh Milkins Limited Merchants House North, Wapping Road,
Bristol, United Kingdom, BS1 4RW, United Kingdom. Moneyhub Financial
Technology Limited 2024 © Moneyhub Enterprise.
DISCLAIMER: This email
(including any attachments) is subject to copyright, and the information in
it is confidential. Use of this email or of any information in it other
than by the addressee is unauthorised and unlawful. Whilst reasonable
efforts are made to ensure that any attachments are virus-free, it is the
recipient's sole responsibility to scan all attachments for viruses. All
calls and emails to and from this company may be monitored and recorded for
legitimate purposes relating to this company's business. Any opinions
expressed in this email (or in any attachments) are those of the author and
do not necessarily represent the opinions of Moneyhub Financial Technology
Limited or of any other group company.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20240827/f3a90a71/attachment.html>
More information about the Openid-specs-fapi
mailing list