[Openid-specs-fapi] Issue #136: responsibility (openid/fapi)

Tom Jones thomasclinganjones at gmail.com
Mon Mar 5 13:26:16 UTC 2018


Note that the FCA claims it is there to protect the user:
https://www.fca.org.uk/about/protecting-consumers
It has fixed up some of the language since this thread began. Now the only
problem that I have with the FCA docs is that the user experience is not
adequate.
I would like to see FAPI pt 2 be adequate from a user experience
perspective.
The OAuth spec does recognize the need for trust, but does not explain the
mechanism.
I believe that any useful Financial API needs to address the need for
trust, and I would like it to mandate at least something about the
mechanism for obtaining that trust.


Peace ..tom

On Mon, Mar 5, 2018 at 5:05 AM, Tom Jones <thomasclinganjones at gmail.com>
wrote:

> Perhaps my language is not clear then.
> As I understand it, the AS gets a grant, which actually comes from the
> client, and responds with a token; the explicit assumption is that the user
> trusts the OP to do that with the user's consent.
> What I believe MUST be in scope for this to make any sense is that the
> user knows who the client is and trusts the client to act on the user's
> behalf.
> If that is not in scope then this spec is actually meaningless from the
> user's perspective.
> I understand that is out of scope in OpenID Connect, but it must be for this
> profile. That is why I also added the strong ID part for the client.
>
> In a nutshell:
> THE USER MUST BE ABLE TO TRUST ANY ENTITY THAT ACTS ON THE USER'S BEHALF
> TO TAKE MONEY OUT OF THE USER'S ACCOUNT.
> My assertion:
> If that is not in scope we have failed the user.
>
> Peace ..tom
>
> On Fri, Mar 2, 2018 at 3:05 PM, tomcjones via Openid-specs-fapi <
> openid-specs-fapi at lists.openid.net> wrote:
>
>> New issue 136: responsibility
>> https://bitbucket.org/openid/fapi/issues/136/responsibility
>>
>> tomcjones:
>>
>> Add a clarifying comment to FAPI #2
>>
>> Following this profile as written is not sufficient to prove the user
>> bears responsibility for the security of the transaction.
>>
>>
>> _______________________________________________
>> Openid-specs-fapi mailing list
>> Openid-specs-fapi at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
>>
>
>