<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
Hi,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
Please find attached the technical report on the formal security analysis of FAPI2. In case you're not aware of the details, the report is written by researchers from the University of Stuttgart, and it's the result of modeling and analysis work performed since
 early spring this year.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
The stakeholders are meeting for a final milestone review on October 24th, and there is an expectation that the FAPI WG provides feedback and acceptance/approval of the report, so it would be appreciated if you could please review it.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
If you would like to, the researchers have agreed to do a brief presentation of the report in the upcoming Atlantic call on Wednesday October 11th. However, I realize that IIW is happening this week and I'm not sure if the call will proceed as planned or not.
 Please let me know at your earliest convenience if you would like to add this point to the agenda.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof ContentPasted0">
Finally, during the course of this work, some related issues have been opened on Bitbucket. I will list them below for your convenience. The researchers say that "it appears that there are no blocking issues from our side", but please have a look and see what
 we can do to resolve the outstanding issues, if possible.<br>
</div>
<div class="elementToProof">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="ContentPasted1">
<ul data-editing-info='{"orderedStyleType":1,"unorderedStyleType":1}'>
<li style="list-style-type: disc;">[Resolved] https://bitbucket.org/openid/fapi/issues/551/extra-security-considerations-for-clients</li><li class="ContentPasted1" style="list-style-type: disc;">[Resolved] https://bitbucket.org/openid/fapi/issues/602/client-is-misleading-in-the-context-of</li></ul>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="ContentPasted1">
<div class="ContentPasted1">
<ul data-editing-info='{"orderedStyleType":1,"unorderedStyleType":1}'>
<li style="list-style-type: disc;">[Invalid] https://bitbucket.org/openid/fapi/issues/605/jarm-for-signed-authz-responses-seems-to</li></ul>
</div>
<div class="ContentPasted1">
<ul data-editing-info='{"orderedStyleType":1,"unorderedStyleType":1}'>
<li style="list-style-type: disc;">[Open] https://bitbucket.org/openid/fapi/issues/596/non-repudiation</li><ul style="list-style-type: circle;">
<li style=""><span>The researchers have accepted the thread explanation and performed the analysis accordingly. However, there is seemingly not yet any PR for the proposed security considerations.</span></li></ul>
<li class="ContentPasted1" style="list-style-type: disc;">[Open] https://bitbucket.org/openid/fapi/issues/608/make-clear-that-requests-and-responses-to</li><ul style="list-style-type: circle;">
<li class="ContentPasted1" style=""><span>There's an open PR, https://bitbucket.org/openid/fapi/pull-requests/433</span></li></ul>
<li class="ContentPasted1" style="list-style-type: disc;">[Open] https://bitbucket.org/openid/fapi/issues/609/ciba-make-clear-limitation-of-binding</li><ul style="list-style-type: circle;">
<li class="ContentPasted1" style=""><span>Nat already wrote that they want to add security considerations on this, which should be fine from our point of view. However, there is no PR yet.</span></li></ul>
<li class="ContentPasted1" style="list-style-type: disc;">[New] https://bitbucket.org/openid/fapi/issues/621/fapi-ciba</li><ul style="list-style-type: circle;">
<li class="ContentPasted1" style=""><span>There's an open PR, https://bitbucket.org/openid/fapi/pull-requests/417</span></li></ul>
</ul>
</div>
<br>
</div>
<div id="Signature">
<div>
