[Openid-specs-fapi] Issue #790: FAPI1: [ISO/IEC 25791-1 Review Comments] Reference BCP195, not specific crypto algos (openid/fapi)
Hodari McClain
issues-reply at bitbucket.org
Wed Oct 22 05:47:19 UTC 2025
New issue 790: FAPI1: [ISO/IEC 25791-1 Review Comments] Reference BCP195, not specific crypto algos
https://bitbucket.org/openid/fapi/issues/790/fapi1-iso-iec-25791-1-review-comments
Hodari McClain:
* Member Body / National Committee: DE/02
* Subclause(s): 5.2.2[0], 6.2.1, 6.2.2
* Type: Editorial
* Comments: Germany disapproves ISO/DIS 25791-1 and -2 for the following reasons:
1. Security: The proposed cryptographic algorithms and related recommendations are based on the state of the art at the time when the FAPI standard was developed within the OpenID Foundation. However, algorithms continuously evolve, and since these algorithms are employed in much broader contexts (e.g., TLS),
2. Functional, Application-Level Detail Requirements: The draft imposes requirements on individual headers, including the definition of proprietary, FAPI-specific headers. This does not enhance security. Standard headers defined in relevant RFCs - and widely adopted by many Open Banking specifications - already exist.
* Proposed Change:
1. We believe it is more appropriate to reference established and regularly updated guidance - such as that provided by NIST - rather than defining proprietary algorithm libraries.
2. Introducing FAPI-specific headers yields no security benefit and should not be endorsed at the ISO level, as it only constrains implementation.
* WG Accept / Reject: Partially accepted.
For 1, OIDF is in the process of amending the text to refer to BCP 195 instead of an explicit list of cipher suites.
Thus, the text will look like:
Only the cipher suites recommended in BCP195 shall be permitted.
For the authorization_endpoint, the authorization server may allow additional cipher suites that are permitted by the latest version of BCP195, if necessary to allow sufficient interoperability with users’ web browsers or are required by local regulations. NOTE: Permitted cipher suites are those that BCP195 does not explicitly say MUST NOT use. [Hodari note: Does this replace sections of 5.2.2? Tagging as trivial until this question is resolved.]
For 2, those headers are not a security mechanism. They help to correlate the logs at the time of trouble. Such FAPI headers are used by over a dozen Open Banking ecosystems and are in demand. In fact, we have tried several times to remove them and have had a strong pushback from the ecosystems.
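The two-tier rule in the proposed BCP195 text above (recommended suites everywhere; anything not an explicit MUST NOT at the authorization endpoint), as an added Python illustration that is not OIDF text or code. The recommended list follows RFC 9325 section 4.2; the endpoint names and the simplified MUST NOT patterns are assumptions of this example.

```python
"""Cipher-suite policy check for the two-tier BCP 195 rule quoted above.

Added illustration, not OIDF or BCP 195 text. The MUST NOT patterns are a
simplified paraphrase of RFC 9325 (BCP 195) section 4.1 and are an assumption
of this example; confirm against the current BCP 195 text before relying on
them for conformance decisions.
"""
import re

# RFC 9325 section 4.2 recommended TLS 1.2 suites (IANA names).
RECOMMENDED = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
}
# TLS 1.3 suites are all AEAD with forward secrecy; treat them as recommended.
TLS13 = re.compile(r"^TLS_(AES_128_GCM_SHA256|AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$")

# Assumed patterns for suites BCP 195 says MUST NOT be negotiated:
# NULL encryption, RC4, export-grade / single-DES (<112 bits), anonymous key exchange.
MUST_NOT = re.compile(r"_NULL_|_RC4_|_EXPORT|_DES_CBC_|_DES40_|_anon_")


def classify(suite: str) -> str:
    """Return 'recommended', 'forbidden' or 'permitted' for an IANA suite name."""
    if suite in RECOMMENDED or TLS13.match(suite):
        return "recommended"
    if MUST_NOT.search(suite):
        return "forbidden"
    # Everything else (CBC suites, static RSA key transport, 3DES) is only
    # discouraged (SHOULD NOT), not an explicit MUST NOT, so it is "permitted".
    return "permitted"


def allowed(endpoint: str, suite: str) -> bool:
    """Apply the quoted rule: recommended suites only, except that the
    authorization endpoint may additionally use any suite that is not forbidden.
    Endpoint names are assumptions; FAPI uses 'authorization_endpoint' as above."""
    level = classify(suite)
    if endpoint == "authorization_endpoint":
        return level != "forbidden"
    return level == "recommended"
```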