<div dir="auto">That's correct but not a concern of HEART. Where would an appropriate forum be?<br><br><div data-smartmail="gmail_signature">thx ..Tom (mobile)</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Apr 21, 2020, 10:24 AM Steinar Noem <<a href="mailto:steinar@udelt.no">steinar@udelt.no</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">That is interesting, Tom. Could you elaborate a little more on the reasons why you don't agree with the attacker model?
I was unaware of the criticism, so it would be good to get a better understanding.<div><br></div><div>I guess this also means that you do not agree with the recent work done with the security best practices document? (<a href="https://www.ietf.org/id/draft-ietf-oauth-security-topics-15.html" target="_blank" rel="noreferrer">https://www.ietf.org/id/draft-ietf-oauth-security-topics-15.html</a>) </div><div><div><div><br></div><div>My personal opinion is that pointing to a common security profile for OAuth will make things easier for systems developers (and for the customers posing requirements), and would let the HEART WG focus on the domain-specific needs for standardization.</div><div><br></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 21 Apr 2020 at 18:30, Tom Jones <<a href="mailto:thomasclinganjones@gmail.com" target="_blank" rel="noreferrer">thomasclinganjones@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Well, I am a member of the FAPI WG and do not like their current direction. Specifically, I strongly disagree with Fett's attack model, which has come under increasing attack in, for example, the current issue of the CACM. 
If HEART focuses on evaluation of solutions before they even try to enumerate the problems that need to be addressed, I will take a pass.<br><br><div>thx ..Tom (mobile)</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Apr 21, 2020, 8:04 AM Debbie Bucci <<a href="mailto:debbucci@gmail.com" target="_blank" rel="noreferrer">debbucci@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div dir="auto">Agree we are generally heading in that direction, but there may be a difference between what FAPI covers in the near term and additional requirements (examples: delegation, support of different client types) (?) </div></div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Apr 21, 2020 at 10:56 AM Justin Richer <<a href="mailto:jricher@mit.edu" rel="noreferrer noreferrer" target="_blank">jricher@mit.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>This is what I proposed on the call yesterday: to adopt FAPI as the “mechanical” specification base for HEART going forward.<div><br></div><div>We only defined HEART’s mechanical specifications because there weren’t any at the time — we were the first vertically-focused group within OIDF. FAPI is now seeking to position themselves as a general-purpose baseline across different verticals. It’s up to HEART whether to adopt that or not.</div></div><div><div><br><div><br></div><div> — Justin<br><div><br><blockquote type="cite"><div>On Apr 21, 2020, at 10:16 AM, Steinar Noem <<a href="mailto:steinar@udelt.no" rel="noreferrer noreferrer" target="_blank">steinar@udelt.no</a>> wrote:</div><br><div><div dir="ltr"><div>Just a comment regarding FAPI. The FAPI WG is working on FAPI version 2, which has a different wording and approach. 
<a href="https://bitbucket.org/openid/fapi/src/master/FAPI_2_0_Baseline_Profile.md" rel="noreferrer noreferrer" target="_blank">https://bitbucket.org/openid/fapi/src/master/FAPI_2_0_Baseline_Profile.md</a></div><div>"<span style="color:rgb(23,43,77);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px">OIDF FAPI 2.0 is an API security profile based on the OAuth 2.0 Authorization Framework"</span></div><div><span style="color:rgb(23,43,77);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px"><br></span></div><div>In my opinion it doesn't make sense to specify another OAuth security profile for HEART. I think that if we see a reason to either ease up or tighten the requirements specified in FAPI, this could be solved by adding specific amendments (not sure if that is the correct word to use in this context).</div><div><br></div><div>Could we invite Daniel Fett from the FAPI WG to do a presentation of FAPI to the HEART WG to get a common understanding?</div><div><br></div><div>-Steinar</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 20 Apr 2020 at 19:31, Adrian Gropper <<a href="mailto:agropper@healthurl.com" rel="noreferrer noreferrer" target="_blank">agropper@healthurl.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Thanks for putting up a straw charter, Tom.</div><div><br></div><div>I disagree with the FAPI reference. 
<br></div><div><br></div><div>Here is what FAPI says at <a href="https://openid.net/wg/fapi/" rel="noreferrer noreferrer" target="_blank">https://openid.net/wg/fapi</a> :<br></div><div style="margin-left:40px">'Specifically, the FAPI WG aims to <span style="font-weight:400">provide JSON data schemas, security and privacy recommendations and protocols to:</span></div><div><div style="margin-left:40px">
</div><ul style="margin-left:40px"><li><span style="font-weight:400">enable applications to utilize the data stored in the financial account,</span></li><li><span style="font-weight:400">enable applications to interact with the financial account, and</span></li><li><span style="font-weight:400">enable <span style="background-color:rgb(255,255,0)">users</span> to control the security and privacy settings.'</span></li></ul><div>The word "users" would need to be "applications" in order to enable the UMA2 "wide ecosystem" model at the core of a patient-centered system. Patients need the ability to specify the agent of their choice. UMA2 (and future OAuth3 designs) should be used to do this.</div><div><br></div><div>- Adrian<br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Apr 20, 2020 at 12:35 PM Tom Jones <<a href="mailto:thomasclinganjones@gmail.com" rel="noreferrer noreferrer" target="_blank">thomasclinganjones@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">I haven't seen any ideas, so I offer this as a starting point. 
