Improve content of security recommendations #291

@danielfett

Description

The draft in Sections 5 and 6 refers to the security BCP:

The Authorization Endpoint is used in the same manner as defined in [RFC6749], taking into account the recommendations given in [I-D.ietf-oauth-security-topics].

The Token Endpoint issues an Access Token and, optionally, a Refresh Token in exchange for the Authorization Code that Client obtained in a successful Authorization Response. It is used in the same manner as defined in [RFC6749] and follows the recommendations given in [I-D.ietf-oauth-security-topics].

This wording is misleading, as not all protections mentioned in the BCP are mentioned here (e.g., PKCE is only implied in Section 6; the PKCE downgrade attack mitigation is not mentioned).

This may lead to implementers not implementing necessary security mechanisms.
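The downgrade mitigation the issue refers to is the rule from the Security BCP that an authorization server accepts a `code_verifier` at the token endpoint only if the matching authorization request carried a `code_challenge`. The following is an added example, not code from the draft or from this issue: a minimal in-memory authorization server core (class name, storage, the `OAuthError` type and the `require_pkce` policy switch are assumptions made for illustration) that binds the challenge to the code, verifies S256 per RFC 7636, and rejects the downgrade case alongside the usual code reuse and verifier mismatch failures.

```python
"""Illustrative PKCE handling for an OAuth 2.0 authorization server.

Added example; not the draft's or the issue author's code. The in-memory
code store, OAuthError and the require_pkce flag are assumptions.
"""
import base64
import hashlib
import hmac
import secrets


class OAuthError(Exception):
    """Carries the RFC 6749 / RFC 7636 error code the endpoint would return."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), RFC 7636 4.2."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair():
    """Client side: fresh 256-bit verifier (43 base64url chars) and its S256 challenge."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, s256(verifier)


class AuthorizationServer:
    def __init__(self, require_pkce: bool = True):
        # require_pkce=False models an AS that also serves clients relying on
        # other protections (e.g. OpenID Connect nonce), which is exactly the
        # deployment where the downgrade mitigation matters.
        self.require_pkce = require_pkce
        self._codes = {}  # assumption: in-memory store of issued codes

    def authorize(self, client_id, redirect_uri, code_challenge=None,
                  code_challenge_method=None):
        """Authorization endpoint: bind the challenge (if any) to the issued code."""
        if code_challenge is None and self.require_pkce:
            raise OAuthError("invalid_request")  # RFC 7636 4.4.1
        if code_challenge is not None and code_challenge_method != "S256":
            raise OAuthError("invalid_request")  # only S256 accepted here (design choice)
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "code_challenge": code_challenge,
        }
        return code

    def token(self, client_id, redirect_uri, code, code_verifier=None):
        """Token endpoint: verify the code binding, then the PKCE verifier."""
        entry = self._codes.pop(code, None)  # codes are single-use
        if (entry is None or entry["client_id"] != client_id
                or entry["redirect_uri"] != redirect_uri):
            raise OAuthError("invalid_grant")

        if entry["code_challenge"] is None:
            # PKCE downgrade mitigation (Security BCP): a code_verifier is
            # accepted only if the authorization request had a code_challenge.
            # An attacker who stripped the challenge from the authorization
            # request cannot then redeem the code with their own verifier.
            if code_verifier is not None:
                raise OAuthError("invalid_grant")
        else:
            # Challenge was present: a matching verifier is mandatory.
            if code_verifier is None or not hmac.compare_digest(
                    s256(code_verifier), entry["code_challenge"]):
                raise OAuthError("invalid_grant")  # RFC 7636 4.6

        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def is_rejected(fn, *args, **kwargs) -> bool:
    """True if the endpoint call raises an OAuthError (helper for checks)."""
    try:
        fn(*args, **kwargs)
    except OAuthError:
        return True
    return False


if __name__ == "__main__":
    srv = AuthorizationServer(require_pkce=False)
    verifier, challenge = make_pkce_pair()
    code = srv.authorize("app", "https://app.example/cb", challenge, "S256")
    print("happy path:", srv.token("app", "https://app.example/cb", code, verifier)["token_type"])
    downgraded = srv.authorize("app", "https://app.example/cb")  # challenge stripped
    print("downgrade rejected:", is_rejected(srv.token, "app", "https://app.example/cb",
                                             downgraded, verifier))
```

Both directions of the check matter: a challenge without a verifier and a verifier without a challenge are each rejected, and the code is consumed on first use so a rejected attempt cannot be retried. The RFC 7636 Appendix B vector (`dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` hashes to `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`) is a convenient sanity check for the `s256` transform.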
