[Openid-specs-fapi] External : Dependencies on the OBE Registry

Anders Rundgren anders.rundgren.net at gmail.com
Thu Sep 24 09:20:59 UTC 2020

On 2020-09-24 10:56, Freddi Gyara wrote:
Thanx Freddy!

Let me briefly comment on your response.

First off, I'm not suggesting this as the next immediate step.

> Unfortunately, NCAs do not have the technical or process capability of maintaining a PKI and a proper electronic register.

This could eventually be provided as an "appliance" (or even as a cloud service), needing very moderate competence to run as well as integrate with the rest of the accreditation process.

> MTLS is convenient to implement - there is significant expertise in the industry, lots of vendor support - both through HSMs and hardware edge devices.

The technical part is fairly simple but not the way you manage it.  In this case things become quite complicated because an NCA effectively becomes an "RA" but without belonging to the issuers trust network.  This is the scalability issue behind this suggestion.  Most of the eIDAS issuers will probably go bust because dedicated trust networks work just fine.

If you have a link to the current NCA-TPP-eIDAS certification process, I would very much appreciate it.

> A similar level of understanding, vendor support, tooling and expertise just does not exist around signature based solutions.

I see.

> I agree with you, that non-MTLS, signature based systems are the direction that we should be travelling in.



> -----Original Message-----
> From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> On Behalf Of Anders Rundgren via Openid-specs-fapi
> Sent: 24 September 2020 07:38
> To: FAPI Working Group List <openid-specs-fapi at lists.openid.net>
> Cc: Anders Rundgren <anders.rundgren.net at gmail.com>
> Subject: External : [Openid-specs-fapi] Dependencies on the OBE Registry
> Having a central registry with TPPs seem natural until you are faced with the scaling issues.
> There is presumably a limited set of National Competent Authorities (NCAs) which could be a logical foundation for a distributed registry.
> To make this work each TPP request would contain a URL to an "Authority Record" hosted by its NCA.
> Authority Records would preferably be signed by the NCAs and be updated on a periodic basis to cope with changes including blocking misbehaving TPPs.
> In the long-run this could also eliminate the need for separately purchasing and managing eIDAS certificates; this would rather be an integral part of the NCA accreditation process.  A TPP certificate issued by an NCA would only be useful for Open Banking.
> Saturn uses this scheme but only publishes "certified signature (public) keys" in Authority Records since payments do not benefit from MTLS.  Personally, I would consider shelving MTLS for the entire Open Banking system.  FIDO shows that MTLS is not necessarily a necessity :)
> thanx,
> Anders
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
> Please consider the environment before printing this email.
> This email is from Open Banking Limited, Company Number 10440081. Our registered and postal address is 2 Thomas More Square, London, E1W 1YN. Any views or opinions are solely those of the author and do not necessarily represent those of Open Banking Limited.
> This email and any attachments are confidential and are intended for the above named only. They may also be legally privileged or covered by other legal rights and rules. Unauthorised dissemination or copying of this email and any attachments, and any use or disclosure of them, is strictly prohibited and may be illegal. If you have received them in error, please delete them and all copies from your system and notify the sender immediately by return email. You can also view our privacy policy (https://www.openbanking.org.uk/privacy-policy).

More information about the Openid-specs-fapi mailing list