Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FDC3 Identity & Threat Modelling Meeting - Nov 14, 2024 #1435

Open
2 tasks
Yannick-Malins opened this issue Nov 14, 2024 · 7 comments
Open
2 tasks

FDC3 Identity & Threat Modelling Meeting - Nov 14, 2024 #1435

Yannick-Malins opened this issue Nov 14, 2024 · 7 comments

Comments

@Yannick-Malins
Copy link
Contributor

Date

Thursday 14 Nov 2024 - 16:00 UTC

Zoom info

  • Join Zoom Meeting
  • Meeting ID: 969 4029 4948
  • Passcode: 636931
  • Dial-in:
    Country International Dial-in Toll-free Dial-in
    US +1 929 205 6099 (New York) 877 853 5247
    UK +44 330 088 5830 0800 031 5717
    France +33 1 8699 5831 0 800 940 415
    Find your local number https://zoom.us/u/ad2WVnBzb8

Meeting notices

  • FINOS Project leads are responsible for observing the FINOS guidelines for running project meetings. Project maintainers can find additional resources in the FINOS Maintainers Cheatsheet.

  • All participants in FINOS project meetings are subject to the LF Antitrust Policy, the FINOS Community Code of Conduct and all other FINOS policies.

  • FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact legal@finos.org with any questions.

  • FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.

Participation Requirements

Note: Meeting participants are expected to accept the terms of the FDC3 license (Community Specification License), understand the governance process and have a CLA in place.

Please click the following links at the start of the meeting if you have not done so previously.

Tracking Attendance

Note: Meeting participants are expected to add a comment to this GitHub issue in order that we can track attendance of FDC3 project meetings. Please do this at the start of the meeting.

Agenda (45mn)

  • Convene & roll call, review meeting notices (5mn)
  • Continue brainstorm on how to share public keys for signing/encryption flows, agree on one or multiple recommendations (40mn)

Minutes

@paulgoldsmith
Copy link

Paul Goldsmith / Morgan Stanley

@kriswest
Copy link
Contributor

Kris West / interop.io 🚀

@robmoffat
Copy link
Member

Rob Moffat / FINOS 🔍

@kiran-shahane
Copy link

Kiran Shahane / Morgan Stanley

@Yannick-Malins
Copy link
Contributor Author

yannick malins / Symphony

@kemerava
Copy link
Contributor

Elizabeth Kemerava / BlackRock

@kriswest
Copy link
Contributor

kriswest commented Nov 14, 2024

Some notes we took at the end of the call for @Yannick-Malins:

  • Establishing trust requires administrative between two firms + a system of confirming identity
  • That could result in an approving TLD or appD's domain such that any apps published under the appD on that domain can be identified and hence could be trusted
  • AppD records can contain JSON Web Key elements describing keys to use for authentication of identity - need to establish a field for these, which can hold multiple keys
  • Set-up of a secure channel might involve exchanging appD record URLs, which can be compared to that approved list.
  • This doesn't require a central directory (e.g. FINOS) - but there might still be advantages to creating one to help with onboarding processes - if not record retrievals
  • Federation of appDs (so an appD referencing records held in another) has use cases of its own - both at the FINOS level and for users of Desktop Agents (not just copying records but referencing them from the true owner).
  • To get this done in teh standard, we'll need:
    • a proposal to add some JWK elements to the appD record
    • a proposal to intents and contexts needed (potentially including an exchange appD URLs between apps looking to talk)
    • documentation of the process of secure communication to add to a new page in the standard (probably under the API section, but perhaps in a new file)
    • possible a review of the proposal/sample implementation by a security expert (for confirmation it is secure process)
  • The keys added to AppD records can later be used for proposals to enable app identity validation by Desktop Agents

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

6 participants