<div><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">Thank you,<br>
Marcus Almgren<br>
OIDF Certification team</span></div>
<div><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"><br>
</span></div>
</div>
</div>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="appendonsend"></div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size: 11pt; color: rgb(0, 0, 0);"><b>From:</b> Marcus Almgren &lt;marcus.almgren@oidf.org&gt;<br>
<b>Sent:</b> Monday, October 2, 2023 10:35<br>
<b>To:</b> dave.tonge@moneyhub.com &lt;dave.tonge@moneyhub.com&gt;; nat_fwd &lt;nat@nat.consulting&gt;; ralf.kuesters@sec.uni-stuttgart.de &lt;ralf.kuesters@sec.uni-stuttgart.de&gt;; pedram.hosseyni@sec.uni-stuttgart.de &lt;pedram.hosseyni@sec.uni-stuttgart.de&gt;; tim.wuertele@sec.uni-stuttgart.de
 &lt;tim.wuertele@sec.uni-stuttgart.de&gt;; rob.hanson@treasury.gov.au &lt;rob.hanson@treasury.gov.au&gt;; mark.verstege@consumerdatastandards.gov.au &lt;mark.verstege@consumerdatastandards.gov.au&gt;; Mark &lt;mark@considrd.consulting&gt;; mail@danielfett.de &lt;mail@danielfett.de&gt;;
 atul@sgnl.ai &lt;atul@sgnl.ai&gt;; Gail Hodges &lt;gail@oidf.org&gt;; Joseph Heenan &lt;joseph.heenan@oidf.org&gt;<br>
<b>Cc:</b> robert.t.hanson@gmail.com &lt;robert.t.hanson@gmail.com&gt;<br>
<b>Subject:</b> FAPI2 WP2b: Report</font>
<div> </div>
</div>
<div dir="ltr">
<div class="x_elementToProof" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Hi,</div>
<div class="x_elementToProof" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="x_elementToProof" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Please find attached the FAPI2 formal security analysis technical report WP2. Thanks to Ralf, Tim & Pedram for sharing, and for their work.</div>
<div class="x_elementToProof" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="x_elementToProof" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
This means that we're entering the final stage of WP2, and according to my notes we've got a few things to take care of during October:</div>
<div class="x_elementToProof" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="x_elementToProof" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<ul data-editing-info='{"orderedStyleType":1,"unorderedStyleType":1}'>
<li style="list-style-type:disc">It is expected that the FAPI WG provides feedback on the report. Issues that have been discussed between the researchers and the WG should be commented and concluded on, and open pull requests related to the topics should be
 resolved.</li><li style="list-style-type:disc">My notes also state that I should ensure that Mark Verstege has received the report and provided feedback on it, with the option of getting together with Tim & Pedram and the WG on an appropriate Pacific call to discuss, if
 needed. The options for the Pacific call are Thursday 11 PM UTC either this week or two weeks later. I will reach out directly to you, Mark, to coordinate that.</li><li style="list-style-type:disc">I will send out a meeting invitation for the report walkthrough and milestone approval for October 24<span><sup>th</sup> </span><span>shortly.</span><br>
</li></ul>
</div>
<div class="x_elementToProof">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="x_Signature">
<div>
<div><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">Thank you,<br>
Marcus Almgren<br>
OIDF Certification team</span></div>
<div><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"><br>
</span></div>
</div>
</div>
</div>
<div id="x_appendonsend"></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size: 11pt; color: rgb(0, 0, 0);"><b>From:</b> Marcus Almgren &lt;marcus.almgren@oidf.org&gt;<br>
<b>Sent:</b> Tuesday, September 12, 2023 07:20<br>
