[Openid-specs-fapi] Google proposal: FIDO/PISP Integration

Anders Rundgren anders.rundgren.net at gmail.com
Mon Apr 13 09:51:57 UTC 2020

On 2020-04-13 10:45, Torsten Lodderstedt wrote:
> Thanks.
> Any idea how this is protected from replay?

It is [probably] not an intrinsic part of the design. My guess is that each "Wallet" (ServiceWorker) invocation would result in a unique and time-stamped authorization.  Then it is up to the verifier (Bank) to check if an authorization has already been processed/used and ultimately returning the identical result (idempotent).

PISP-specific keys seem like a pretty hard sell.


>> Am 13.04.2020 um 06:45 schrieb Anders Rundgren via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>:
>> https://www.w3.org/2020/02/3p-creds-20200219.pdf
>> _______________________________________________
>> Openid-specs-fapi mailing list
>> Openid-specs-fapi at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-fapi

More information about the Openid-specs-fapi mailing list