[Openid-specs-heart] HEART WG AGENDA Monday April 20, 2020

Steinar Noem steinar at udelt.no
Tue Apr 21 17:24:14 UTC 2020


That is interesting Tom, could you elaborate a little more on the reasons
for why you don't agree with the attacker model? I was unaware of the
criticism, so it would be good to get a better understanding.

I guess this also means that you do not agree with the recent work done
with the security best practices document? (
https://www.ietf.org/id/draft-ietf-oauth-security-topics-15.html)

My personal opinion is that pointing to a common security profile for OAuth
will make things easier for systems developers (and for the customers
posing requirements), and would let the HEART WG focus on the domain
specific needs for standardization.


On Tue, 21 Apr 2020 at 18:30, Tom Jones <thomasclinganjones at gmail.com> wrote:

> Well, I am a member of the FAPI wg and do not like their current
> direction. Specifically I strongly disagree with Fett's attack model which
> has come under increasing attack in, for example the current issue of the
> CACM. If HEART focuses on evaluation of solutions before they even try to
> enumerate the problems that need to be addressed, I will take a pass.
>
> thx ..Tom (mobile)
>
> On Tue, Apr 21, 2020, 8:04 AM Debbie Bucci <debbucci at gmail.com> wrote:
>
>> Agree we are generally heading in that direction but there may be a diff
>> between what FAPI covers in the near term and additional requirements (examples:
>> delegation, support of different client types) (?)
>>
>> On Tue, Apr 21, 2020 at 10:56 AM Justin Richer <jricher at mit.edu> wrote:
>>
>>> This is what I proposed on the call yesterday, to adopt FAPI as the
>>> “mechanical” specification base for HEART going forward.
>>>
>>> We only defined HEART’s mechanical specifications because there weren’t
>>> any at the time — we were the first vertically-focused group within OIDF.
>>> FAPI is now seeking to position themselves as a general purpose baseline
>>> across different verticals. It’s up to HEART whether to adopt that or not.
>>>
>>>
>>>  — Justin
>>>
>>> On Apr 21, 2020, at 10:16 AM, Steinar Noem <steinar at udelt.no> wrote:
>>>
>>> Just a comment regarding FAPI. The FAPI WG is working on FAPI version 2
>>> which has a different wording and approach.
>>> https://bitbucket.org/openid/fapi/src/master/FAPI_2_0_Baseline_Profile.md
>>> "OIDF FAPI 2.0 is an API security profile based on the OAuth 2.0
>>> Authorization Framework"
>>>
>>> In my opinion it doesn't make sense to specify another OAuth security
>>> profile for HEART. I think that if we see a reason to either ease up or
>>> tighten the requirements specified in FAPI this could be solved by adding
>>> specific amendments (not sure if that is the correct word to use in this
>>> context).
>>>
>>> Could we invite Daniel Fett from the FAPI WG to do a presentation of
>>> FAPI to the HEART WG to get a common understanding?
>>>
>>> -Steinar
>>>
>>> On Mon, 20 Apr 2020 at 19:31, Adrian Gropper <
>>> agropper at healthurl.com> wrote:
>>>
>>>> Thanks for putting up a straw charter, Tom.
>>>>
>>>> I disagree with the FAPI reference.
>>>>
>>>> Here is what FAPI says at https://openid.net/wg/fapi :
>>>> 'Specifically, the FAPI WG aims to provide JSON data schemas, security
>>>> and privacy recommendations and protocols to:
>>>>
>>>>    - enable applications to utilize the data stored in the financial
>>>>    account,
>>>>    - enable applications to interact with the financial account, and
>>>>    - enable users to control the security and privacy settings.'
>>>>
>>>> The word "users" would need to be "applications" in order to enable the
>>>> UMA2 "wide ecosystem" model at the core of a patient-centered system.
>>>> Patients need the ability to specify the agent of their choice. UMA2 (and
>>>> future OAuth3 designs) should be used to do this.
>>>>
>>>> - Adrian
>>>>
>>>> On Mon, Apr 20, 2020 at 12:35 PM Tom Jones <
>>>> thomasclinganjones at gmail.com> wrote:
>>>>
>>>>> I haven't seen any ideas, so i offer this as a starting point. It is
>>>>> intentionally brief to try to focus on the big ideas first.
>>>>> Peace ..tom
>>>>>
>>>>>
>>>>> On Fri, Apr 17, 2020 at 7:16 AM Debbie Bucci <debbucci at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hello Everyone,
>>>>>>
>>>>>> REMINDER:
>>>>>>
>>>>>> When: 1 PM PST/4 PM EST
>>>>>> Where: Gotomeeting  – https://global.gotomeeting.com/join/785234357
>>>>>> GoToMeeting software is available on Mac, PC, iPhone, and Android
>>>>>> Phone.
>>>>>> Using VoIP option of GoToMeeting is preferred. If you must use a
>>>>>> plain old telephone for some reason, here is the US phone number: +1
>>>>>> (619) 550-0003. Access Code 785-234-357
>>>>>> *Please Note: Participation in the call is limited to the 20 most
>>>>>> active members at the discretion of the chairs due to the number of lines
>>>>>> available.*
>>>>>>
>>>>>> *AGENDA:*
>>>>>> *Create/Update HEART Charter - link of existing for reference *
>>>>>> https://openid.net/wg/heart/charter/
>>>>>>
>>>>>> Hope you will join us!
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Openid-specs-heart mailing list
>>>>>> Openid-specs-heart at lists.openid.net
>>>>>> http://lists.openid.net/mailman/listinfo/openid-specs-heart
>>>>>>
>>>
>>>
>>> --
>>> Kind regards
>>>
>>> Steinar Noem
>>> Partner Udelt AS
>>> Systems developer
>>>
>>> | steinar at udelt.no | hei at udelt.no  | +47 955 21 620 | www.udelt.no |
>>>


-- 
Kind regards

Steinar Noem
Partner Udelt AS
Systems developer

| steinar at udelt.no | hei at udelt.no  | +47 955 21 620 | www.udelt.no |

