[Openid-specs-fapi] BG/Embedded SCA - Clinically free from OAuth

Torsten Lodderstedt torsten at lodderstedt.net
Sun Jul 26 14:18:03 UTC 2020

> Am 26.07.2020 um 15:01 schrieb Anders Rundgren <anders.rundgren.net at gmail.com>:
> On 2020-07-26 14:31, Torsten Lodderstedt wrote:
> <snip>
>>>>> The client is assumed to have a static and (per scheme) standardized payment credential, like in Apple Pay.
>>>> What is the client then in this approach?
>>> There is no client in OAuth terms, the TPP is effectively a traditional backend processor:
>>> Merchant->User/Device // Request payment
>>> User/Device->Merchant // Authorize request
>>> Merchant->TPP // Commit payment order
>>> TPP->Bank // Initiate payment using a single authenticated & authorized request
>>> Saturn takes this [since decades back established] concept one step further by replacing the TPP with a trivial identity service ran by the Merchant's Bank.  That is, reusing the four corner model.  I thought I was alone with this crazy/genial idea but I have recently found other folks pushing the very same concept!
>> But TPP and Akquirer act more or less similar, why do you consider the four corner model superior?
> TPP and Acquirer will indeed be the same in the BG Embedded SCA proposal.
> The "superiority" of the four corner approach is that the Merchant's Bank only vouches for the authenticity of the Merchant including its claimed creditor account through a light-weight discovery service.  The latter also eliminates the reliance on eIDAS certificates, NCAs, and the PRETA registry.  The rationale is simply reducing costs and fuzz.
> Sample service: https://mobilepki.org/webpay-payeebank/payees/86344
> Related: https://cyberphone.github.io/doc/research/casting-apis-in-stone.pdf

I think you are comparing apple to pear. Credit Card schemes are proprietary networks. Partipation is not opento everyone. Routing happens automagically within the network.

Open banking in contrast is supposed to be open and to remove intermediaries. Certificates issued by trusted 3rd parties and directories are a necessary infrastructure for such an open system.

Unfortunately, PSD2 is to heavy on regulation and to weak regarding openness and fostering of innovation. And the eIDAS certs were premature.

Btw: Are Akquirer required are to be TPPs?

> Anders
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3629 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20200726/1f48b896/attachment-0001.p7s>

More information about the Openid-specs-fapi mailing list