[Openid-specs-fapi] Google proposal: FIDO/PISP Integration
Anders Rundgren
anders.rundgren.net at gmail.com
Mon Apr 13 14:03:32 UTC 2020
On 2020-04-13 14:43, Torsten Lodderstedt wrote:
>
>
>> On 13. Apr 2020, at 11:51, Anders Rundgren <anders.rundgren.net at gmail.com> wrote:
>>
>> On 2020-04-13 10:45, Torsten Lodderstedt wrote:
>>> Thanks.
>>> Any idea how this is protected from replay?
>>
>> It is [probably] not an intrinsic part of the design. My guess is that each "Wallet" (ServiceWorker) invocation would result in a unique and time-stamped authorization. Then it is up to the verifier (Bank) to check if an authorization has already been processed/used and ultimately returning the identical result (idempotent).
>
> The PISP as MITM could suppress the request and replay it itself later. I don’t see whether the proposal bind the FIDO messages to a certain transaction (amount, creditor etc).
It is really not a very detailed description but page #18 seems to do something like that.
>
>>
>> PISP-specific keys seem like a pretty hard sell.
>
> It feels like sacrificing the FIDO security model for the embedded mode.
This is an [heroic|stupid] Google-lead effort to exploit the https://www.w3.org/TR/payment-handler/ in a PISP context.
Anders
>
>>
>> Anders
>>
>>
>>>> Am 13.04.2020 um 06:45 schrieb Anders Rundgren via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>:
>>>>
>>>> https://www.w3.org/2020/02/3p-creds-20200219.pdf
>>>> _______________________________________________
>>>> Openid-specs-fapi mailing list
>>>> Openid-specs-fapi at lists.openid.net
>>>> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
>>
>
More information about the Openid-specs-fapi
mailing list