<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">FAPI/Open Banking Meeting 12-Jul-17<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Nat Sakimura - OIDF Chairman - FAPI WG Co-Chair - NRI<o:p></o:p></p>
<p class="MsoNormal">Torsten Lodderstedt - Yes<o:p></o:p></p>
<p class="MsoNormal">Gavin Wong - Open Banking - Working on R/W specifications<o:p></o:p></p>
<p class="MsoNormal">Tony Nadalin - FAPI WG Co-Chair - Microsoft<o:p></o:p></p>
<p class="MsoNormal">Tatsudo Kudo - NRI SecureTechnologies<o:p></o:p></p>
<p class="MsoNormal">Roland Hedberg - Independent Consultant<o:p></o:p></p>
<p class="MsoNormal">Mike Jones - OIDF Secretary - Microsoft<o:p></o:p></p>
<p class="MsoNormal">Mark Haine - Open Banking<o:p></o:p></p>
<p class="MsoNormal">Dave Tonge - Moneyhub Enterprise - Getting rid of screen scraping<o:p></o:p></p>
<p class="MsoNormal">Don Thibeau - OIDF Executive Director<o:p></o:p></p>
<p class="MsoNormal">Ralph Bragg - Open Banking<o:p></o:p></p>
<p class="MsoNormal">Joseph Heenan - Authlete<o:p></o:p></p>
<p class="MsoNormal">John Bradley - OIDF Treasurer - Yubico<o:p></o:p></p>
<p class="MsoNormal">Freddie Guyera - Open Banking<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">On the phone:<o:p></o:p></p>
<p class="MsoNormal">Bjorn Hjelm - MODRNA Working Group Chair - Verizon<o:p></o:p></p>
<p class="MsoNormal">Brian Campbell - Ping Identity<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Cooperation Update<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Ralph: Open Banking is working on setting up test suites for the FAPI specifications<o:p></o:p></p>
<p class="MsoNormal">Tony: Does this include any certification testing in this framework?<o:p></o:p></p>
<p class="MsoNormal">Ralph: No. We are working towards that in the future, including establishing appropriate contracts and IPR<o:p></o:p></p>
<p class="MsoNormal">Tony: Will you be requiring OpenID Certification?<o:p></o:p></p>
<p class="MsoNormal">Ralph: Unless the request object is supported, all tests will fail<o:p></o:p></p>
<p class="MsoNormal">Roland: Supporting the request object should be easy to do<o:p></o:p></p>
<p class="MsoNormal">Tony: To get the FAPI certification, you'll have to first get OpenID Connect certification<o:p></o:p></p>
<p class="MsoNormal">Ralph: There are three ASPs creating their own OPs<o:p></o:p></p>
<p class="MsoNormal">Mark: Mid-August and Mid-October are the key dates in the Open Banking plan<o:p></o:p></p>
<p class="MsoNormal">Ralph: Open Banking can't mandate certification, but the banks have asked for it<o:p></o:p></p>
<p class="MsoNormal"> The Competition and Markets Authority (CMA) can mandate conformance<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">IPR Discussions<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Ralph: The IPR has gone through legal review<o:p></o:p></p>
<p class="MsoNormal">Dave: There are data schema requirements across Europe for PSD2<o:p></o:p></p>
<p class="MsoNormal">Joseph: The OpenID Foundation is sorting out the OpenID IPR issues<o:p></o:p></p>
<p class="MsoNormal">Ralph: The standards used by Open Banking were the result of contributions by many parties<o:p></o:p></p>
<p class="MsoNormal"> There was no IPR agreement for these contributions<o:p></o:p></p>
<p class="MsoNormal"> Ralph would like a letter from FAPI about the IPR issues<o:p></o:p></p>
<p class="MsoNormal"> Getting a non-assert from all the contributors may be problematic<o:p></o:p></p>
<p class="MsoNormal">Don: The OIDF will draft a letter to the trustee and others regarding our vision of licensing and adoption<o:p></o:p></p>
<p class="MsoNormal">John: The IPR situation may be practically more comfortable for implementers in Europe than in other places<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Certification Tests<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Don: It is expected that the contract to develop certification tests will be direct with Hans Zandbelt and not with the OIDF<o:p></o:p></p>