<b>To:</b> dave.tonge@moneyhub.com &lt;dave.tonge@moneyhub.com&gt;; nat_fwd &lt;nat@nat.consulting&gt;; ralf.kuesters@sec.uni-stuttgart.de &lt;ralf.kuesters@sec.uni-stuttgart.de&gt;; pedram.hosseyni@sec.uni-stuttgart.de &lt;pedram.hosseyni@sec.uni-stuttgart.de&gt;; tim.wuertele@sec.uni-stuttgart.de
 &lt;tim.wuertele@sec.uni-stuttgart.de&gt;; rob.hanson@treasury.gov.au &lt;rob.hanson@treasury.gov.au&gt;; mark.verstege@consumerdatastandards.gov.au &lt;mark.verstege@consumerdatastandards.gov.au&gt;; Mark &lt;mark@considrd.consulting&gt;; mail@danielfett.de &lt;mail@danielfett.de&gt;;
 atul@sgnl.ai &lt;atul@sgnl.ai&gt;; Gail Hodges &lt;gail@oidf.org&gt;; Joseph Heenan &lt;joseph.heenan@oidf.org&gt;<br>
<b>Cc:</b> robert.t.hanson@gmail.com &lt;robert.t.hanson@gmail.com&gt;<br>
<b>Subject:</b> Re: FAPI2 WP2b: Status call</font>
<div> </div>
</div>
<div dir="ltr">
<div class="x_x_elementToProof x_x_ContentPasted0" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<b>Meeting notes</b>
<div class="x_x_ContentPasted0"><b>FAPI2 WP2b, pre-milestone review meeting, 2023-09-12</b></div>
<div><br class="x_x_ContentPasted0">
</div>
<div class="x_x_ContentPasted0">Agenda:</div>
<div class="x_x_ContentPasted0">- Current status from Ustutt/Tim & Pedram.</div>
<div class="x_x_ContentPasted0">- Date for sharing of final report & date for milestone review meeting</div>
<div class="x_x_ContentPasted0">- Thoughts, feedback, questions from Australia (if any).</div>
<div class="x_x_ContentPasted0">- AOB</div>
<div><br class="x_x_ContentPasted0">
</div>
<div class="x_x_ContentPasted0">Participants:</div>
<div class="x_x_ContentPasted0">Rob</div>
<div class="x_x_ContentPasted0">Tim</div>
<div class="x_x_ContentPasted0">Pedram</div>
<div class="x_x_ContentPasted0">Ralf<br>
</div>
<div class="x_x_ContentPasted0">Gail</div>
<div class="x_x_ContentPasted0">Marcus</div>
<div><br class="x_x_ContentPasted0">
</div>
<div class="x_x_ContentPasted0">1. Current status from Ustutt/Tim & Pedram.</div>
<div><br class="x_x_ContentPasted0">
</div>
<div class="x_x_ContentPasted0">We changed some things in the model regarding message signing and HTTP signing. Currently working on the proofs, modifying previous and adapting new proofs. FAPI-CIBA concern (known issue) voiced and message passed to the WG.
 We're on track, provided that no new findings are made in the remaining analysis and verification.</div>
<div><br class="x_x_ContentPasted0">
</div>
<div class="x_x_ContentPasted0">2. Date for sharing of final report & date for milestone review meeting</div>
<div><br class="x_x_ContentPasted0">
</div>
<div class="x_x_ContentPasted0">We will repeat the process from last milestone, meaning that we set a date for delivering the report (September 29th). Rob is on leave for a couple of weeks in early October, so we should set the dates for the report review and
 walkthrough for late October.</div>
<div><br class="x_x_ContentPasted0">
</div>
<div class="x_x_ContentPasted0">3. Thoughts, feedback, questions from Australia (if any).</div>
<div><br class="x_x_ContentPasted0">
</div>
<div class="x_x_ContentPasted0">None beyond what's been discussed in the other agenda points.<br>
</div>
<div><br class="x_x_ContentPasted0">
</div>
<div class="x_x_ContentPasted0">4. AOB</div>
<div><br class="x_x_ContentPasted0">
</div>
<div class="x_x_ContentPasted0">(a) Get Mark Verstege (FirstID), Tim/Pedram together with FAPI WG Pacific call time regarding any open issues, PR, the report outcome. Schedule this for early October, after the report has been shared on September 29th.</div>
<div><br class="x_x_ContentPasted0">
</div>
(b) After collecting feedback, possibly correcting or adjusting the report, we move to agreement on milestone approval. This will happen during October.<br>
</div>
<div class="x_x_elementToProof">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="x_x_Signature">
<div>
<div><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">Thank you,<br>
