[Openid-specs-fapi] External : Re: External : Re: External : FW: OBE JWS Profile - Version 0.10b for Approval

Freddi Gyara Freddi.Gyara at openbanking.org.uk
Tue Sep 22 16:44:02 UTC 2020

RFC 7797 was referenced for the b64 claim.

Considering that:
(i) Library support is poor and
(ii) It's not really required for detached signatures as stated in RFC-7515 Appendix F,

we removed it from the standard.

The ETSI draft has the b64 back in there (possibly because they forked the OBIE standard at some point). Our experience with the ecosystem indicates that we should eliminate it.

-----Original Message-----
From: Anders Rundgren <anders.rundgren.net at gmail.com>
Sent: 22 September 2020 17:18
To: FAPI Working Group List <openid-specs-fapi at lists.openid.net>; Freddi Gyara <Freddi.Gyara at openbanking.org.uk>
Cc: Brian Campbell <bcampbell at pingidentity.com>
Subject: External : Re: [Openid-specs-fapi] External : Re: External : FW: OBE JWS Profile - Version 0.10b for Approval

On 2020-09-22 17:55, Brian Campbell via Openid-specs-fapi wrote:
> Thanks Freddi,
> From that it also sounds like the "crit" header wasn't being
> processed correctly. Or wasn't being set per the RFC
> https://tools.ietf.org/html/rfc7797#section-6

Does the OBIE specification actually build on RFC 7797?
I thought this was rather the core: https://tools.ietf.org/html/rfc7515#appendix-F

From 7797:
The "b64" value is a JSON boolean, with a default value of "true".  When used, this Header Parameter MUST be integrity protected; therefore, it MUST occur only within the JWS Protected Header.  Use of this Header Parameter is OPTIONAL.

I see no reason for bothering with b64 or crit since JWS is used in the default mode.


> Fun stuff..
> On Tue, Sep 22, 2020 at 2:39 AM Freddi Gyara <Freddi.Gyara at openbanking.org.uk> wrote:

> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
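An added example, not part of the original thread and not OBIE or ETSI code: a minimal detached-JWS signer and verifier showing how the signing input differs between the default mode (RFC 7515 Appendix F) and RFC 7797's "b64": false, and why a verifier that does not implement "b64" has to reject on "crit". HS256 with a constructed key is an assumption made so the sketch runs on the standard library alone; the function names are hypothetical.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def signing_input(protected_b64: str, header: dict, payload: bytes) -> bytes:
    # RFC 7515 default: header '.' BASE64URL(payload).
    # RFC 7797 with "b64": false: header '.' raw payload octets.
    body = payload if header.get("b64", True) is False else b64url(payload).encode()
    return protected_b64.encode() + b"." + body

def sign_detached(header: dict, payload: bytes, key: bytes) -> str:
    protected_b64 = b64url(json.dumps(header, separators=(",", ":")).encode())
    mac = hmac.new(key, signing_input(protected_b64, header, payload), hashlib.sha256)
    return f"{protected_b64}..{b64url(mac.digest())}"  # empty middle part: detached

def verify_detached(jws: str, payload: bytes, key: bytes, understood=frozenset()) -> str:
    parts = jws.split(".")
    if len(parts) != 3 or parts[1]:
        return "reject: not a detached compact JWS"
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        return "reject: unexpected alg"
    crit = header.get("crit", [])
    unknown = [name for name in crit if name not in understood]
    if unknown:  # RFC 7515 section 4.1.11: unknown critical extension invalidates the JWS
        return "reject: unsupported crit " + ",".join(unknown)
    if header.get("b64", True) is False and "b64" not in crit:
        return "reject: b64 without crit"  # RFC 7797 section 6
    expected = hmac.new(key, signing_input(parts[0], header, payload), hashlib.sha256)
    if not hmac.compare_digest(expected.digest(), b64url_decode(parts[2])):
        return "reject: bad signature"
    return "valid"

# Constructed sample values, not taken from any real deployment.
KEY = b"constructed-demo-key-32-bytes-ok"
BODY = b'{"amount":"10.00","currency":"GBP"}'
DEFAULT_HDR = {"alg": "HS256"}
B64_HDR = {"alg": "HS256", "b64": False, "crit": ["b64"]}

if __name__ == "__main__":
    for hdr in (DEFAULT_HDR, B64_HDR):
        jws = sign_detached(hdr, BODY, KEY)
        print(hdr, verify_detached(jws, BODY, KEY), verify_detached(jws, BODY, KEY, {"b64"}))
```

A verifier that skipped the "crit" check and ignored "b64" would base64url-encode the body before hashing and report a bad signature on a message that was signed correctly, which is the kind of interoperability failure the thread describes.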
