[Openid-specs-fapi] BG/Embedded SCA - Clinically free from OAuth

Anders Rundgren anders.rundgren.net at gmail.com
Sun Jul 26 13:01:30 UTC 2020


On 2020-07-26 14:31, Torsten Lodderstedt wrote:
<snip>
>>>> The client is assumed to have a static and (per scheme) standardized payment credential, like in Apple Pay.
>>> What is the client then in this approach?
>>
>> There is no client in OAuth terms, the TPP is effectively a traditional backend processor:
>> Merchant->User/Device // Request payment
>> User/Device->Merchant // Authorize request
>> Merchant->TPP // Commit payment order
>> TPP->Bank // Initiate payment using a single authenticated & authorized request
>>
>> Saturn takes this [since decades back established] concept one step further by replacing the TPP with a trivial identity service run by the Merchant's Bank.  That is, reusing the four corner model.  I thought I was alone with this crazy/genial idea but I have recently found other folks pushing the very same concept!
> 
> But TPP and Acquirer act more or less similar, why do you consider the four corner model superior?

TPP and Acquirer will indeed be the same in the BG Embedded SCA proposal.

The "superiority" of the four corner approach is that the Merchant's Bank only vouches for the authenticity of the Merchant including its claimed creditor account through a light-weight discovery service.  The latter also eliminates the reliance on eIDAS certificates, NCAs, and the PRETA registry.  The rationale is simply reducing costs and fuzz.
Sample service: https://mobilepki.org/webpay-payeebank/payees/86344

Related: https://cyberphone.github.io/doc/research/casting-apis-in-stone.pdf

Anders