<p class="MsoNormal"> The OpenID Connect test suite will be updated to be able to support use of the request object<o:p></o:p></p>
<p class="MsoNormal">Mike: We have updated the code in ways to enable adding new certification profiles<o:p></o:p></p>
<p class="MsoNormal">Roland: It would be a check box at configuration time to support use of the request object<o:p></o:p></p>
<p class="MsoNormal">John: There may be issues about where the request objects are hosted<o:p></o:p></p>
<p class="MsoNormal">Mike: The test suite already supports configuration time settings, such as whether encryption is supported<o:p></o:p></p>
<p class="MsoNormal">Ralph: We use request objects by value - not by reference<o:p></o:p></p>
<p class="MsoNormal">Mike: Any OpenID Certifications or use of the OpenID Certified mark must be under the auspices of the OpenID Foundation<o:p></o:p></p>
<p class="MsoNormal">Dave: Open Banking should be a profile of FAPI<o:p></o:p></p>
<p class="MsoNormal">Ralph: There may be exceptions. For instance, not all banks will support Hybrid from day one<o:p></o:p></p>
<p class="MsoNormal"> We may not be supporting public clients from day one<o:p></o:p></p>
<p class="MsoNormal">Nat: FAPI redirect_uris must be per-RP<o:p></o:p></p>
<p class="MsoNormal">Ralph: Open Banking is publishing information on registering clients<o:p></o:p></p>
<p class="MsoNormal">Dave: Do we want to enable configuring the same certification suite for both FAPI and Open Banking?<o:p></o:p></p>
<p class="MsoNormal">Mark: There will be an end-stage where we allow for Open Banking peculiarities<o:p></o:p></p>
<p class="MsoNormal">Mike: The OIDF believes that there should be one certification test code base<o:p></o:p></p>
<p class="MsoNormal"> It's fine for there to be additional tests not used for certifications, including those sponsored by Open Banking<o:p></o:p></p>
<p class="MsoNormal">Ralph: That's Open Banking's view too. That's what's in the MOU. We don't want to own or maintain the code long-term.<o:p></o:p></p>
<p class="MsoNormal">Ralph: One of the challenges will be establishing that the tests do what they need to do - testing the tests<o:p></o:p></p>
<p class="MsoNormal">Mark: The banks will want assurances that the test suite does what it needs to do before they pay<o:p></o:p></p>
<p class="MsoNormal">Tony: The current MOU doesn't provide for continuation. That needs to be provided for in advance.<o:p></o:p></p>
<p class="MsoNormal">Mark: Kim at Open Banking wants the conformance test suite in October.<o:p></o:p></p>
<p class="MsoNormal"> It sounds like there needs to be internal conversations on goals that drive timing of deliverables<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">FAPI Draft Status and Future Work Plan<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Nat: We are nearing the end of the 45-day review period for FAPI Part 2<o:p></o:p></p>
<p class="MsoNormal"> We have received a number of editorial comments<o:p></o:p></p>
<p class="MsoNormal"> Nat plans to apply those before the formal voting opens on Monday<o:p></o:p></p>
<p class="MsoNormal"> Brian Campbell also requested possible normative changes related to s_hash<o:p></o:p></p>
<p class="MsoNormal">Ralph: The IAM vendors are already implementing FAPI as it stands<o:p></o:p></p>
<p class="MsoNormal">John: The client can already integrity protect the state<o:p></o:p></p>
<p class="MsoNormal"> If you're implementing state properly, there's no requirement for s_hash<o:p></o:p></p>
<p class="MsoNormal">Mike: It's fine to obtain Implementer's Draft status as specified and then make an update and produce another Implementer's Draft<o:p></o:p></p>
<p class="MsoNormal">John: We should document what clients need to do to be secure nonetheless<o:p></o:p></p>
<p class="MsoNormal">Freddie: We have very little control over what clients are used<o:p></o:p></p>
<p class="MsoNormal">Mike: We can use negative tests to verify that clients correctly implement security features<o:p></o:p></p>
