[Openid-specs-fapi] External : Dependencies on the OBE Registry
fpo at adorsys.de
Sun Sep 27 01:45:35 UTC 2020
CT Logs are the way to go! But as you know, NCA are always a couple of
On Thu, Sep 24, 2020 at 5:21 AM Anders Rundgren via Openid-specs-fapi <
openid-specs-fapi at lists.openid.net> wrote:
> On 2020-09-24 10:56, Freddi Gyara wrote:
> Thanx Freddy!
> Let me briefly comment on your response.
> First off, I'm not suggesting this as the next immediate step.
> > Unfortunately, NCAs do not have the technical or process capability of
> maintaining a PKI and a proper electronic register.
> This could eventually be provided as an "appliance" (or even as a cloud
> service), needing very moderate competence to run as well as integrate with
> the rest of the accreditation process.
> > MTLS is convenient to implement - there is significant expertise in the
> industry, lots of vendor support - both through HSMs and hardware edge
> The technical part is fairly simple but not the way you manage it. In
> this case things become quite complicated because an NCA effectively
> becomes an "RA" but without belonging to the issuers trust network. This
> is the scalability issue behind this suggestion. Most of the eIDAS issuers
> will probably go bust because dedicated trust networks work just fine.
> If you have a link to the current NCA-TPP-eIDAS certification process, I
> would very much appreciate it.
> > A similar level of understanding, vendor support, tooling and expertise
> just does not exist around signature based solutions.
> I see.
> > I agree with you, that non-MTLS, signature based systems are the
> direction that we should be travelling in.
> > -----Original Message-----
> > From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> On
> Behalf Of Anders Rundgren via Openid-specs-fapi
> > Sent: 24 September 2020 07:38
> > To: FAPI Working Group List <openid-specs-fapi at lists.openid.net>
> > Cc: Anders Rundgren <anders.rundgren.net at gmail.com>
> > Subject: External : [Openid-specs-fapi] Dependencies on the OBE Registry
> > Having a central registry with TPPs seem natural until you are faced
> with the scaling issues.
> > There is presumably a limited set of National Competent Authorities
> (NCAs) which could be a logical foundation for a distributed registry.
> > To make this work each TPP request would contain a URL to an "Authority
> Record" hosted by its NCA.
> > Authority Records would preferably be signed by the NCAs and be updated
> on a periodic basis to cope with changes including blocking misbehaving
> > In the long-run this could also eliminate the need for separately
> purchasing and managing eIDAS certificates; this would rather be an
> integral part of the NCA accreditation process. A TPP certificate issued
> by an NCA would only be useful for Open Banking.
> > Saturn uses this scheme but only publishes "certified signature (public)
> keys" in Authority Records since payments do not benefit from MTLS.
> Personally, I would consider shelving MTLS for the entire Open Banking
> system. FIDO shows that MTLS is not necessarily a necessity :)
> > thanx,
> > Anders
> > _______________________________________________
> > Openid-specs-fapi mailing list
> > Openid-specs-fapi at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-specs-fapi
> > Please consider the environment before printing this email.
> > This email is from Open Banking Limited, Company Number 10440081. Our
> registered and postal address is 2 Thomas More Square, London, E1W 1YN. Any
> views or opinions are solely those of the author and do not necessarily
> represent those of Open Banking Limited.
> > This email and any attachments are confidential and are intended for the
> above named only. They may also be legally privileged or covered by other
> legal rights and rules. Unauthorised dissemination or copying of this email
> and any attachments, and any use or disclosure of them, is strictly
> prohibited and may be illegal. If you have received them in error, please
> delete them and all copies from your system and notify the sender
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
Co-Founder and Technical Lead
adorsys GmbH & Co. KG
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Openid-specs-fapi