<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div dir="ltr">Hi Daniel,</div><div dir="ltr"><br><blockquote type="cite">Am 05.06.2020 um 10:20 schrieb Daniel Fett via Openid-specs-fapi <openid-specs-fapi@lists.openid.net>:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<p>Hi all,</p>
<p>I prepared a first (rough) draft of the FAPI 2 Advanced profile
and would welcome your feedback: <a href="https://bitbucket.org/openid/fapi/src/c28fc020e7ab9377d96501f2b4daa9a9da8f2128/FAPI_2_0_Advanced_Profile.md?at=danielfett%2Ffapi2%2Fadvanced">https://bitbucket.org/openid/fapi/src/c28fc020e7ab9377d96501f2b4daa9a9da8f2128/FAPI_2_0_Advanced_Profile.md?at=danielfett%2Ffapi2%2Fadvanced</a></p></div></blockquote><div>thanks for preparing the draft!</div><div><br></div><div>Here are my comments:</div><div>- <span style="caret-color: rgb(23, 43, 77); color: rgb(23, 43, 77); font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu, "Fira Sans", "Droid Sans", "Helvetica Neue", sans-serif; font-size: 14px; -webkit-text-size-adjust: auto; background-color: rgb(255, 255, 255);">[@I-D.lodderstedt-oauth-par] should refer to the WG draft</span></div><div><span style="caret-color: rgb(23, 43, 77); color: rgb(23, 43, 77); font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu, "Fira Sans", "Droid Sans", "Helvetica Neue", sans-serif; font-size: 14px; -webkit-text-size-adjust: auto; background-color: rgb(255, 255, 255);">- „</span><span style="caret-color: rgb(23, 43, 77); color: rgb(23, 43, 77); font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu, "Fira Sans", "Droid Sans", "Helvetica Neue", sans-serif; font-size: 14px; -webkit-text-size-adjust: auto; background-color: rgb(255, 255, 255);"> shall support at least one of the following methods to sign the authorization response:“</span></div><div><font color="#172b4d" face="-apple-system, BlinkMacSystemFont, Segoe UI, Roboto, Oxygen, Ubuntu, Fira Sans, Droid Sans, Helvetica Neue, sans-serif"><span style="caret-color: rgb(23, 43, 77); font-size: 14px; -webkit-text-size-adjust: auto; background-color: rgb(255, 255, 255);">I think the AS must support at least one mode for interoperability reasons. I think this should be JARM and ID token may be supported (for the purpose of this profile) for backward compatibility reasons.</span></font></div><div><font color="#172b4d" face="-apple-system, BlinkMacSystemFont, Segoe UI, Roboto, Oxygen, Ubuntu, Fira Sans, Droid Sans, Helvetica Neue, sans-serif"><span style="caret-color: rgb(23, 43, 77); font-size: 14px; -webkit-text-size-adjust: auto; background-color: rgb(255, 255, 255);">„</span></font><span style="caret-color: rgb(23, 43, 77); color: rgb(23, 43, 77); font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu, "Fira Sans", "Droid Sans", "Helvetica Neue", sans-serif; font-size: 14px; -webkit-text-size-adjust: auto;">OPEN QUESTION: how to handle userinfo response type selection? OIDC core says: depends on client registration“ I think that's fine. We use the same philosophy for all sorts of request and response signing. It’s determined by client registration parameters + general deployment metadata (what is generally supported/expected).</span></div><div><span style="caret-color: rgb(23, 43, 77); color: rgb(23, 43, 77); font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu, "Fira Sans", "Droid Sans", "Helvetica Neue", sans-serif; font-size: 14px; -webkit-text-size-adjust: auto;">- „</span><span style="caret-color: rgb(23, 43, 77); color: rgb(23, 43, 77); font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu, "Fira Sans", "Droid Sans", "Helvetica Neue", sans-serif; font-size: 14px; -webkit-text-size-adjust: auto; background-color: rgb(255, 255, 255);">The FAPI 2.0 endpoints are OAuth 2.0 protected resource endpoints that return protected information for the resource owner associated with the submitted access token.“ - RSs also initiate actions (eg payments), that’s one important reason for requiring non-repudiation. I suggest to add something like „.... that perform sensitive actions and return protected information for the resource owner ...“</span></div><div><span style="caret-color: rgb(23, 43, 77); color: rgb(23, 43, 77); font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu, "Fira Sans", "Droid Sans", "Helvetica Neue", sans-serif; font-size: 14px; -webkit-text-size-adjust: auto; background-color: rgb(255, 255, 255);"><br></span></div><div><span style="caret-color: rgb(23, 43, 77); color: rgb(23, 43, 77); font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu, "Fira Sans", "Droid Sans", "Helvetica Neue", sans-serif; font-size: 14px; -webkit-text-size-adjust: auto; background-color: rgb(255, 255, 255);">best regards,</span></div><div><span style="caret-color: rgb(23, 43, 77); color: rgb(23, 43, 77); font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu, "Fira Sans", "Droid Sans", "Helvetica Neue", sans-serif; font-size: 14px; -webkit-text-size-adjust: auto; background-color: rgb(255, 255, 255);">Torsten.</span></div><blockquote type="cite"><div dir="ltr">
<p>One open question is whether we can give recommendations
regarding resource request and response signing. We currently have
<a href="https://bitbucket.org/openid/fapi/src/master/Financial_API_HTTP_Signing.md">https://bitbucket.org/openid/fapi/src/master/Financial_API_HTTP_Signing.md</a>
which lists "typical requirements" but does not give concrete
advice.</p>
<p>eTSI is developding JAdES and there is some work ongoing in the
IETF HTTP group as well.</p>
<p>What are other options that we should take a look at?</p>
<p>-Daniel<br>
</p>
<span>_______________________________________________</span><br><span>Openid-specs-fapi mailing list</span><br><span>Openid-specs-fapi@lists.openid.net</span><br><span>http://lists.openid.net/mailman/listinfo/openid-specs-fapi</span><br></div></blockquote></body></html>