[Openid-specs-fapi] PSD2 - FAPI Client Registration

Anders Rundgren anders.rundgren.net at gmail.com
Thu Aug 6 05:09:00 UTC 2020

Personally I don't see the point of putting data that needs to be signed in HTTP headers rather than in the message itself unless the HTTP body rather is an image, CBOR, XML, or similar.  For the latter I would use JWS "compact" as sole HTTP body element and put the additional information in the JWS Header.

Anyway, none of the proposed solutions support serialization of HTTP requests or responses although this is actually quite easy to achieve:
This sample seems easier to "decipher" than the ETSI variant of the same data.

It is though still possible complementing this scheme with an "httpData" element catering for signed headers while maintaining serializability.  If JSF (JSON Signature Format) seems to daring, switching back to JWS is a no-brainer.

Regarding the JAdES sample: Why use certificate hashes instead of certificates?



More information about the Openid-specs-fapi mailing list