<p class="MsoNormal"> Surely you must be able to place technical requirements on clients<o:p></o:p></p>
<p class="MsoNormal">Ralph: Yes, PSD2 can motivate technical requirements<o:p></o:p></p>
<p class="MsoNormal">Freddie: Liability rests with the banks<o:p></o:p></p>
<p class="MsoNormal">John: The advantage of s_hash is that you can construct a negative test for it<o:p></o:p></p>
<p class="MsoNormal">Brian: My concern is that s_hash is not part of OpenID Connect and so will likely not exist in products<o:p></o:p></p>
<p class="MsoNormal"> We would likely add it at some point but maybe not on a timeline that meets the needs of our customers<o:p></o:p></p>
<p class="MsoNormal">Ralph: We fully expect that there will be elements of the FAPI specs that not all vendors will support on day one<o:p></o:p></p>
<p class="MsoNormal"> The compliance testing will help us flesh out what exceptions we may need to make in practice<o:p></o:p></p>
<p class="MsoNormal">Nat: As working group chairman, I'll conclude from our discussions that we don't need to touch the current draft in this regard<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Client Initiated Back-Channel Authentication (CIBA) Profile<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Dave: This came from the European movement towards APIs<o:p></o:p></p>
<p class="MsoNormal"> The work in MODRNA seems to support this interaction method<o:p></o:p></p>
<p class="MsoNormal"> FAPI could profile CIBA to bring it into line with the FAPI R/W spec<o:p></o:p></p>
<p class="MsoNormal"> Dave has created a FAPI profile of CIBA<o:p></o:p></p>
<p class="MsoNormal"> MODRNA supports polling and notification methods<o:p></o:p></p>
<p class="MsoNormal"> Dave focused on the notification method<o:p></o:p></p>
<p class="MsoNormal"> He is requesting feedback on the spec<o:p></o:p></p>
<p class="MsoNormal"> For instance, should a client be able to register for multiple methods?<o:p></o:p></p>
<p class="MsoNormal">John: There are privacy implications of CIBA - how to create a pairwise identifier without a redirect_uri<o:p></o:p></p>
<p class="MsoNormal"> MODRNA is still dealing with this problem<o:p></o:p></p>
<p class="MsoNormal"> The GSMA isn't supporting polling for this reason<o:p></o:p></p>
<p class="MsoNormal">Torsten: Couldn't you solve this with a software statement?<o:p></o:p></p>
<p class="MsoNormal">John: A federation operator might have to make statements on your behalf<o:p></o:p></p>
<p class="MsoNormal">John: If we can solve the sector identifier problem, there isn't a reason for clients not to be able to use multiple methods<o:p></o:p></p>
<p class="MsoNormal">Dave: The profile uses both FAPI Part 2 and CIBA<o:p></o:p></p>
<p class="MsoNormal">John: Axel is still working on this<o:p></o:p></p>
<p class="MsoNormal"> Any client authentication method should be able to be used<o:p></o:p></p>
<p class="MsoNormal">John: FAPI is using signed request objects<o:p></o:p></p>
<p class="MsoNormal">Dave: Described the use of TLS mutual authentication<o:p></o:p></p>
<p class="MsoNormal">John: Described the use of Proof-of-Possession request objects in the CIBA back channel<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Ralph: SCIM 2.0 is being used as the API to get information from the IdP<o:p></o:p></p>
<p class="MsoNormal"> We are using Software Statements<o:p></o:p></p>
<p class="MsoNormal">Tony: Did you extend the SCIM schema?<o:p></o:p></p>
<p class="MsoNormal">Ralph: We have created new fields and will register them in the IANA registry<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Liaison Status<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Nat: We have Class A liaison relationship with ISO TC 68<o:p></o:p></p>
<p class="MsoNormal"> This means that we could submit our work to ISO<o:p></o:p></p>
<p class="MsoNormal"> We haven't made any decisions about this yet<o:p></o:p></p>
<p class="MsoNormal">Mike: This would be an OpenID Board decision as well as a working group decision<o:p></o:p></p>
