[Openid-specs-fapi] Issue #136: responsibility (openid/fapi)
Nat Sakimura
nat at sakimura.org
Mon Mar 5 23:57:39 UTC 2018
If you have a concrete text proposal, that would be lovely.
---
Nat Sakimura
Research Fellow, Nomura Research Institute
Chairman of the Board, OpenID Foundation
On 2018-03-05 22:26, Tom Jones via Openid-specs-fapi wrote:
> Note that the FCA claims it is there to protect the user
> https://www.fca.org.uk/about/protecting-consumers [1]
> It has fixed up some of the language since this thread began. Now the only problem that I have with the FCA docs is that the user experience is not adequate.
> I would like to see fapi pt 2 be adequate from a user experience perspective.
> The OAUTH spec does recognize the need for trust, but does not explain the mechanism.
> I believe that any useful Financial API needs to address the need for trust, and I would like it to mandate at least something about the mechanism for obtaining that trust.
>
> Peace ..tom
>
> On Mon, Mar 5, 2018 at 5:05 AM, Tom Jones <thomasclinganjones at gmail.com> wrote:
>
> perhaps my language is not clear then.
> As I understand it, the AS gets a grant, which actually comes from the client, and responds with a token; the explicit assumption is that the user trusts the OP to make that at the user's consent.
> What I believe MUST be in scope for this to make any sense is that the user knows who the client is and trusts the client to act on the user's behalf.
> If that is not in scope then this spec is actually meaningless from the user's perspective.
> I understand that is out of scope in OpenID Connect, but it must be in scope for this profile. That is why I also added the strong ID part for the client.
>
> In a nutshell:
> THE USER MUST BE ABLE TO TRUST ANY ENTITY THAT ACTS ON THE USER'S BEHALF TO TAKE MONEY OUT OF THE USER'S ACCOUNT.
> My assertion:
> If that is not in scope we have failed the user.
>
> Peace ..tom
>
> On Fri, Mar 2, 2018 at 3:05 PM, tomcjones via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:
> New issue 136: responsibility
> https://bitbucket.org/openid/fapi/issues/136/responsibility [2]
>
> tomcjones:
>
> Add a clarifying comment to FAPI #2
>
> Following this profile as written is not sufficient to prove the user bears responsibility for the security of the transaction.
>
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi [3]
Links:
------
[1] https://www.fca.org.uk/about/protecting-consumers
[2] https://bitbucket.org/openid/fapi/issues/136/responsibility
[3] http://lists.openid.net/mailman/listinfo/openid-specs-fapi