<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none"><!-- p { margin-top: 0px; margin-bottom: 0px; }--></style>
</head>
<body dir="ltr" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>As an implementer creating the SSA, I support this plan. <br>
</p>
<p><br>
</p>
<p>Cheers,</p>
<p>RB <br>
</p>
<div style="color: rgb(33, 33, 33);">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Openid-specs-fapi <openid-specs-fapi-bounces@lists.openid.net> on behalf of Pamela Dingle via Openid-specs-fapi <openid-specs-fapi@lists.openid.net><br>
<b>Sent:</b> 29 September 2017 16:20<br>
<b>To:</b> Financial API Working Group List<br>
<b>Subject:</b> Re: [Openid-specs-fapi] Verification: non-compliant JWT audience</font>
<div> </div>
</div>
<div>
<div dir="ltr">
<div>
<div>We discussed the audience question on the call on Wednesday, and two options were discussed for compliance: removing the audience, and adding a logical audience.
<br>
<br>
</div>
Given our short time frame, the first goal is to get to spec compliance. Based on feedback both during the call and on this thread, I think we can safely move to request that audience be removed from the software statement.<br>
<br>
</div>
Long term, I see a lot of advantage to creating a logical audience for the assertion; essentially the ASPSP would know itself by several names and respond to assertions designated for any name:
<div>
<div>
<div>
<ul>
<li>As itself, with an explicit issuer name</li>
<li>As a participant in UK Open Banking</li>
<li>As an ASPSP in UK Open Banking</li>
<li>Possibly as an ASPSP supporting the AISP software role for UK Open Banking, etc.</li>
</ul>
<div>This may not be critical for the first phase, but I see the concept possibly becoming a big deal as additional competent authorities come online, and it becomes likely that a given ASPSP may start processing software statements issued by multiple authorities.<br>
</div>
</div>
<div><br>
</div>
<div>Any additional arguments for or against this plan or vendor insights or implementer reactions would be welcome.</div>
<div><br>
</div>
<div>Thanks!</div>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Sep 28, 2017 at 6:29 PM, Tom Jones <span dir="ltr">
<<a href="mailto:thomasclinganjones@gmail.com" target="_blank">thomasclinganjones@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
<div dir="ltr">
<div>I agree.</div>
<div>AUD should not be in a s/w statement at all.</div>
<div><br>
</div>
<div>I also think that you should ban questions like this that are not issues.</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="m_6229154410005013343gmail_signature">
<div dir="ltr">
<div>Peace ..tom</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">
<div>
<div class="h5">On Fri, Sep 22, 2017 at 3:53 PM, Pamela Dingle via Openid-specs-fapi
<span dir="ltr"><<a href="mailto:openid-specs-fapi@lists.openid.net" target="_blank">openid-specs-fapi@lists.openid.net</a>></span> wrote:<br>
</div>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
<div>
<div class="h5">
<div dir="ltr">Hi FAPI'ers, 
<div><br>
</div>
<div>Can anyone here comment on whether they use or make technology that CANNOT override the standard RFC7519 JWT audience validation requirements?</div>
<div><br>
</div>
<div>I know that the jose4j library allows the ability to override the rules set out in <a href="https://tools.ietf.org/html/rfc7519#section-4.1.3" target="_blank">https://tools.ietf.org/html/rfc7519#section-4.1.3</a> but I don't know if that is a common feature of other libraries. As I read those rules, any entity that receives a JWT with an aud claim populated but which does not have the entity itself listed as a recipient should reject that JWT.</div>
<div><br>
</div>
<div>In this case we are talking about validating software statements in dynamic client registration requests: if the software statement is generated with an audience set to be the client requesting the software statement, technically every AS the client tries to post that statement to should reject the statement, since the aud claim does not reference them directly. Any opinions on whether at the end of the day this is a serious compliance issue (or not), and/or a real problem for implementers (or not) would be welcome.</div>
<div><br>
</div>
<div>Cheers,</div>
<div><br>
</div>
<div>Pamela</div>
<span class="m_6229154410005013343HOEnZb"><font color="#888888">
<div><br>
</div>
<div>-- <br>
<div class="m_6229154410005013343m_-3881481806310258004gmail_signature">
<div style="padding:0px; margin:0px">
<table style="border-collapse:collapse; padding:0px; margin:0px">
<tbody>
<tr>
<td style="width:113px"><a href="https://www.pingidentity.com" target="_blank"></a><a href="https://www.pingidentity.com" target="_blank"><img alt="Ping Identity" src="https://www.pingidentity.com/content/dam/pic/images/misc/signature/ping-logo.png"></a>
</td>
<td>
<table>
<tbody>
<tr>
<td style="vertical-align:top"><span style="color:rgb(230,29,60); display:inline-block; margin-bottom:3px; font-family:arial,helvetica,sans-serif; font-weight:bold; font-size:14px">Pam Dingle</span>
<br>
<span style="color:rgb(0,0,0); display:inline-block; margin-bottom:2px; font-family:arial,helvetica,sans-serif; font-weight:normal; font-size:14px">Principal Technical Architect</span>
<br>
<span style="font-family:arial,helvetica,sans-serif; font-size:14px; display:inline-block; margin-bottom:3px"><a href="mailto:pdingle@pingidentity.com" target="_blank">pdingle@pingidentity.com</a></span>
<br>
<span style="color:rgb(0,0,0); display:inline-block; margin-bottom:2px; font-family:arial,helvetica,sans-serif; font-weight:normal; font-size:14px">w:
<a href="tel:(303)%20999-5890" value="+13039995890" target="_blank">+1 303.999.5890</a></span>
<br>
<span style="color:rgb(0,0,0); display:inline-block; margin-bottom:2px; font-family:arial,helvetica,sans-serif; font-weight:normal; font-size:14px">c:
<a href="tel:(303)%20999-5890" value="+13039995890" target="_blank">+1 303.999.5890</a></span>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td colspan="2">
<table style="border-collapse:collapse; border:none; margin:8px 0px 0px; width:100%">
<tbody>
<tr style="height:40px; border-top:1px solid rgb(211,211,211); border-bottom:1px solid rgb(211,211,211)">
<td style="font-family:arial,helvetica,sans-serif; font-size:14px; font-weight:bold; color:rgb(64,71,75)">
Connect with us: </td>
<td style="padding:4px 0px 0px 20px"><a title="Ping on Glassdoor" href="https://www.glassdoor.com/Overview/Working-at-Ping-Identity-EI_IE380907.11,24.htm" target="_blank" style="text-decoration:none; margin-right:16px"><img alt="Glassdoor logo" style="border:none; margin:0px" src="https://www.pingidentity.com/content/dam/pic/images/misc/signature/social-glassdoor.png"></a>
<a title="Ping on LinkedIn" href="https://www.linkedin.com/company/21870" target="_blank" style="text-decoration:none; margin-right:16px">
<img alt="LinkedIn logo" style="border:none; margin:0px" src="https://www.pingidentity.com/content/dam/pic/images/misc/signature/social-linkedin.png"></a>
<a title="Ping on Twitter" href="https://twitter.com/pingidentity" target="_blank" style="text-decoration:none; margin-right:16px">
<img alt="twitter logo" style="border:none; margin:0px" src="https://www.pingidentity.com/content/dam/pic/images/misc/signature/social-twitter.png"></a>
<a title="Ping on Facebook" href="https://www.facebook.com/pingidentitypage" target="_blank" style="text-decoration:none; margin-right:16px">
<img alt="facebook logo" style="border:none; margin:0px" src="https://www.pingidentity.com/content/dam/pic/images/misc/signature/social-facebook.png"></a>
<a title="Ping on Youtube" href="https://www.youtube.com/user/PingIdentityTV" target="_blank" style="text-decoration:none; margin-right:16px">
<img alt="youtube logo" style="border:none; margin:0px 0px 3px" src="https://www.pingidentity.com/content/dam/pic/images/misc/signature/social-youtube.png"></a>
<a title="Ping on Google+" href="https://plus.google.com/u/0/114266977739397708540" target="_blank" style="text-decoration:none; margin-right:16px">
<img alt="Google+ logo" style="border:none; margin:0px" src="https://www.pingidentity.com/content/dam/pic/images/misc/signature/social-googleplus.png"></a>
<a title="Ping Blog" href="https://www.pingidentity.com/en/blog.html" target="_blank" style="text-decoration:none; margin-right:16px">
<img alt="Blog logo" style="border:none; margin:0px" src="https://www.pingidentity.com/content/dam/pic/images/misc/signature/social-blog.png"></a>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<a href="https://www.pingidentity.com/en/lp/identify-2017.html" target="_blank"><img src="https://www.pingidentity.com/content/dam/ping-6-2-assets/images/misc/emailSignature/identify2017-emailsignature_revised_NB.png"></a>
</div>
</div>
</div>
</font></span></div>
</div>
</div>
<span class="m_6229154410005013343HOEnZb"><font color="#888888"><br>
<span class=""><i style="margin:0px; padding:0px; border:0px; outline:0px; vertical-align:baseline; background:rgb(255,255,255); color:rgb(85,85,85)"><span style="margin:0px; padding:0px; border:0px; outline:0px; vertical-align:baseline; background:transparent; font-weight:600"><font size="2">CONFIDENTIALITY
 NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify
 the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.</font></span></i></span></font></span><span class=""><br>
_______________________________________________<br>
Openid-specs-fapi mailing list<br>
<a href="mailto:Openid-specs-fapi@lists.openid.net" target="_blank">Openid-specs-fapi@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-fapi</a><br>
<br>
</span></blockquote>
</div>
<br>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<br>
</div>
<br>
</div>
</div>
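<p>An added illustration of the two options discussed in the thread above (the issuer omitting <code>aud</code> from the software statement, or the AS answering to a set of logical audience names), together with the RFC 7519 section 4.1.3 rule quoted in the original question. This is example code written for this page, not code from the FAPI working group, Open Banking, jose4j or any other library. The issuer name, the <code>urn:openbanking.org.uk:...</code> audience identifiers, the client and claim values, and the HS256 shared key (standing in for the directory's real asymmetric signature so that the example runs offline) are all assumptions.</p>

```python
"""Audience ("aud") handling for a software statement assertion (SSA) in a
dynamic client registration request. Illustrative code for this page only.
Assumptions: HS256 with a shared key stands in for the directory's signing
key; issuer, audience URNs and claim values are made up for the example."""
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key-not-a-real-directory-key"   # assumed
ISSUER = "https://directory.example/ssa"                  # assumed issuer
NOW = 1_506_700_000                                        # fixed clock, Sep 2017

# Option 1 from the thread: the AS only answers to its own name.
STRICT_AUDIENCES = frozenset({"https://as.bank.example"})
# Option 2: a "logical" audience; the ASPSP knows itself by several names.
LOGICAL_AUDIENCES = frozenset({
    "https://as.bank.example",               # as itself
    "urn:openbanking.org.uk:participant",    # assumed URN: any participant
    "urn:openbanking.org.uk:aspsp",          # assumed URN: any ASPSP
    "urn:openbanking.org.uk:aspsp:aisp",     # assumed URN: ASPSP serving AISPs
})


class SsaRejected(Exception):
    """The SSA must not be used to register the client."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_ssa(claims: dict, key: bytes = KEY) -> str:
    """Produce a compact JWS (HS256 here; a real directory would use RSA/EC)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    sig = hmac.new(key, ".".join(parts).encode("ascii"), hashlib.sha256).digest()
    return ".".join(parts + [_b64url(sig)])


def verify_ssa(token: str, my_audiences: frozenset, key: bytes = KEY,
               trusted_issuers=frozenset({ISSUER}), now: int = NOW) -> dict:
    """Check signature, issuer and expiry, then apply RFC 7519 section 4.1.3:
    'aud' is optional, but if present and none of its values name us, reject."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise SsaRejected("malformed compact JWS")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":      # pin the algorithm; never trust 'alg' from the token
        raise SsaRejected(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise SsaRejected("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") not in trusted_issuers:
        raise SsaRejected(f"untrusted issuer {claims.get('iss')!r}")
    if "exp" not in claims or now >= claims["exp"]:
        raise SsaRejected("missing or past exp")
    if "aud" in claims:
        aud = claims["aud"]
        values = [aud] if isinstance(aud, str) else aud     # string or array of strings
        if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
            raise SsaRejected("aud must be a string or an array of strings")
        if my_audiences.isdisjoint(values):
            raise SsaRejected(f"aud {values} does not name this AS")
    return claims


def _outcome(token: str, audiences: frozenset) -> str:
    try:
        verify_ssa(token, audiences)
        return "accepted"
    except SsaRejected as err:
        return f"rejected: {err}"


def demo() -> dict:
    """Run the cases from the thread against both AS configurations."""
    base = {"iss": ISSUER, "iat": NOW, "exp": NOW + 600, "software_id": "s6BhdRkqt3",
            "software_roles": ["AISP"], "redirect_uris": ["https://tpp.example/cb"]}
    cases = {
        "aud_is_client": dict(base, aud="s6BhdRkqt3"),                  # the non-compliant SSA
        "no_aud": base,                                                  # option 1
        "logical_aud": dict(base, aud="urn:openbanking.org.uk:aspsp"),   # option 2
    }
    tokens = {name: mint_ssa(c) for name, c in cases.items()}
    # A TPP cannot fix a bad aud itself: swapping in an aud-less payload breaks the signature.
    h, _, s = tokens["aud_is_client"].split(".")
    tokens["stripped_aud"] = ".".join([h, tokens["no_aud"].split(".")[1], s])
    return {name: {"strict": _outcome(t, STRICT_AUDIENCES),
                   "logical": _outcome(t, LOGICAL_AUDIENCES)} for name, t in tokens.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

<p>Running the block prints one line per case. The <code>stripped_aud</code> case is the one implementers should note: a TPP that holds an SSA whose <code>aud</code> names the client cannot make it compliant by dropping the claim, because the signature covers the payload, so the change has to come from the issuing directory. Under the strict configuration only the <code>no_aud</code> statement is accepted; under the logical configuration the <code>urn:openbanking.org.uk:aspsp</code> statement is accepted as well, while the client-scoped <code>aud</code> is still rejected by both.</p>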
<br clear="both">
Please consider the environment before printing this email.<BR>
<BR>
This email is from Open Banking Limited, Company Number 10440081.  Our registered and postal address is 2 Thomas More Square, London, E1W 1YN.  Any views or opinions are solely those of the author and do not necessarily represent those of Open Banking Limited.  <BR>
<BR>
This email and any attachments are confidential and are intended for the above named only.  They may also be legally privileged or covered by other legal rights and rules.  Unauthorised dissemination or copying of this email and any attachments, and any use or disclosure of them, is strictly prohibited and may be illegal.  If you have received them in error, please delete them and all copies from your system and notify the sender immediately by return email.<BR>
</body>
</html>