[Openid-specs-fapi] i wish to resign from FAPI

Tom Jones thomasclinganjones at gmail.com
Wed Aug 15 18:38:47 UTC 2018


Well, i have spent as much time reviewing and annotating the attached
document as i am willing to do pro bono.
What I don't see is any reason for the user to trust the flow shown.
So is the net result a debit against the user's account that is the user's
liability?
And does the user have the responsibility to prove that the charge was not
authorized by them?

This is not a service that i personally would be willing to use with a US
bank.
Here is the site where i record my own thought on user consent:
http://tcwiki.azurewebsites.net/index.php?title=User_Consent#Full_Title_or_Meme
i am also working with the Kantara CIS group and Mark Lizar by building an
OP that uses consent and show some results here:
tcwiki.azurewebsites.net/index.php?title=Consent_Receipt_Construction



Peace ..tom

On Wed, Aug 15, 2018 at 10:56 AM, Ralph Bragg <ralph.bragg at raidiam.com>
wrote:

> Hi Tom,
>
> I’m personally really interested in the concerns you’ve raised especially
> when it comes to the OB part.
>
> This (below) is the consent guidelines that the OBIE currently have
> published with an update in train.
>
> OB would be really interested in your feedback and comments.
>
> Kind regards,
>
> https://www.openbanking.org.uk/wp-content/uploads/Consent-Model-Part-1-Implementation-Guide.pdf
>
>
>
>
> ------------------------------
> *From:* 32022724200n behalf of
> *Sent:* Wednesday, August 15, 2018 16:55
> *To:* Financial API Working Group List
> *Cc:* Tom Jones
> *Subject:* [Openid-specs-fapi] i wish to resign from FAPI
>
> Please remove my name from the mailing list and from all future
> documentation produced by the wg.
>
> If you care to know why; i thought i would list my reasons (these just
> relate to the FAPI part):
> 1. FAPI is being used by the UK OB & PSD2 folk as proof of security
> compliance but that only applies to the connection between the ASPSP and
> TPP, the user is not involved.
> 2. Since this is the Open ID foundation, i believe it is not part of our
> work to consider any standard where the user is not identified.
> 3. We have no input on user consent to the process.
>
> I also have concerns about the damage that will be reflected on the OpenID
> foundation by association with a group that appears to have no interests in
> the user or the financial and time loss to the user that will (IMHO) result
> from user unhappiness with the way that their private data and actual
> assets are put on display without their explicit consent. It seems that the
> ASPSP has no choice but to accept a payment request initiated by any entity
> approved by any member state including Malta (with known tolerance for
> Russian oligarchs) or the Channel Islands which have been used by UK banks
> to avoid money laundering regulations. I do understand that they can refuse
> the request, but that action can be challenged by any TPP, which is certain
> to wear down their fiduciary duty to their users. The OP in the cases i
> have seen is not defined, so the threats cannot be fully known.
>
> Peace ..tom
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Consent-Model-Part-1-Implementation-Guidetcj.pdf
Type: application/pdf
Size: 6475365 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20180815/7b5072af/attachment-0001.pdf>