[Openid-specs-fapi] Issue #136: responsibility (openid/fapi)

Nat Sakimura nat at sakimura.org
Mon Mar 5 23:57:39 UTC 2018



If you have a concrete text proposal, that would be lovely. 

---
Nat Sakimura
Research Fellow, Nomura Research Institute
Chairman of the Board, OpenID Foundation

On 2018-03-05 22:26, Tom Jones via Openid-specs-fapi wrote: 

> Note that the FCA claims it is there to protect the user: 
> https://www.fca.org.uk/about/protecting-consumers [1] 
> It has fixed up some of the language since this thread began. Now the only problem that I have with the FCA docs is that the user experience is not adequate. 
> I would like to see FAPI Part 2 be adequate from a user experience perspective. 
> The OAuth spec does recognize the need for trust, but does not explain the mechanism. 
> I believe that any useful Financial API needs to address the need for trust, and I would like it to mandate at least something about the mechanism for obtaining that trust. 
> 
> Peace ..tom 
> 
> On Mon, Mar 5, 2018 at 5:05 AM, Tom Jones <thomasclinganjones at gmail.com> wrote:
> 
> Perhaps my language is not clear then. 
> As I understand it, the AS gets a grant, which actually comes from the client, and responds with a token; the explicit assumption is that the user trusts the OP to do that with the user's consent. 
> What I believe MUST be in scope for this to make any sense is that the user knows who the client is and trusts the client to act on the user's behalf. 
> If that is not in scope then this spec is actually meaningless from the user's perspective. 
> I understand that is out of scope in OpenID Connect, but it must be in scope for this profile. That is why I also added the strong ID part for the client. 
> 
> In a nutshell: 
> THE USER MUST BE ABLE TO TRUST ANY ENTITY THAT ACTS ON THE USER'S BEHALF TO TAKE MONEY OUT OF THE USER'S ACCOUNT. 
> My assertion: 
> If that is not in scope we have failed the user. 
> 
> Peace ..tom 
> 
> On Fri, Mar 2, 2018 at 3:05 PM, tomcjones via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:
> New issue 136: responsibility
> https://bitbucket.org/openid/fapi/issues/136/responsibility [2]
> 
> tomcjones:
> 
> Add a clarifying comment to FAPI #2
> 
> Following this profile as written is not sufficient to prove the user bears responsibility for the security of the transaction.
> 
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi [3]


Links:
------
[1] https://www.fca.org.uk/about/protecting-consumers
[2] https://bitbucket.org/openid/fapi/issues/136/responsibility
[3] http://lists.openid.net/mailman/listinfo/openid-specs-fapi