[Openid-specs-fapi] Strong MERCHANT Authentication

Francis Pouatcha fpo at adorsys.de
Thu Apr 9 19:45:11 UTC 2020

> > Personally, I'm into "moderately smart contracts" that are targeted
> > at a more conventional payment market:
> > https://cyberphone.github.io/doc/payments/y2020-strong-merchant-authorization.pdf
> >
> > Great illustration. This is the way to go. Banking protocols like EBICS
> > (http://www.ebics.org/home-page/) have been making use of signature
> > key-pairs in the corporate context for a while. Now it is also open for
> > individual customers. We will slowly be witnessing progress in this
> > direction.
>
> Thanks!  I hope you are right :)
> EBICS was new to me.  It looks quite interesting.
> In my particular use case, secure lookup services are used rather than
> X.509 certificates due to the amount of structured and certified data
> needed by verifiers:
> https://mobilepki.org/webpay-payeebank/payees/86344

Submitting a payment request to a bank is associated with a lot of
provisions including AML, GDPR, ... (no matter if it is a credit transfer
or a direct debit). European PSD2 uses eIDAS certificates for TPPs. I like
the concept of strong merchant authentication, as merchants could also be
issued certificates. The merchant will then use a certified key-pair to submit
the customer's signed payment request to the bank, without any third party.
I suspect major merchants will end up acquiring TPP certificates.

> This makes the scheme scale trust-wise in the same way as the bank network
> itself without introducing new parties in the soup.  Merchant hosting
> services may though be needed since banks typically are not equipped for
> dealing with small merchants.
Web-endpoint-based PKI will be tough, as it takes a lot of time and effort to
implement new trust schemes across networks. Adding a sort of "Certificate
Transparency" system to country-authority-issued certificates (like PSD2's
eIDAS) will fulfill the purpose.

What I liked in your suggestion is the end user carrying his own key-pair.
This will make open banking a lot easier, as we might use it to kill
redirect processes.

Francis Pouatcha
Co-Founder and Technical Lead at adorsys
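The flow discussed in this thread (the customer signs the payment request, the merchant countersigns and submits it under its own certified key-pair, the bank verifies both without a third party), as an added example in Go; this is not code from the thread, from EBICS, or from the cyberphone/mobilepki projects. It assumes a map of enrolled merchant keys in place of certificate validation, and the payee ID, amount and nonce are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// PaymentRequest: the customer-authorised instruction (constructed); Nonce blocks replays.
type PaymentRequest struct{ PayeeID, Amount, Currency, Nonce string }

// Envelope is what the merchant submits to the bank: the customer's signed
// request, countersigned with the merchant's own (certified) key-pair.
type Envelope struct {
	Request           PaymentRequest
	CustSig, MerchSig []byte // over Request, and over Request||CustSig
}

// TrustStore stands in for certificate validation (assumed): payee ID -> enrolled merchant key.
type TrustStore map[string]*ecdsa.PublicKey

// digest hashes the %q-quoted fields plus a trailer (nil for the customer, CustSig for the merchant).
func digest(r PaymentRequest, trailer []byte) []byte {
	enc := fmt.Sprintf("%q|%q|%q|%q|", r.PayeeID, r.Amount, r.Currency, r.Nonce)
	h := sha256.Sum256(append([]byte(enc), trailer...))
	return h[:]
}

// Sign: the customer authorises the request, then the merchant countersigns.
func Sign(r PaymentRequest, cust, merch *ecdsa.PrivateKey) Envelope {
	cs, _ := ecdsa.SignASN1(rand.Reader, cust, digest(r, nil))
	ms, _ := ecdsa.SignASN1(rand.Reader, merch, digest(r, cs))
	return Envelope{r, cs, ms}
}

// Verify (bank side): submitter must be the trusted payee, and both signatures must hold.
func Verify(e Envelope, custPub *ecdsa.PublicKey, ts TrustStore) bool {
	merchPub, ok := ts[e.Request.PayeeID]
	return ok && ecdsa.VerifyASN1(merchPub, digest(e.Request, e.CustSig), e.MerchSig) &&
		ecdsa.VerifyASN1(custPub, digest(e.Request, nil), e.CustSig)
}

func main() {
	cust, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	merch, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	env := Sign(PaymentRequest{"merchant-42", "12.50", "EUR", "n-0001"}, cust, merch)
	fmt.Println("accepted:", Verify(env, &cust.PublicKey, TrustStore{"merchant-42": &merch.PublicKey}))
}
```

Because the merchant's signature covers the customer's signature, a merchant cannot alter the amount after the customer has signed, and an unenrolled submitter cannot countersign for a payee it does not own.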