[Openid-specs-fapi] Proposal to use DDA specification in FAPI

Luis SAIZ GIMENO luis.saiz at bbva.com
Tue Jun 14 13:10:31 UTC 2016


Hi,

Maybe it's not a subject for this list but it sounds odd to me the use of
POST for "get" info. In order to be more consistent with REST APIs and to
avoid mistakes in authorization rules/scopes I think it should be used GET
for read-only operations and POST(PUT/DELETE) for write operations
("transfer" scope)

The use of GET vs POST for security reasons dates from the early HTTP RFC
when TLS was uncommon (HTTP predates TLS). Nowadays and even more in a
financial scenario, all transfers must be done under TLS and so no
sensitive info can be leaked in proxies. Web servers has access to the full
info regardless GET/POST, it's a server-side responsibility to configure
web servers audit logs for not logging sensitive information

Recommendations of W3C:

https://www.w3.org/2001/tag/doc/whenToUseGet.html


BTW, HEART WG explicitly refers to RESTful APIs but FAPI don't. Should we
consider and discuss about it?


Best,

Luis

-------
"Crypto can't create trust It merely automates the trust that already
exists for other reasons" -- John Gilmore

2016-06-09 2:34 GMT+02:00 Saxena, Anoop <Anoop_Saxena at intuit.com>:

> Hello All,
>
>
>
> FS-ISAC working group   ratified a solution that will replace credential
> based aggregation of data via screen scraping bank website with  OAUTH 2.x
> & DDA (durable data API).
>
>
>
> Recommendation for Open Id FAPI working group to use Durable Data API as
> base which defines various entities definition (such as Account,
> transactions etc.. ).
>
> These entities are returned under the scope of OAUTH token.
>
>
>
>
>
> Note: See attachment for detail DDA Specification.
>
>
>
>
>
> Thanks,
>
>
>
> Anoop Saxena
>
> Architect
> *Intuit |** simplify the business of life**tm*
>
>
>
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
>
>


-- 

*BBVA*

*Luis Saiz Gimeno*

*Innovation in Security*

Móvil +34 609703264 - Tel. +34 918073152 - luis.saiz at bbva.com

*Engineering - Architecture & Global Deployment *– Monforte de Lemos, s/n,
28029

Maps:
https://www.google.es/maps/place/Av.+de+Monforte+de+Lemos,+28,+28029+Madrid/

Antes de imprimir este mensaje, por favor comprueba que es necesario
hacerlo. Before you print this message please consider if it is really
necessary.

-- 


"Este mensaje está dirigido de manera exclusiva a su destinatario y puede 
contener información privada y confidencial. No lo reenvíe, copie o 
distribuya a terceros que no deban conocer su contenido. En caso de haberlo 
recibido por error,  rogamos lo notifique al remitente y proceda a su 
borrado, así como al de cualquier documento que pudiera adjuntarse.

 Por favor tenga en cuenta que los correos enviados vía Internet no 
permiten garantizar la confidencialidad de los mensajes ni su transmisión 
de forma íntegra.

 Las opiniones expresadas en el presente correo pertenecen únicamente al 
remitente y no representan necesariamente la opinión del Grupo BBVA."

 "This message is intended exclusively for the adressee and may contain 
privileged and confidential information. Please, do not disseminate, copy 
or distribute it to third parties who should not receive it. In case you 
have received it by mistake, please inform the sender and delete the 
message and attachments from your system.

 Please keep in mind that e-mails sent by Internet do not allow to 
guarantee neither the confidentiality or the integrity of the messages 
sent."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20160614/955853ca/attachment.html>


More information about the Openid-specs-fapi mailing list