Marcus Almgren<br>
OIDF Certification team</span></div>
<div><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"><br>
</span></div>
</div>
</div>
</div>
<div>
<div id="x_x_appendonsend"></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size: 11pt; color: rgb(0, 0, 0);"><b>From:</b> Marcus Almgren<br>
<b>Sent:</b> Saturday, September 2, 2023 16:32<br>
<b>To:</b> dave.tonge@moneyhub.com &lt;dave.tonge@moneyhub.com&gt;; nat_fwd &lt;nat@nat.consulting&gt;; ralf.kuesters@sec.uni-stuttgart.de &lt;ralf.kuesters@sec.uni-stuttgart.de&gt;; pedram.hosseyni@sec.uni-stuttgart.de &lt;pedram.hosseyni@sec.uni-stuttgart.de&gt;; tim.wuertele@sec.uni-stuttgart.de
 &lt;tim.wuertele@sec.uni-stuttgart.de&gt;; rob.hanson@treasury.gov.au &lt;rob.hanson@treasury.gov.au&gt;; mark.verstege@consumerdatastandards.gov.au &lt;mark.verstege@consumerdatastandards.gov.au&gt;; Mark &lt;mark@considrd.consulting&gt;; mail@danielfett.de &lt;mail@danielfett.de&gt;;
 atul@sgnl.ai &lt;atul@sgnl.ai&gt;; Gail Hodges &lt;gail@oidf.org&gt;; Joseph Heenan &lt;joseph.heenan@oidf.org&gt;<br>
<b>Cc:</b> robert.t.hanson@gmail.com &lt;robert.t.hanson@gmail.com&gt;<br>
<b>Subject:</b> FAPI2 WP2b: Status call<br>
<b>When:</b> Tuesday, September 12, 2023 7:00 AM-7:30 AM.<br>
<b>Where:</b> https://zoom.us/j/5304483764?pwd=Mlgxc1VEK2hWQll4Z0R5b3dHYWhHdz09</font>
<div> </div>
</div>
<div>
<div class="x_x_x_elementToProof" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<div class="x_x_x_x_x_x_elementToProof x_x_x_x_x_x_ContentPasted0 x_x_x_x_x_elementToProof x_x_x_ContentPasted0" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Pre-milestone review meeting for the FAPI2 Workpackage 2 project.</div>
<div class="x_x_x_x_x_x_elementToProof x_x_x_x_x_x_ContentPasted0 x_x_x_x_x_x_ContentPasted1" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br class="x_x_x_ContentPasted0">
</div>
<div class="x_x_x_x_x_x_elementToProof x_x_x_x_x_x_ContentPasted0 x_x_x_x_x_x_ContentPasted1 x_x_x_x_x_x_ContentPasted2 x_x_x_x_elementToProof" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<a href="https://zoom.us/j/5304483764?pwd=Mlgxc1VEK2hWQll4Z0R5b3dHYWhHdz09" data-auth="NotApplicable" id="OWAea7d818a-f275-36a3-e3c5-e8a306a0aa5a" class="x_x_x_OWAAutoLink x_x_x_ContentPasted0">https://zoom.us/j/5304483764?pwd=Mlgxc1VEK2hWQll4Z0R5b3dHYWhHdz09</a></div>
<div class="x_x_x_x_x_x_elementToProof x_x_x_x_x_x_ContentPasted0 x_x_x_x_x_x_ContentPasted1 x_x_x_x_x_x_ContentPasted2 x_x_x_x_elementToProof" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br class="x_x_x_ContentPasted0">
</div>
<div class="x_x_x_x_x_x_elementToProof x_x_x_x_x_x_ContentPasted0 x_x_x_x_x_x_ContentPasted1 x_x_x_x_x_x_ContentPasted2 x_x_x_x_elementToProof x_x_x_ContentPasted0" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Preliminary agenda:</div>
<div class="x_x_x_x_x_x_elementToProof x_x_x_x_x_x_ContentPasted0 x_x_x_x_x_x_ContentPasted1 x_x_x_x_x_x_ContentPasted2 x_x_x_x_elementToProof" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<ol data-listchain="__List_Chain_523">
<li class="x_x_x_x_elementToProof"><span class="x_x_x_ContentPasted0">Current status from Ustutt/Tim & Pedram.</span></li><li class="x_x_x_x_elementToProof">Date for sharing of final report & date for milestone review meeting<br>
</li><li class="x_x_x_x_elementToProof"><span class="x_x_x_x_ContentPasted0 x_x_x_ContentPasted0">Thoughts, feedback, questions from Australia (if any).</span></li><li class="x_x_x_x_elementToProof"><span class="x_x_x_x_ContentPasted0 x_x_x_ContentPasted0">AOB</span></li></ol>
<div class="x_x_x_x_elementToProof x_x_x_ContentPasted0">Thank you,<br class="x_x_x_ContentPasted0">
Marcus Almgren<br class="x_x_x_ContentPasted0">
OIDF Certification team</div>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
</body>
</html>