<div dir="ltr"><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">Dear WG<br clear="all"></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">We would like to finalise FAPI v1 as soon as possible.</div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">There are 9 pull requests in need of some feedback. Please if at all possible can you review these in the next few days.</div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">There are 15 remaining issues that it would be good to resolve as soon as possible. Hopefully we can go through some of them on the call today, but if not we will need to collaborate on the mailing list in order to resolve them.</div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><b>PRs ready to merge</b></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><ol><li>IANA considerations for s_hash - <a href="https://bitbucket.org/openid/fapi/pull-requests/176">https://bitbucket.org/openid/fapi/pull-requests/176</a></li><li>Require auth codes and refresh tokens to have specific entropy - <a href="https://bitbucket.org/openid/fapi/pull-requests/171">https://bitbucket.org/openid/fapi/pull-requests/171</a><br></li><li>Remove PKCE requirement from part 2 - <a href="https://bitbucket.org/openid/fapi/pull-requests/170">https://bitbucket.org/openid/fapi/pull-requests/170</a></li><li>Clarify uuid requirement - <a href="https://bitbucket.org/openid/fapi/pull-requests/174">https://bitbucket.org/openid/fapi/pull-requests/174</a></li><li>Add DNSSEC and HSTS considerations
- <a href="https://bitbucket.org/openid/fapi/pull-requests/164">https://bitbucket.org/openid/fapi/pull-requests/164</a><br></li></ol></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><b>PRs in need of feedback:</b></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><ol><li>Add security consideration around sharing keys - <a href="https://bitbucket.org/openid/fapi/pull-requests/175">https://bitbucket.org/openid/fapi/pull-requests/175</a></li><li>Add requirement for client to verify scope in token response - <a href="https://bitbucket.org/openid/fapi/pull-requests/172">https://bitbucket.org/openid/fapi/pull-requests/172</a><br></li><li>Add requirement for servers to accept IPv6 addresses - <a href="https://bitbucket.org/openid/fapi/pull-requests/169">https://bitbucket.org/openid/fapi/pull-requests/169</a></li><li>Restrict lifetime of access tokens that are not sender constrained - <a href="https://bitbucket.org/openid/fapi/pull-requests/166">https://bitbucket.org/openid/fapi/pull-requests/166</a></li><li>Add security requirements for jwks_uri - <a href="https://bitbucket.org/openid/fapi/pull-requests/173">https://bitbucket.org/openid/fapi/pull-requests/173</a></li><li>Highlight that there are no public clients in part 2 - <a href="https://bitbucket.org/openid/fapi/pull-requests/168">https://bitbucket.org/openid/fapi/pull-requests/168</a></li><li>Key selection alg - <a href="https://bitbucket.org/openid/fapi/pull-requests/167">https://bitbucket.org/openid/fapi/pull-requests/167</a></li><li>Remove 'write operation' wording - <a href="https://bitbucket.org/openid/fapi/pull-requests/177/remove-the-phrase-write-operation">https://bitbucket.org/openid/fapi/pull-requests/177/remove-the-phrase-write-operation</a></li></ol></div><div><br></div><div><div class="gmail_default" style="font-family:'trebuchet ms',sans-serif"><b>Issues 
