<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>There are too many acronyms in the following for me to be clear on the meaning, but it is concerning that it seems to give the TPP the ability to acquire user consent when it has little reason to have the user's best interest in view.</div><div id="AppleMailSignature"><br></div><div id="AppleMailSignature"><blockquote type="cite" cite="mid:CAP-T6TSTPjbbtQ9n70=-K9k5=eyL1_pNvn=T08n2YNX+KQjsSg@mail.gmail.com"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><div><blockquote type="cite" style="border-left-width: 2px; border-left-color: rgb(16, 16, 255); margin-left: 5px;"><div class="h5"><div dir="ltr"><div class="gmail_default"><blockquote><div class="m_119826132494885966gmail-m_5119645816753680022gmail-m_7159559134696043123WordSection1"><p class="m_119826132494885966gmail-m_5119645816753680022gmail-m_7159559134696043123MsoListParagraph"><font color="#000000"><span style="background-color: rgba(255, 255, 255, 0);">The EC also supports the view that the TPP must be “free from constraints to innovate the design of the user interface for the PSU’s consent and authorisation journey for both PIS and AIS”</span></font></p></div></blockquote></div></div></div></blockquote></div></blockquote></div></div></blockquote><br>..Tom's phone</div><div><br>On Oct 12, 2017, at 5:31 AM, Henrik Biering via Openid-specs-fapi <<a href="mailto:openid-specs-fapi@lists.openid.net">openid-specs-fapi@lists.openid.net</a>> wrote:<br><br></div><blockquote type="cite"><div>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<p>Hi Dave,<br>
you are certainly right that the cited clause (b) would not
prevent the PISP from transmitting and storing the users security
credentials. But the EU is simultaneously struggling to have banks
become eIDAS relying parties (and even joint co-IdPs) to easily
and securely manage customers from all EU countries.<br>
<br>
This aspiration may be incompatible with a broad interpretation of
clause (b):<br>
<br>
1. The bank may itself be required to redirect to the appropriate
eIDAS IDP - or (as is currently the case in Denmark) use a
special embedded flow secured by an IdP-provided browser extension
that prevents the bank (RP) from accessing the credentials.<br>
<br>
2. According to (at least <a moz-do-not-send="true" href="https://digitaliser.dk/resource/3436586">the DK
implementation</a>) of the eIDAS LOA definitions, IDPs must
require users not to provide their credentials to any third
parties. Otherwise the IdP status will be "Limited" which is a
special LOA level below the three common EU LOA levels. Which
means that the IdP will be excluded from use in connection with
almost all public services - and it definitely cannot claim to
perform SCA for a bank.<br>
<br>
So it seems problematic to open for embedded pass-through flows
without a careful evaluation of the implications for the use of
eIDAS.</p>
<p>/Henrik<br>
</p>
<div class="moz-cite-prefix">Den 12-10-2017 kl. 09:51 skrev Dave
Tonge via Openid-specs-fapi:<br>
</div>
<blockquote type="cite" cite="mid:CAP-T6TSTPjbbtQ9n70=-K9k5=eyL1_pNvn=T08n2YNX+KQjsSg@mail.gmail.com">
<div dir="ltr">
<div class="gmail_default" style="font-family:"trebuchet
ms",sans-serif">HI Nat</div>
<div class="gmail_default" style="font-family:"trebuchet
ms",sans-serif"><br>
</div>
<div class="gmail_default" style="font-family:"trebuchet
ms",sans-serif">Sorry, slight confusion - this
information is not from myself but from one of the members of
the ERPB PIS group - but I still think this is positive
movement as it provides a way for the industry to move beyond
screen scraping.</div>
<div class="gmail_default" style="font-family:"trebuchet
ms",sans-serif">The conversations are not yet in the
public domain, so I don't think I can provide any more details
at this point.</div>
<div class="gmail_default" style="font-family:"trebuchet
ms",sans-serif"><br>
</div>
<div class="gmail_default" style="font-family:"trebuchet
ms",sans-serif">Ths issue that concerns me is the line
that is being taken about redirect based APIs.</div>
<div class="gmail_default" style="font-family:"trebuchet
ms",sans-serif">CIBA is good as it allows "decoupled"
flows and doesn't count as redirection, BUT even with
decoupled flows many are arguing for "pass-through" or
"embedded" flows as well - where the banking credentials are
entered into a third party site and then "passed through" to
the bank via API.</div>
<div class="gmail_default" style="font-family:"trebuchet
ms",sans-serif"><br>
</div>
<div class="gmail_default" style="font-family:"trebuchet
