<div dir="ltr">Thanks. <div><br></div><div>We are going to deal with these as main topics tomorrow. <div><br></div><div>Best, </div><div><br></div><div>Nat</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 9 Oct 2023 at 06:33, Marcus Almgren via Openid-specs-fapi <<a href="mailto:openid-specs-fapi@lists.openid.net">openid-specs-fapi@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="msg-4363621209175791174">




<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Hi,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Please find attached the technical report on the formal security analysis of FAPI2. In case you're not aware of the details, the report is written by researchers from the University of Stuttgart, and it's the result of modeling and analysis work performed since
 early spring this year.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
The stakeholders are meeting for a final milestone review on October 24th, and there is an expectation that the FAPI WG provides feedback and acceptance/approval of the report, so it would be appreciated if you could please review it.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
If you would like to, the researchers have agreed to do a brief presentation of the report in the upcoming Atlantic call on Wednesday October 11th. However, I realize that IIW is happening this week and I'm not sure if the call will proceed as planned or not.
 Please let me know at your earliest convenience if you would like to add this point to the agenda.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Finally, during the course of this work, some related issues have been opened on Bitbucket. I will list them below for your convenience. The researchers say that "it appears that there are no blocking issues from our side", but please have a look and see what
 we can do to resolve the outstanding issues, if possible.<br>
</div>
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<ul>
<li style="list-style-type:disc">[Resolved] <a href="https://bitbucket.org/openid/fapi/issues/551/extra-security-considerations-for-clients" target="_blank">https://bitbucket.org/openid/fapi/issues/551/extra-security-considerations-for-clients</a></li><li style="list-style-type:disc">[Resolved] <a href="https://bitbucket.org/openid/fapi/issues/602/client-is-misleading-in-the-context-of" target="_blank">https://bitbucket.org/openid/fapi/issues/602/client-is-misleading-in-the-context-of</a></li></ul>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<div>
<ul>
<li style="list-style-type:disc">[Invalid] <a href="https://bitbucket.org/openid/fapi/issues/605/jarm-for-signed-authz-responses-seems-to" target="_blank">https://bitbucket.org/openid/fapi/issues/605/jarm-for-signed-authz-responses-seems-to</a></li></ul>
</div>
<div>
<ul>
<li style="list-style-type:disc">[Open] <a href="https://bitbucket.org/openid/fapi/issues/596/non-repudiation" target="_blank">https://bitbucket.org/openid/fapi/issues/596/non-repudiation</a></li><ul style="list-style-type:circle">
<li><span>The researchers have accepted the thread explanation and performed the analysis accordingly. However, there is seemingly not yet any PR for the proposed security considerations.</span></li></ul>
<li style="list-style-type:disc">[Open] <a href="https://bitbucket.org/openid/fapi/issues/608/make-clear-that-requests-and-responses-to" target="_blank">https://bitbucket.org/openid/fapi/issues/608/make-clear-that-requests-and-responses-to</a></li><ul style="list-style-type:circle">
<li><span>There's an open PR, <a href="https://bitbucket.org/openid/fapi/pull-requests/433" target="_blank">https://bitbucket.org/openid/fapi/pull-requests/433</a></span></li></ul>
<li style="list-style-type:disc">[Open] <a href="https://bitbucket.org/openid/fapi/issues/609/ciba-make-clear-limitation-of-binding" target="_blank">https://bitbucket.org/openid/fapi/issues/609/ciba-make-clear-limitation-of-binding</a></li><ul style="list-style-type:circle">
<li><span>Nat already wrote that they want to add security considerations on this, which should be fine from our point of view. However, there is no PR yet.</span></li></ul>
