[Openid-specs-fapi] External : Dependencies on the OBE Registry

Freddi Gyara Freddi.Gyara at openbanking.org.uk
Thu Sep 24 08:56:41 UTC 2020

Unfortunately, NCAs do not have the technical or process capability of maintaining a PKI and a proper electronic register.

MTLS is convenient to implement - there is significant expertise in the industry, lots of vendor support - both through HSMs and hardware edge devices. A similar level of understanding, vendor support, tooling and expertise just does not exist around signature based solutions.

I agree with you, that non-MTLS, signature based systems are the direction that we should be travelling in.

-----Original Message-----
From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> On Behalf Of Anders Rundgren via Openid-specs-fapi
Sent: 24 September 2020 07:38
To: FAPI Working Group List <openid-specs-fapi at lists.openid.net>
Cc: Anders Rundgren <anders.rundgren.net at gmail.com>
Subject: External : [Openid-specs-fapi] Dependencies on the OBE Registry

Having a central registry with TPPs seem natural until you are faced with the scaling issues.

There is presumably a limited set of National Competent Authorities (NCAs) which could be a logical foundation for a distributed registry.

To make this work each TPP request would contain a URL to an "Authority Record" hosted by its NCA.

Authority Records would preferably be signed by the NCAs and be updated on a periodic basis to cope with changes including blocking misbehaving TPPs.

In the long-run this could also eliminate the need for separately purchasing and managing eIDAS certificates; this would rather be an integral part of the NCA accreditation process.  A TPP certificate issued by an NCA would only be useful for Open Banking.

Saturn uses this scheme but only publishes "certified signature (public) keys" in Authority Records since payments do not benefit from MTLS.  Personally, I would consider shelving MTLS for the entire Open Banking system.  FIDO shows that MTLS is not necessarily a necessity :)


Openid-specs-fapi mailing list
Openid-specs-fapi at lists.openid.net

Please consider the environment before printing this email.

This email is from Open Banking Limited, Company Number 10440081. Our registered and postal address is 2 Thomas More Square, London, E1W 1YN. Any views or opinions are solely those of the author and do not necessarily represent those of Open Banking Limited.

This email and any attachments are confidential and are intended for the above named only. They may also be legally privileged or covered by other legal rights and rules. Unauthorised dissemination or copying of this email and any attachments, and any use or disclosure of them, is strictly prohibited and may be illegal. If you have received them in error, please delete them and all copies from your system and notify the sender immediately by return email. You can also view our privacy policy (https://www.openbanking.org.uk/privacy-policy).

More information about the Openid-specs-fapi mailing list