[Openid-specs-fapi] Google proposal: FIDO/PISP Integration

Torsten Lodderstedt torsten at lodderstedt.net
Mon Apr 13 12:43:58 UTC 2020

> On 13. Apr 2020, at 11:51, Anders Rundgren <anders.rundgren.net at gmail.com> wrote:
> On 2020-04-13 10:45, Torsten Lodderstedt wrote:
>> Thanks.
>> Any idea how this is protected from replay?
> It is [probably] not an intrinsic part of the design. My guess is that each "Wallet" (ServiceWorker) invocation would result in a unique and time-stamped authorization.  Then it is up to the verifier (Bank) to check if an authorization has already been processed/used and ultimately returning the identical result (idempotent).

The PISP as MITM could suppress the request and replay it itself later. I don’t see whether the proposal bind the FIDO messages to a certain transaction (amount, creditor etc).

> PISP-specific keys seem like a pretty hard sell.

It feels like sacrificing the FIDO security model for the embedded mode. 

> Anders
>>> Am 13.04.2020 um 06:45 schrieb Anders Rundgren via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>:
>>> https://www.w3.org/2020/02/3p-creds-20200219.pdf
>>> _______________________________________________
>>> Openid-specs-fapi mailing list
>>> Openid-specs-fapi at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-fapi

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3946 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20200413/ca77baf6/attachment.p7s>

More information about the Openid-specs-fapi mailing list