<li style="list-style-type:disc">[New] <a href="https://bitbucket.org/openid/fapi/issues/621/fapi-ciba" target="_blank">https://bitbucket.org/openid/fapi/issues/621/fapi-ciba</a></li><ul style="list-style-type:circle">
<li><span>There's an open PR, <a href="https://bitbucket.org/openid/fapi/pull-requests/417" target="_blank">https://bitbucket.org/openid/fapi/pull-requests/417</a></span></li></ul>
</ul>
</div>
<br>
</div>
<div id="m_-4363621209175791174Signature">
<div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">Thank you,<br>
Marcus Almgren<br>
OIDF Certification team</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><br>
</span></div>
</div>
</div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div id="m_-4363621209175791174appendonsend"></div>
<hr style="display:inline-block;width:98%">
<div id="m_-4363621209175791174divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt;color:rgb(0,0,0)"><b>From:</b> Marcus Almgren <<a href="mailto:marcus.almgren@oidf.org" target="_blank">marcus.almgren@oidf.org</a>><br>
<b>Sent:</b> Monday, October 2, 2023 10:35<br>
<b>To:</b> <a href="mailto:dave.tonge@moneyhub.com" target="_blank">dave.tonge@moneyhub.com</a> <<a href="mailto:dave.tonge@moneyhub.com" target="_blank">dave.tonge@moneyhub.com</a>>; nat_fwd <nat@nat.consulting>; <a href="mailto:ralf.kuesters@sec.uni-stuttgart.de" target="_blank">ralf.kuesters@sec.uni-stuttgart.de</a> <<a href="mailto:ralf.kuesters@sec.uni-stuttgart.de" target="_blank">ralf.kuesters@sec.uni-stuttgart.de</a>>; <a href="mailto:pedram.hosseyni@sec.uni-stuttgart.de" target="_blank">pedram.hosseyni@sec.uni-stuttgart.de</a> <<a href="mailto:pedram.hosseyni@sec.uni-stuttgart.de" target="_blank">pedram.hosseyni@sec.uni-stuttgart.de</a>>; <a href="mailto:tim.wuertele@sec.uni-stuttgart.de" target="_blank">tim.wuertele@sec.uni-stuttgart.de</a>
 <<a href="mailto:tim.wuertele@sec.uni-stuttgart.de" target="_blank">tim.wuertele@sec.uni-stuttgart.de</a>>; <a href="mailto:rob.hanson@treasury.gov.au" target="_blank">rob.hanson@treasury.gov.au</a> <<a href="mailto:rob.hanson@treasury.gov.au" target="_blank">rob.hanson@treasury.gov.au</a>>; <a href="mailto:mark.verstege@consumerdatastandards.gov.au" target="_blank">mark.verstege@consumerdatastandards.gov.au</a> <<a href="mailto:mark.verstege@consumerdatastandards.gov.au" target="_blank">mark.verstege@consumerdatastandards.gov.au</a>>; Mark <mark@considrd.consulting>; <a href="mailto:mail@danielfett.de" target="_blank">mail@danielfett.de</a> <<a href="mailto:mail@danielfett.de" target="_blank">mail@danielfett.de</a>>;
 <a href="mailto:atul@sgnl.ai" target="_blank">atul@sgnl.ai</a> <<a href="mailto:atul@sgnl.ai" target="_blank">atul@sgnl.ai</a>>; Gail Hodges <<a href="mailto:gail@oidf.org" target="_blank">gail@oidf.org</a>>; Joseph Heenan <<a href="mailto:joseph.heenan@oidf.org" target="_blank">joseph.heenan@oidf.org</a>><br>
<b>Cc:</b> <a href="mailto:robert.t.hanson@gmail.com" target="_blank">robert.t.hanson@gmail.com</a> <<a href="mailto:robert.t.hanson@gmail.com" target="_blank">robert.t.hanson@gmail.com</a>><br>
<b>Subject:</b> FAPI2 WP2b: Report</font>
<div> </div>
</div>
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Hi,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Please find attached the FAPI2 formal security analysis technical report WP2. Thanks to Ralf, Tim & Pedram for sharing, and for their work.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
This means that we're entering the final stage of WP2, and according to my notes we've got a few things to take care of during October:</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<ul>
<li style="list-style-type:disc">It is expected that the FAPI WG provides feedback on the report. Issues that have been discussed between the researchers and the WG should be commented on and concluded, and open pull requests related to the topics should be
 resolved.</li><li style="list-style-type:disc">My notes also state that I should ensure that Mark Verstege has received the report and provided feedback on it, with the option of getting together with Tim & Pedram and the WG on an appropriate Pacific call to discuss, if
