[Openid-specs-fapi] Responding to OBE JWS Profile version 0.10b

Francis Pouatcha fpo at adorsys.de
Thu Oct 1 02:45:56 UTC 2020

Hello Dave, here is my feedback:

Sections 3 and 4 are written as a summary of extracts of RFC7515 and
RFC7797. This can be confusing when text is not transferred untampered. Both
sections summarize into the following requirements:
-> compact serialization
-> unencoded payload
-> detached payload

Section 5.3.2 deals with key management, representation and validation.
This is too tied to PSD2/eIDAS legislation. OBE is correct as the document
is written for the PSD2 legislation area, but it makes the document
unusable for other markets.

RECOMMENDATION-24 is confusing.

As for the canonicalization of the content to be signed (headers, body),
I understand why OBE relies on draft-cavage-http-signatures-10 and RFC3230,
as they would otherwise have to reinvent the wheel.

My suggestion:
- Suggest the draft of a legislation-independent specification on how to
sign FAPI messages. This spec shall be abstracted from key and certificate
specifics so as to allow each legislation to derive a profile fitting into
its trust framework (e.g. OBE/ETSI JAdES for PSD2).
- This specification could be hosted by FAPI, based on the current OBE
draft and driven by OBE and current FAPI members.

Best regards.

On Wed, Sep 30, 2020 at 11:41 AM Dave Tonge via Openid-specs-fapi <
openid-specs-fapi at lists.openid.net> wrote:

> Dear WG
> We discussed on the call today that it may be a good idea to prepare a
> response to Open Banking Europe based on their soon to be published JWS
> profile.
> It would be good to get some feedback from WG members.
> Discussion so far has been around:
>  - base64 encoding
>  - recommending that sensitive data is put in request body rather than
> headers
>  - the reliance on draft-cavage for info on how to prepare the signing
> material
> It would be good to get some further feedback so that we can agree on a
> response.
> Please can members who have an interest in this area, review the attached
> and reply to this email.
> Thanks
> Dave Tonge
> FAPI WG Co-Chair

Francis Pouatcha
Technical Lead
adorsys GmbH & Co. KG
www.adorsys.com <https://adorsys-platform.de/solutions/>
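The three requirements the reply distils from Sections 3 and 4 (compact serialization, unencoded payload per RFC 7797, detached payload) are easy to get wrong when paraphrased, so here is an added, stand-alone illustration of what they mean on the wire. This is example code written for this thread, not the OBE profile's code and not anything from the FAPI WG. It assumes HS256 purely so that it runs with the Python standard library (a real profile binds an asymmetric key and certificate, which is exactly the part the reply wants kept out of the base spec); the key, payload and "kid" value are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires (RFC 7515, section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; re-adds the padding that JWS strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_header(kid: str) -> dict:
    # RFC 7797: "b64": false MUST be listed in "crit" so that a verifier that
    # does not understand unencoded payloads rejects the JWS instead of
    # silently computing the wrong signing input.
    return {"alg": "HS256", "kid": kid, "b64": False, "crit": ["b64"]}


def signing_input(protected: str, payload: bytes) -> bytes:
    # With "b64": false the signing input is BASE64URL(header) '.' raw payload;
    # the payload bytes are NOT base64url-encoded (RFC 7797, section 3).
    return protected.encode("ascii") + b"." + payload


def sign_detached(payload: bytes, key: bytes, kid: str) -> str:
    """Return a compact-serialized JWS with an unencoded, detached payload."""
    header = make_header(kid)
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    sig = hmac.new(key, signing_input(protected, payload), hashlib.sha256).digest()
    # Detached serialization (RFC 7515, appendix F): the payload slot is empty
    # and the payload travels separately, e.g. as the HTTP body.
    return f"{protected}..{b64url(sig)}"


def verify_detached(jws: str, payload: bytes, key: bytes) -> bool:
    """Verify a detached, unencoded-payload JWS against the payload bytes
    actually received. Any byte-level change to the payload (even whitespace
    rewritten by an intermediary) must fail, which is why canonicalization of
    the signed content matters so much in practice."""
    parts = jws.split(".")
    if len(parts) != 3 or parts[1] != "":
        return False  # not compact serialization, or payload not detached
    protected, _, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(protected))
        given = b64url_decode(sig_b64)
    except ValueError:
        return False
    if header.get("alg") != "HS256":
        return False  # pin the algorithm; never trust "alg" to choose the key type
    crit = header.get("crit", [])
    if header.get("b64") is not False or "b64" not in crit:
        return False  # unencoded payload must be declared and marked critical
    if any(name != "b64" for name in crit):
        return False  # RFC 7515: reject any "crit" extension we do not understand
    expected = hmac.new(key, signing_input(protected, payload), hashlib.sha256).digest()
    return hmac.compare_digest(expected, given)


if __name__ == "__main__":
    key = b"constructed-demo-key"            # placeholder, not a real secret
    body = b'{"amount":"10.00","currency":"EUR"}'  # constructed sample body
    token = sign_detached(body, key, "example-kid")
    print("detached JWS:", token)
    print("verifies:", verify_detached(token, body, key))
    print("after whitespace change:", verify_detached(token, body + b"\n", key))
```

The empty middle segment is the visible signature of a detached JWS, and the absence of any base64url encoding of the body is the RFC 7797 part. Note the last line of the demo: a single trailing newline added by a proxy is enough to fail verification, which is the practical reason a profile has to say precisely which bytes are signed rather than summarizing the RFCs.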