[Openid-specs-heart] HEART WG AGENDA Monday April 20, 2020

Tom Jones thomasclinganjones at gmail.com
Tue Apr 21 17:29:29 UTC 2020


That's correct but not a concern of HEART. Where would an appropriate forum
be?

thx ..Tom (mobile)

On Tue, Apr 21, 2020, 10:24 AM Steinar Noem <steinar at udelt.no> wrote:

> That is interesting Tom, could you elaborate a little more on the reasons
> for why you don't agree with the attacker model? I was unaware of the
> criticism, so it would be good to get a better understanding.
>
> I guess this also means that you do not agree with the recent work done
> with the security best practices document? (
> https://www.ietf.org/id/draft-ietf-oauth-security-topics-15.html)
>
> My personal opinion is that pointing to a common security profile for
> OAuth will make things easier for systems developers (and for the customers
> posing requirements), and would let the HEART WG focus on the domain
> specific needs for standardization.
>
>
> On Tue, 21 Apr 2020 at 18:30, Tom Jones <thomasclinganjones at gmail.com
> > wrote:
>
>> Well, I am a member of the FAPI wg and do not like their current
>> direction. Specifically, I strongly disagree with Fett's attack model, which
>> has come under increasing attack in, for example, the current issue of the
>> CACM. If HEART focuses on evaluation of solutions before they even try to
>> enumerate the problems that need to be addressed, I will take a pass.
>>
>> thx ..Tom (mobile)
>>
>> On Tue, Apr 21, 2020, 8:04 AM Debbie Bucci <debbucci at gmail.com> wrote:
>>
>>> Agree we are generally heading in that direction, but there may be a diff
>>> between what FAPI covers in the near term and additional requirements (examples:
>>> delegation, support of different client types) (?)
>>>
>>> On Tue, Apr 21, 2020 at 10:56 AM Justin Richer <jricher at mit.edu> wrote:
>>>
>>>> This is what I proposed on the call yesterday, to adopt FAPI as the
>>>> “mechanical” specification base for HEART going forward.
>>>>
>>>> We only defined HEART’s mechanical specifications because there weren’t
>>>> any at the time — we were the first vertically-focused group within OIDF.
>>>> FAPI is now seeking to position themselves as a general purpose baseline
>>>> across different verticals. It’s up to HEART whether to adopt that or not.
>>>>
>>>>
>>>>  — Justin
>>>>
>>>> On Apr 21, 2020, at 10:16 AM, Steinar Noem <steinar at udelt.no> wrote:
>>>>
>>>> Just a comment regarding FAPI. The FAPI WG is working on FAPI version 2
>>>> which has a different wording and approach.
>>>> https://bitbucket.org/openid/fapi/src/master/FAPI_2_0_Baseline_Profile.md
>>>> "OIDF FAPI 2.0 is an API security profile based on the OAuth 2.0
>>>> Authorization Framework"
>>>>
>>>> In my opinion it doesn't make sense to specify another OAuth security
>>>> profile for HEART. I think that if we see a reason to either ease up or
>>>> tighten the requirements specified in FAPI this could be solved by adding
>>>> specific amendments (not sure if that is the correct word to use in this
>>>> context).
>>>>
>>>> Could we invite Daniel Fett from the FAPI WG to do a presentation of
>>>> FAPI to the HEART WG to get a common understanding?
>>>>
>>>> -Steinar
>>>>
>>>> On Mon, 20 Apr 2020 at 19:31, Adrian Gropper <
>>>> agropper at healthurl.com> wrote:
>>>>
>>>>> Thanks for putting up a straw charter, Tom.
>>>>>
>>>>> I disagree with the FAPI reference.
>>>>>
>>>>> Here is what FAPI says at https://openid.net/wg/fapi :
>>>>> 'Specifically, the FAPI WG aims to provide JSON data schemas,
>>>>> security and privacy recommendations and protocols to:
>>>>>
>>>>>    - enable applications to utilize the data stored in the financial
>>>>>    account,
>>>>>    - enable applications to interact with the financial account, and
>>>>>    - enable users to control the security and privacy settings.'
>>>>>
>>>>> The word "users" would need to be "applications" in order to enable
>>>>> the UMA2 "wide ecosystem" model at the core of a patient-centered system.
>>>>> Patients need the ability to specify the agent of their choice. UMA2 (and
>>>>> future OAuth3 designs) should be used to do this.
>>>>>
>>>>> - Adrian
>>>>>
>>>>> On Mon, Apr 20, 2020 at 12:35 PM Tom Jones <
>>>>> thomasclinganjones at gmail.com> wrote:
>>>>>
>>>>>> I haven't seen any ideas, so I offer this as a starting point. It is
>>>>>> intentionally brief to try to focus on the big ideas first.
>>>>>> Peace ..tom
>>>>>>
>>>>>>
>>>>>> On Fri, Apr 17, 2020 at 7:16 AM Debbie Bucci <debbucci at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hello Everyone,
>>>>>>>
>>>>>>> REMINDER:
>>>>>>>
>>>>>>> When: 1 PM PST/4 PM EST
>>>>>>> Where: Gotomeeting  – https://global.gotomeeting.com/join/785234357
>>>>>>> GoToMeeting software is available on Mac, PC, iPhone, and Android
>>>>>>> Phone.
>>>>>>> Using VoIP option of GoToMeeting is preferred. If you must use a
>>>>>>> plain old telephone for some reason, here is the US phone number: +1
>>>>>>> (619) 550-0003. Access Code 785-234-357
>>>>>>> *Please Note: Participation in the call is limited to the 20 most
>>>>>>> active members at the discretion of the chairs due to the number of lines
>>>>>>> available.*
>>>>>>>
>>>>>>> *AGENDA:*
>>>>>>> *Create/Update HEART Charter - link of existing for reference *
>>>>>>> https://openid.net/wg/heart/charter/
>>>>>>>
>>>>>>> Hope you will join us!
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Openid-specs-heart mailing list
>>>>>>> Openid-specs-heart at lists.openid.net
>>>>>>> http://lists.openid.net/mailman/listinfo/openid-specs-heart
>>>>>>>
>>>>
>>>>
>>>> --
>>>> Kind regards
>>>>
>>>> Steinar Noem
>>>> Partner Udelt AS
>>>> Systems developer
>>>>
>>>> | steinar at udelt.no | hei at udelt.no  | +47 955 21 620 | www.udelt.no |
>
>
> --
> Kind regards
>
> Steinar Noem
> Partner Udelt AS
> Systems developer
>
> | steinar at udelt.no | hei at udelt.no  | +47 955 21 620 | www.udelt.no |
>