 needed. The options for the Pacific call are Thursday 11 PM UTC either this week or two weeks later. I will reach out directly to you, Mark, to coordinate that.</li><li style="list-style-type:disc">I will send out a meeting invitation for the report walkthrough and milestone approval for October 24<span><sup>th</sup> </span><span>shortly.</span><br>
</li></ul>
</div>
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div id="m_-4363621209175791174x_Signature">
<div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">Thank you,<br>
Marcus Almgren<br>
OIDF Certification team</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><br>
</span></div>
</div>
</div>
</div>
<div id="m_-4363621209175791174x_appendonsend"></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<hr style="display:inline-block;width:98%">
<div id="m_-4363621209175791174x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt;color:rgb(0,0,0)"><b>From:</b> Marcus Almgren <<a href="mailto:marcus.almgren@oidf.org" target="_blank">marcus.almgren@oidf.org</a>><br>
<b>Sent:</b> Tuesday, September 12, 2023 07:20<br>
<b>To:</b> <a href="mailto:dave.tonge@moneyhub.com" target="_blank">dave.tonge@moneyhub.com</a> <<a href="mailto:dave.tonge@moneyhub.com" target="_blank">dave.tonge@moneyhub.com</a>>; nat_fwd <nat@nat.consulting>; <a href="mailto:ralf.kuesters@sec.uni-stuttgart.de" target="_blank">ralf.kuesters@sec.uni-stuttgart.de</a> <<a href="mailto:ralf.kuesters@sec.uni-stuttgart.de" target="_blank">ralf.kuesters@sec.uni-stuttgart.de</a>>; <a href="mailto:pedram.hosseyni@sec.uni-stuttgart.de" target="_blank">pedram.hosseyni@sec.uni-stuttgart.de</a> <<a href="mailto:pedram.hosseyni@sec.uni-stuttgart.de" target="_blank">pedram.hosseyni@sec.uni-stuttgart.de</a>>; <a href="mailto:tim.wuertele@sec.uni-stuttgart.de" target="_blank">tim.wuertele@sec.uni-stuttgart.de</a>
 <<a href="mailto:tim.wuertele@sec.uni-stuttgart.de" target="_blank">tim.wuertele@sec.uni-stuttgart.de</a>>; <a href="mailto:rob.hanson@treasury.gov.au" target="_blank">rob.hanson@treasury.gov.au</a> <<a href="mailto:rob.hanson@treasury.gov.au" target="_blank">rob.hanson@treasury.gov.au</a>>; <a href="mailto:mark.verstege@consumerdatastandards.gov.au" target="_blank">mark.verstege@consumerdatastandards.gov.au</a> <<a href="mailto:mark.verstege@consumerdatastandards.gov.au" target="_blank">mark.verstege@consumerdatastandards.gov.au</a>>; Mark <mark@considrd.consulting>; <a href="mailto:mail@danielfett.de" target="_blank">mail@danielfett.de</a> <<a href="mailto:mail@danielfett.de" target="_blank">mail@danielfett.de</a>>;
 <a href="mailto:atul@sgnl.ai" target="_blank">atul@sgnl.ai</a> <<a href="mailto:atul@sgnl.ai" target="_blank">atul@sgnl.ai</a>>; Gail Hodges <<a href="mailto:gail@oidf.org" target="_blank">gail@oidf.org</a>>; Joseph Heenan <<a href="mailto:joseph.heenan@oidf.org" target="_blank">joseph.heenan@oidf.org</a>><br>
<b>Cc:</b> <a href="mailto:robert.t.hanson@gmail.com" target="_blank">robert.t.hanson@gmail.com</a> <<a href="mailto:robert.t.hanson@gmail.com" target="_blank">robert.t.hanson@gmail.com</a>><br>
<b>Subject:</b> Re: FAPI2 WP2b: Status call</font>
<div> </div>
</div>
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<b>Meeting notes</b>
<div><b>FAPI2 WP2b, pre-milestone review meeting, 2023-09-12</b></div>
<div><br>
</div>
<div>Agenda:</div>
<div>- Current status from Ustutt/Tim & Pedram.</div>
<div>- Date for sharing of final report & date for milestone review meeting</div>
<div>- Thoughts, feedback, questions from Australia (if any).</div>
<div>- AOB</div>
<div><br>
</div>
<div>Participants:</div>
<div>Rob</div>
<div>Tim</div>
<div>Pedram</div>
<div>Ralf<br>
</div>
<div>Gail</div>
<div>Marcus</div>
<div><br>
</div>
<div>1. Current status from Ustutt/Tim & Pedram.</div>
<div><br>
</div>
<div>We changed some things in the model regarding message signing and HTTP signing. Currently working on the proofs, modifying previous and adapting new proofs. FAPI-CIBA concern (known issue) voiced and message passed to the WG.