It is intentionally brief to try to focus on the big ideas first.<br clear="all"><div><div dir="ltr"><div dir="ltr"><div>Peace ..tom</div></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Apr 17, 2020 at 7:16 AM Debbie Bucci <<a href="mailto:debbucci@gmail.com" rel="noreferrer noreferrer" target="_blank">debbucci@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><span style="background-color:rgb(250,250,250);color:rgb(90,90,90);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;font-weight:700">Hello Everyone,</span><div><span style="background-color:rgb(250,250,250);color:rgb(90,90,90);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;font-weight:700"><br></span></div><div><span style="background-color:rgb(250,250,250);color:rgb(90,90,90);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;font-weight:700">REMINDER:<br></span><div style="background-color:rgb(250,250,250);color:rgb(90,90,90);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;margin:0px 0px 11px"><br></div><span style="font-weight:700;background-color:rgb(250,250,250);color:rgb(90,90,90);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px">When: 1 PM PST/4 PM EST</span><br><span style="background-color:rgb(250,250,250);color:rgb(90,90,90);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;font-weight:700">Where: Gotomeeting – </span><a href="https://global.gotomeeting.com/join/785234357" rel="noopener noreferrer noreferrer noreferrer" style="background-color:rgb(250,250,250);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;color:rgb(247,140,64);text-decoration-line:none" target="_blank">https://global.gotomeeting.com/join/785234357</a><br><span 
style="background-color:rgb(250,250,250);color:rgb(90,90,90);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px">GoToMeeting software is available on Mac, PC, iPhone, and Android Phone.</span><br><span style="background-color:rgb(250,250,250);color:rgb(90,90,90);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;font-weight:700">Using the VoIP option of GoToMeeting is preferred</span><span style="background-color:rgb(250,250,250);color:rgb(90,90,90);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px">. If you must use a plain old telephone for some reason, here is the US phone number:</span><span style="background-color:rgb(250,250,250);color:rgb(90,90,90);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px"> </span><span style="background-color:rgb(250,250,250);color:rgb(90,90,90);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;white-space:nowrap">+1 (619) 550-0003. Access Code 785-234-357</span><br><em style="background-color:rgb(250,250,250);color:rgb(90,90,90);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px">Please Note: Participation in the call is limited to the 20 most active members at the discretion of the chairs due to the number of lines available.</em><br></div><div><em style="background-color:rgb(250,250,250);color:rgb(90,90,90);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px"><br></em></div><div><em style="background-color:rgb(250,250,250);color:rgb(90,90,90);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px">AGENDA:</em></div><div><font face="Helvetica Neue, Helvetica, Arial, sans-serif" color="#5a5a5a"><span style="font-size:14px;background-color:rgb(250,250,250)"><i>Create/Update HEART Charter - link of existing for reference </i></span></font><a href="https://openid.net/wg/heart/charter/" rel="noreferrer noreferrer" 
target="_blank">https://openid.net/wg/heart/charter/</a></div><div><br></div><div>Hope you will join us!</div><div><br></div><div><br></div></div>
_______________________________________________<br>
Openid-specs-heart mailing list<br>
<a href="mailto:Openid-specs-heart@lists.openid.net" rel="noreferrer noreferrer" target="_blank">Openid-specs-heart@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-heart" rel="noreferrer noreferrer noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a><br>
</blockquote></div>
</blockquote></div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr"><div dir="ltr"><div><div dir="ltr"><div style="color:rgb(80,0,80)"><span style="color:rgb(34,34,34)">Kind regards</span><br></div><div style="color:rgb(80,0,80)"><span style="color:rgb(34,34,34)"><br></span></div><div style="color:rgb(80,0,80)"><div style="color:rgb(34,34,34)">Steinar Noem</div><div style="color:rgb(34,34,34)">Partner Udelt AS</div><div style="color:rgb(34,34,34)">Systems developer</div><div style="color:rgb(34,34,34)"> </div><div style="color:rgb(34,34,34)">| <a href="mailto:steinar@udelt.no" style="color:rgb(17,85,204)" rel="noreferrer noreferrer" target="_blank"><span style="color:rgb(34,34,34);background:rgb(255,255,204)">steinar@udelt.no</span></a> | <a href="mailto:hei@udelt.no" style="color:rgb(17,85,204)" rel="noreferrer noreferrer" target="_blank">hei@udelt.no</a> | <a rel="noreferrer noreferrer">+47 955 21 620</a> | <a href="http://www.udelt.no/" style="color:rgb(17,85,204)" rel="noreferrer noreferrer" target="_blank">www.udelt.no</a> | </div></div></div></div></div></div>
</div></blockquote></div><br></div></div></div>
</blockquote></div></div>
</blockquote></div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr"><div dir="ltr"><div><div dir="ltr"><div style="color:rgb(80,0,80)"><span style="color:rgb(34,34,34)">Kind regards</span><br></div><div style="color:rgb(80,0,80)"><span style="color:rgb(34,34,34)"><br></span></div><div style="color:rgb(80,0,80)"><div style="color:rgb(34,34,34)">Steinar Noem</div><div style="color:rgb(34,34,34)">Partner Udelt AS</div><div style="color:rgb(34,34,34)">Systems developer</div><div style="color:rgb(34,34,34)"> </div><div style="color:rgb(34,34,34)">| <a href="mailto:steinar@udelt.no" style="color:rgb(17,85,204)" target="_blank" rel="noreferrer"><span style="color:rgb(34,34,34);background:rgb(255,255,204)">steinar@udelt.no</span></a> | <a href="mailto:hei@udelt.no" style="color:rgb(17,85,204)" target="_blank" rel="noreferrer">hei@udelt.no</a> | <a rel="noreferrer">+47 955 21 620</a> | <a href="http://www.udelt.no/" style="color:rgb(17,85,204)" target="_blank" rel="noreferrer">www.udelt.no</a> | </div></div></div></div></div></div>
</blockquote></div>