FDC3 revolves around several types of independent entities:
Applications
Desktop Agents
App Directories
Users
Each of these has an identity, and needs to know and trust the identities of several of the others in order to work seamlessly. However, at present there are few or no methods for them to validate those identities within the FDC3 Standard, meaning trust must be assumed. This comes with problems and risks: data loss, identity theft, OAuth hell, or an inability to adopt interop via FDC3 - all of which are a threat to the FDC3 ecosystem’s continued growth. This complexity is multiplied by the different types of FDC3 setups now possible - desktop app interop, in-container interop, web interop, and interop between Desktop Agents (Bridging).
Over the past few years, various discussions, demos and roundtables have addressed this topic, but the outcome each time has been “what do our users need?”.
Therefore our first objective in this stream is to dig into what these risks and problems are, before we discuss and work on potential solutions.
FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact legal@finos.org with any questions.
FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.
A Discussion Group has no direct decision-making power regarding the FDC3 standard - rather it is intended that anything they propose or work on will result in proposals (via Github issues and PRs) for the Standards Working Group participants to consider and vote on for inclusion in the standard.
Agenda (60 mins)
[ ] Convene & roll call, review meeting notices (5mins)
[ ] Discuss usecases from participants (50mins)
[ ] AOB & Adjourn (5mins)
Minutes
The entire discussion revolved around building and refining a set of "core use-cases" that can be used to analyse the different potential solutions (signing, symmetric or asymmetric encryption, etc.).
Use Case A: “Look up public information”
Persona: Buy-side investor
From: In-house platform
To: Market data app
Flow: From within their in-house platform, the user requests the latest news items concerning a public company, using a context broadcast or a direct intent
Risks: There is no proprietary information sent, however the fact that the investor is looking at this information is in itself confidential
Use Case B: “Look up internal information”
Persona: Buy-side investor
From: Market data app
To: In-house platform
Flow: Whilst browsing public information, an investor wants to check the current firm position on a security
Risks: Again, no proprietary information is sent over FDC3 (only a request to display whatever internal information may or may not exist). But again, the fact that the investor wants to look at this information is in itself confidential
Use Case C: “Request pre-trade information”
Persona: Buy-side trader
From: In-house platform
To: Multiple Single-dealer platforms
Flow: Buy-side trader requests margin requirements on an instrument from multiple sell-side platforms. Information is sent back through intent replies
Risks: From the buy-side perspective, they expect the same level of confidentiality as cases A/B - none of their data is shared, but the fact that they want to see this data is in and of itself confidential. From the sell-side perspective, they cannot risk this information leaking to anyone except the buy-side firm who requested it.
Use Case D: “CRUD with sensitive information”
Persona: Analyst
From: In-house platform
To: CRM
Flow: Log a client call
Risks: Similar to use-case B, but with two differences: sensitive information is transmitted over FDC3, and this is a “write” operation, not a read.
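To make the “fact of the lookup is itself confidential” risk in use cases A and C concrete, here is an added illustration (not FDC3 reference code, nor anything the group produced): a minimal in-memory model of a Desktop Agent that routes context broadcasts and intents between apps. It borrows the FDC3 API names (broadcast, raiseIntent, addContextListener, addIntentListener) for shape only; the app ids, the App Directory list, the GetMarginRequirement intent and the margin figures are all constructed for the example. The point it shows is that a user-channel broadcast fans out to every app listening for that context type, so any connected listener learns which instrument the investor is looking at, whereas an intent reply returns to the requester only; the only identity check in the model is a directory allowlist at connect time.

```javascript
// Added illustration for use cases A and C above, not FDC3 reference code.
// A toy Desktop Agent: one implicit user channel, an App Directory modelled as
// a plain allowlist of app ids, and an audit trail of every delivery it makes.
function createAgent(directory) {
  const apps = new Map(); // appId -> { contextListeners: [], intentListeners: Map }
  const audit = [];       // { kind, from, to, type } for every delivery

  function connect(appId) {
    // Only apps the (constructed) App Directory lists may join. This is the one
    // identity check in the model; it does not verify that the connecting
    // process really is that app, which is the gap the discussion group is about.
    if (!directory.includes(appId)) throw new Error(`unknown app: ${appId}`);
    const app = { contextListeners: [], intentListeners: new Map() };
    apps.set(appId, app);
    return {
      addContextListener(type, handler) { app.contextListeners.push({ type, handler }); },
      addIntentListener(intent, handler) { app.intentListeners.set(intent, handler); },
      broadcast(context) {
        // Delivered to every other app listening for this context type; the
        // sender neither sees nor restricts who receives it.
        for (const [to, other] of apps) {
          if (to === appId) continue;
          for (const l of other.contextListeners) {
            if (l.type === context.type) {
              audit.push({ kind: 'broadcast', from: appId, to, type: context.type });
              l.handler(context);
            }
          }
        }
      },
      raiseIntent(intent, context, target) {
        // With a target only that app is asked; without one, every app that
        // registered the intent is asked. Replies come back to the requester only.
        const replies = [];
        for (const [to, other] of apps) {
          if (target && to !== target) continue;
          const handler = other.intentListeners.get(intent);
          if (!handler) continue;
          audit.push({ kind: 'intent', from: appId, to, type: intent });
          replies.push({ from: to, result: handler(context) });
        }
        return replies;
      },
    };
  }
  return { connect, audit };
}

// Use case A: the in-house platform broadcasts an instrument to get news.
// A chart app that merely listens for instruments also learns what was looked up.
function useCaseA() {
  const agent = createAgent(['inhouse', 'news-app', 'chart-app']); // constructed directory
  const inhouse = agent.connect('inhouse');
  const seen = [];
  agent.connect('news-app').addContextListener('fdc3.instrument', (c) => seen.push(['news-app', c.id.ticker]));
  agent.connect('chart-app').addContextListener('fdc3.instrument', (c) => seen.push(['chart-app', c.id.ticker]));
  inhouse.broadcast({ type: 'fdc3.instrument', id: { ticker: 'ACME' } }); // constructed context
  return { seen, recipients: agent.audit.map((e) => e.to) };
}

// Use case C: the trader's platform raises a (constructed) intent to every
// sell-side app; each dealer's reply is returned to the requester and nowhere else.
function useCaseC() {
  const agent = createAgent(['inhouse', 'dealer-1', 'dealer-2']);
  const inhouse = agent.connect('inhouse');
  const margins = { 'dealer-1': 12.5, 'dealer-2': 13.0 }; // constructed figures
  for (const d of ['dealer-1', 'dealer-2']) {
    agent.connect(d).addIntentListener('GetMarginRequirement', (c) => ({ ticker: c.id.ticker, margin: margins[d] }));
  }
  const replies = inhouse.raiseIntent('GetMarginRequirement', { type: 'fdc3.instrument', id: { ticker: 'ACME' } });
  return { replies, asked: agent.audit.map((e) => e.to) };
}
```

Running useCaseA() shows both news-app and chart-app in the audit trail for a single broadcast, which is the leakage the risk notes describe: nothing proprietary crosses the wire, but every listener now knows the investor is looking at ACME. useCaseC() shows the intent path returning two replies to inhouse only, so for the sell-side the question becomes whether the agent can prove that “inhouse” is really the app the directory says it is, which is what the signing and encryption options in the minutes are meant to address.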
Action Items
Yannick & Rob to propose solutions and build the solution/use-case matrix
Relevant issue tags
https://github.com/finos/FDC3/labels/identity-security
Meeting Date
Thursday 14 Mar 2024 - 3pm GMT
Zoom info
Meeting notices
FINOS Project leads are responsible for observing the FINOS guidelines for running project meetings. Project maintainers can find additional resources in the FINOS Maintainers Cheatsheet.
All participants in FINOS project meetings are subject to the LF Antitrust Policy, the FINOS Community Code of Conduct and all other FINOS policies.