 We're on track, provided that no new findings are made in the remaining analysis and verification.</div>
<div><br>
</div>
<div>2. Date for sharing of final report & date for milestone review meeting</div>
<div><br>
</div>
<div>We will repeat the process from last milestone, meaning that we set a date for delivering the report (September 29th). Rob is on leave for a couple of weeks in early October, so we should set the dates for the report review and
 walkthrough for late October.</div>
<div><br>
</div>
<div>3. Thoughts, feedback, questions from Australia (if any).</div>
<div><br>
</div>
<div>None beyond what's been discussed in the other agenda points.<br>
</div>
<div><br>
</div>
<div>4. AOB</div>
<div><br>
</div>
<div>(a) Get Mark Verstege (FirstID), Tim/Pedram together with FAPI WG Pacific call time regarding any open issues, PR, the report outcome. Schedule this for early October, after the report has been shared on September 29th.</div>
<div><br>
</div>
(b) After collecting feedback, possibly correcting or adjusting the report, we move to agreement on milestone approval. This will happen during October.<br>
</div>
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div id="m_-4363621209175791174x_x_Signature">
<div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">Thank you,<br>
Marcus Almgren<br>
OIDF Certification team</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><br>
</span></div>
</div>
</div>
</div>
<div>
<div id="m_-4363621209175791174x_x_appendonsend"></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<hr style="display:inline-block;width:98%">
<div id="m_-4363621209175791174x_x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt;color:rgb(0,0,0)"><b>From:</b> Marcus Almgren<br>
<b>Sent:</b> Saturday, September 2, 2023 16:32<br>
<b>To:</b> <a href="mailto:dave.tonge@moneyhub.com" target="_blank">dave.tonge@moneyhub.com</a> <<a href="mailto:dave.tonge@moneyhub.com" target="_blank">dave.tonge@moneyhub.com</a>>; nat_fwd <nat@nat.consulting>; <a href="mailto:ralf.kuesters@sec.uni-stuttgart.de" target="_blank">ralf.kuesters@sec.uni-stuttgart.de</a> <<a href="mailto:ralf.kuesters@sec.uni-stuttgart.de" target="_blank">ralf.kuesters@sec.uni-stuttgart.de</a>>; <a href="mailto:pedram.hosseyni@sec.uni-stuttgart.de" target="_blank">pedram.hosseyni@sec.uni-stuttgart.de</a> <<a href="mailto:pedram.hosseyni@sec.uni-stuttgart.de" target="_blank">pedram.hosseyni@sec.uni-stuttgart.de</a>>; <a href="mailto:tim.wuertele@sec.uni-stuttgart.de" target="_blank">tim.wuertele@sec.uni-stuttgart.de</a>
 <<a href="mailto:tim.wuertele@sec.uni-stuttgart.de" target="_blank">tim.wuertele@sec.uni-stuttgart.de</a>>; <a href="mailto:rob.hanson@treasury.gov.au" target="_blank">rob.hanson@treasury.gov.au</a> <<a href="mailto:rob.hanson@treasury.gov.au" target="_blank">rob.hanson@treasury.gov.au</a>>; <a href="mailto:mark.verstege@consumerdatastandards.gov.au" target="_blank">mark.verstege@consumerdatastandards.gov.au</a> <<a href="mailto:mark.verstege@consumerdatastandards.gov.au" target="_blank">mark.verstege@consumerdatastandards.gov.au</a>>; Mark <mark@considrd.consulting>; <a href="mailto:mail@danielfett.de" target="_blank">mail@danielfett.de</a> <<a href="mailto:mail@danielfett.de" target="_blank">mail@danielfett.de</a>>;
 <a href="mailto:atul@sgnl.ai" target="_blank">atul@sgnl.ai</a> <<a href="mailto:atul@sgnl.ai" target="_blank">atul@sgnl.ai</a>>; Gail Hodges <<a href="mailto:gail@oidf.org" target="_blank">gail@oidf.org</a>>; Joseph Heenan <<a href="mailto:joseph.heenan@oidf.org" target="_blank">joseph.heenan@oidf.org</a>><br>
<b>Cc:</b> <a href="mailto:robert.t.hanson@gmail.com" target="_blank">robert.t.hanson@gmail.com</a> <<a href="mailto:robert.t.hanson@gmail.com" target="_blank">robert.t.hanson@gmail.com</a>><br>
<b>Subject:</b> FAPI2 WP2b: Status call<br>
<b>When:</b> Tuesday, September 12, 2023 7:00 AM-7:30 AM.<br>
<b>Where:</b> <a href="https://zoom.us/j/5304483764?pwd=Mlgxc1VEK2hWQll4Z0R5b3dHYWhHdz09" target="_blank">https://zoom.us/j/5304483764?pwd=Mlgxc1VEK2hWQll4Z0R5b3dHYWhHdz09</a></font>
<div> </div>
</div>
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
Pre-milestone review meeting for the FAPI2 Workpackage 2 project.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<a href="https://zoom.us/j/5304483764?pwd=Mlgxc1VEK2hWQll4Z0R5b3dHYWhHdz09" id="m_-4363621209175791174OWAea7d818a-f275-36a3-e3c5-e8a306a0aa5a" target="_blank">https://zoom.us/j/5304483764?pwd=Mlgxc1VEK2hWQll4Z0R5b3dHYWhHdz09</a></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
Preliminary agenda:</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<ol>
<li><span>Current status from Ustutt/Tim & Pedram.</span></li><li>Date for sharing of final report & date for milestone review meeting<br>
</li><li><span>Thoughts, feedback, questions from Australia (if any).</span></li><li><span>AOB</span></li></ol>
<div>Thank you,<br>
Marcus Almgren<br>
OIDF Certification team</div>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
</div>

_______________________________________________<br>
Openid-specs-fapi mailing list<br>
<a href="mailto:Openid-specs-fapi@lists.openid.net" target="_blank">Openid-specs-fapi@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-fapi" rel="noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-fapi</a><br>
</div></blockquote></div>