<p class="MsoNormal">Nat: We could obtain submitter status or the UK national body could submit if it's a UK standard<o:p></o:p></p>
<p class="MsoNormal">Mike: Wouldn't we want there to be final OpenID specifications before submission to ISO?<o:p></o:p></p>
<p class="MsoNormal">Nat: Yes<o:p></o:p></p>
<p class="MsoNormal">Nat: The ISO process is a multi-year process<o:p></o:p></p>
<p class="MsoNormal">Dave: ISO standards status will help with adoption, particularly in developing nations<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">FS-ISAC<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Dave: They are considering adopting the security profiles<o:p></o:p></p>
<p class="MsoNormal">Nat: There was a lot of interest by participants related to PSD2<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Fintech Association Japan<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Nat: They are interested in the Open Banking work<o:p></o:p></p>
<p class="MsoNormal"> They are exploring the possibility of having a joint workshop in Japan<o:p></o:p></p>
<p class="MsoNormal">Freddie: It's a conversation we should have with Chris Maple<o:p></o:p></p>
<p class="MsoNormal">Don: Kuppinger Cole wants to include FAPI content in their Singapore event in December<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">FAPI and MODRNA<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Tony: How will FAPI and MODRNA integrate?<o:p></o:p></p>
<p class="MsoNormal">John: One possibility is the project by Orange, HSBC, and Barclays<o:p></o:p></p>
<p class="MsoNormal"> FAPI hasn't addressed what is necessary for banks to be relying parties<o:p></o:p></p>
<p class="MsoNormal"> That's something that FAPI should address in the future<o:p></o:p></p>
<p class="MsoNormal"> At the moment MODRNA only uses symmetric keys<o:p></o:p></p>
<p class="MsoNormal"> There are impedance mismatches<o:p></o:p></p>
<p class="MsoNormal">Tony: There's a mismatch that we need to address so we can enter the mobile banking space<o:p></o:p></p>
<p class="MsoNormal">Don: This is part of why we're doing pilots<o:p></o:p></p>
<p class="MsoNormal">Dave: GSMA is promoting this as a second factor<o:p></o:p></p>
<p class="MsoNormal">Bjorn: CIBA is based on banking use cases<o:p></o:p></p>
<p class="MsoNormal"> Talk with Nat about having more collaboration between FAPI and MODRNA<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Events<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Ralph: Trust Framework and Security Profile for Open Banking should be issued in the next few months<o:p></o:p></p>
<p class="MsoNormal">Don: Kuppinger Cole<o:p></o:p></p>
<p class="MsoNormal">Nat: September 15th JICS identity meeting in Japan<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Large-Scale Federations<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike: Asked Roland to comment on joint work that maybe should happen on federation aspects<o:p></o:p></p>
<p class="MsoNormal">Roland: There is a large-scale <o:p></o:p></p>
<p class="MsoNormal">Roland: There is a design meeting September 15th in Copenhagen<o:p></o:p></p>
<p class="MsoNormal">Roland: It makes extensive use of metadata statements<o:p></o:p></p>
<p class="MsoNormal">Ralph: Has work been done with the UK Verify program?<o:p></o:p></p>
<p class="MsoNormal"> For instance, about claims used?<o:p></o:p></p>
<p class="MsoNormal"> We need to know the origin of the claims<o:p></o:p></p>
<p class="MsoNormal">Don: GDS is a member of the FAPI working group<o:p></o:p></p>
<p class="MsoNormal">Nat: Tom Jones is reading the OpenID Connect Federation specification<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">AOB<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Ralph: EBA has taken a preliminary position against the use of screen scraping<o:p></o:p></p>
<p class="MsoNormal">Dave: Screen scraping may be allowed as a fallback measure for a year<o:p></o:p></p>
</div>
</body>
</html>