that still need to be resolved:</b></div><div class="gmail_default" style="font-family:'trebuchet ms',sans-serif"><ol><li>Dave - <a href="https://bitbucket.org/openid/fapi/issues/255/certification-clarification-request">https://bitbucket.org/openid/fapi/issues/255/certification-clarification-request</a> and <a href="https://bitbucket.org/openid/fapi/issues/239/fapi-part-2-should-mention-require">https://bitbucket.org/openid/fapi/issues/239/fapi-part-2-should-mention-require</a></li><li>Joseph - <a href="https://bitbucket.org/openid/fapi/issues/277/fapi-rw-is-disallowing-signed-id_tokens">https://bitbucket.org/openid/fapi/issues/277/fapi-rw-is-disallowing-signed-id_tokens</a></li><li>Joseph - <a href="https://bitbucket.org/openid/fapi/issues/124/more-examples-as-an-appendix">https://bitbucket.org/openid/fapi/issues/124/more-examples-as-an-appendix</a><br></li><li>Nat - <a href="https://bitbucket.org/openid/fapi/issues/90/create-a-sensible-privacy-consideration">https://bitbucket.org/openid/fapi/issues/90/create-a-sensible-privacy-consideration</a> and <a href="https://bitbucket.org/openid/fapi/issues/232/part-1-complete-the-privacy-consideration">https://bitbucket.org/openid/fapi/issues/232/part-1-complete-the-privacy-consideration</a><br></li><li>Joseph - <a href="https://bitbucket.org/openid/fapi/issues/264/expand-on-privacy-considerations-for">https://bitbucket.org/openid/fapi/issues/264/expand-on-privacy-considerations-for</a></li><li>Joseph - <a href="https://bitbucket.org/openid/fapi/issues/270/jarm-fapi-rw-openid-client-session-binding">https://bitbucket.org/openid/fapi/issues/270/jarm-fapi-rw-openid-client-session-binding</a></li><li>Torsten - <a href="https://bitbucket.org/openid/fapi/issues/166/ed-need-to-add-jarm-in-the-introductions">https://bitbucket.org/openid/fapi/issues/166/ed-need-to-add-jarm-in-the-introductions</a></li><li>Joseph - <a 
href="https://bitbucket.org/openid/fapi/issues/154/behaviour-of-as-undefined-if-no-acr-claim">https://bitbucket.org/openid/fapi/issues/154/behaviour-of-as-undefined-if-no-acr-claim</a></li><li>Nat - <a href="https://bitbucket.org/openid/fapi/issues/135/confidential-client-needs-a-strong">https://bitbucket.org/openid/fapi/issues/135/confidential-client-needs-a-strong</a></li><li>Torsten - <a href="https://bitbucket.org/openid/fapi/issues/202/authorization-code-and-refresh-token-must">https://bitbucket.org/openid/fapi/issues/202/authorization-code-and-refresh-token-must</a></li><li>Dave - <a href="https://bitbucket.org/openid/fapi/issues/298/change-holder-of-key-to-sender-constrained">https://bitbucket.org/openid/fapi/issues/298/change-holder-of-key-to-sender-constrained</a></li><li>Joseph - <a href="https://bitbucket.org/openid/fapi/issues/224/fapi-certification-conformance-profile">https://bitbucket.org/openid/fapi/issues/224/fapi-certification-conformance-profile</a></li><li>Nat - <a href="https://bitbucket.org/openid/fapi/issues/223/need-of-a-customer-unique-immutable">https://bitbucket.org/openid/fapi/issues/223/need-of-a-customer-unique-immutable</a></li></ol><div><b>Issues that should probably be closed:</b></div><div><ol><li><a href="https://bitbucket.org/openid/fapi/issues/251/refresh-token-expiry-time">https://bitbucket.org/openid/fapi/issues/251/refresh-token-expiry-time</a><br></li><li><a href="https://bitbucket.org/openid/fapi/issues/207/rs256-vs-ps256-again">https://bitbucket.org/openid/fapi/issues/207/rs256-vs-ps256-again</a></li></ol></div></div><div class="gmail_default" style="font-family:'trebuchet ms',sans-serif"></div></div><div class="gmail_default" style="font-family:'trebuchet ms',sans-serif">Thank you</div><div><br></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="line-height:normal"><div 
style="color:rgb(0,164,183);font-family:lato,'open sans',arial,sans-serif;font-size:1em;font-weight:bold;line-height:1.4">Dave Tonge</div><div style="color:rgb(51,51,51);font-family:lato,'open sans',arial,sans-serif;font-size:0.8125em;line-height:1.4"><div class="gmail_default" style="font-family:'trebuchet ms',sans-serif">FAPI WG - Co Chair</div><br></div></div></div></div></div></div></div></div></div>