[Openid-specs-fapi] Strong MERCHANT Authentication

Francis Pouatcha fpo at adorsys.de
Fri Apr 10 21:56:27 UTC 2020

On Fri, Apr 10, 2020 at 2:13 AM Anders Rundgren <
anders.rundgren.net at gmail.com> wrote:

> On 2020-04-09 21:37, Francis Pouatcha wrote:
> >
> >     >     Personally, I'm into "moderately smart contracts" that are
> targeted at a more conventional payment market:
> >     >
> https://cyberphone.github.io/doc/payments/y2020-strong-merchant-authorization.pdf
> >     >
> >     > Great illustration. This is the way to go. Banking Protocols like
> EBICS (http://www.ebics.org/home-page/) has been making use of
> the  signature key-pairs in the corporate context for a while. Now it is
> also open for individual customers. We will slowly be witnessing progress
> in this direction.
> >
> >     Thanks!  I hope you are right :)
> >
> >     EBICS was new to me.  It looks quite interesting.
> >
> >     In my particular use case, secure lookup services are used rather
> than X.509 certificates due to the amount of structured and certified data
> needed by verifiers:
> >     https://mobilepki.org/webpay-payeebank/payees/86344
> >
> > Submitting a payment request to a bank is associated with a lot of
> provisions including AML, GDPR, ... (no matter if it is a credit transfer
> or a direct debit). European PSD2 uses eIDas certificates for TPP. I like
> the concept of strong merchant authentication as Merchant could also be
> issued certificates. Merchant will then use certified key-pair to submit
> the customer's signed payment request to the bank. Without any third party.
> I suspect major merchants will endup acquiring tpp certificates.
> Right, you are thinking in terms of PSD2 TTPs (PISPs).  However, Strong
> Merchant Authorization is a part of a rather different approach to payment
> authorizations which builds on the since ages back established "Four Corner
> Model":
> https://cyberphone.github.io/doc/saturn/enhanced-four-corner-model.pdf
> The setup process for a small merchant would be of the same magnitude as
> today.
Of course the "Four Corner Model" shows the difference between a Merchant
and a PISP. What if instead of using an authority object a merchant uses a
certificate issued by certification authority (like eIDas QTSP) on behalf
of the bank? I think the state of technology wants us to use PKI + CTs.

> I must admit that I don't fully understand how this could impact Open
> Banking.  In the depicted scheme User keys are only recognized (and
> actually readable) by the User Bank.
Existing open banking initiatives have not foreseen user private key based
SCA. Neither do they include existing standards like EBICS. I guess the
banking world is not accustomed to end users digitally signing
transactions, as it is still not obvious to trust end users protecting
those private keys. Progress is being made in this domain.

Francis Pouatcha
Co-Founder and Technical Lead at adorys
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20200410/af2b8e8c/attachment-0001.html>

More information about the Openid-specs-fapi mailing list