ms",sans-serif">Unfortunately, the text of PSD2 supports
their argument:</div>
<div class="gmail_default" style="font-family:"trebuchet
ms",sans-serif"><br>
</div>
<div class="gmail_default" style="font-family:"trebuchet
ms",sans-serif">
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">The payment initiation
service provider shall:<br>
(a) not hold at any time the payer’s funds in connection
with the provision of the payment initiation service;<br>
(b) ensure that the personalised security credentials of the
payment service user are not, with the exception of the user
and the issuer of the personalised security credentials,
accessible to other parties and that <b>they are
transmitted by the payment initiation service provider
through safe and efficient channels</b>;</blockquote>
</div>
<div class="gmail_default" style="font-family:"trebuchet
ms",sans-serif"><br>
</div>
<div class="gmail_default" style="font-family:"trebuchet
ms",sans-serif">PSD2 Article 66.3 </div>
<div><br>
</div>
<div>
<div class="gmail_default" style="font-family:"trebuchet
ms",sans-serif">I think we can make an argument that
any method that involves banking credentials being entered
on a third party site will severely reduce the "Strong
Customer Authentication" methods available for that bank to
use.</div>
<div class="gmail_default" style="font-family:"trebuchet
ms",sans-serif"><br>
</div>
<div class="gmail_default" style="font-family:"trebuchet
ms",sans-serif">Dave</div>
<br>
</div>
<div class="gmail_default" style="font-family:"trebuchet
ms",sans-serif"><br>
</div>
<div class="gmail_default" style="font-family:"trebuchet
ms",sans-serif"><br>
</div>
<div class="gmail_default" style="font-family:"trebuchet
ms",sans-serif"><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 11 October 2017 at 17:59, Nat
Sakimura via Openid-specs-fapi <span dir="ltr"><<a href="mailto:openid-specs-fapi@lists.openid.net" target="_blank" moz-do-not-send="true">openid-specs-fapi@lists.openid.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="font-family:Verdana,Geneva,sans-serif">
<p>Thanks, Dave. </p>
<p>So, are you saying that <span>ERPB (European) industry
group on APIs which you are co-chairing will be
vetting the APIs for the compliance? That sounds very
positive. </span></p>
<p><span>On the topic of no-redirections, would something
like CIBA count as redirection? IMHO, it does not
make sense from the security point of view to have the
user put his bearer token aka password into the TPP
apps. With CIBA, redirection is not involved but we
can still avoid the above problem. </span></p>
<p><span>Best, </span></p>
<p> </p>
<div>
<pre>---
Nat Sakimura
Research Fellow, Nomura Research Institute
Chairman of the Board, OpenID Foundation</pre>
</div>
<div>
<div class="h5">
<p>On 2017-10-11 23:21, Dave Tonge via
Openid-specs-fapi wrote:</p>
</div>
</div>
<blockquote type="cite" style="padding-left:5px;border-left:#1010ff 2px
solid;margin-left:5px">
<div>
<div class="h5">
<div dir="ltr">
<div class="gmail_default" style="font-family:'trebuchet ms',sans-serif">Dear
FAPI Working Group</div>
<div class="gmail_default" style="font-family:'trebuchet ms',sans-serif"> </div>
<div class="gmail_default" style="font-family:'trebuchet ms',sans-serif">As
discussed on the call, here is the latest
information we have on the RTS:</div>
<div class="gmail_default" style="font-family:'trebuchet ms',sans-serif"> </div>
<div class="gmail_default" style="font-family:'trebuchet ms',sans-serif">
<blockquote style="font-family:arial,sans-serif;font-size:12.8px">
<div class="m_119826132494885966gmail-m_5119645816753680022gmail-m_7159559134696043123WordSection1">
<p class="m_119826132494885966gmail-m_5119645816753680022gmail-m_7159559134696043123MsoListParagraph"><span style="color:#1f497d">1.<span style="font-stretch:normal;font-size:7pt;line-height:normal"> </span></span><span style="color:#1f497d">RTS is in the
final stages of approval by EC –
expected early Nov (effective date
likely to be Sept 2019). On screen
scraping (known as the fall back option)
the draft EC proposal is that PSP firms
will be able to seek a regulatory
exemption, to be granted by the
competent authority, to avoid having to
support screen scraping at all. To
obtain an exception will require a
vetting process based upon at least the
following criteria:<span style="text-decoration:underline"></span><span style="text-decoration:underline"></span></span></p>
<p class="m_119826132494885966gmail-m_5119645816753680022gmail-m_7159559134696043123MsoListParagraph" style="margin-left:72pt"><span style="color:#1f497d">a.<span style="font-stretch:normal;font-size:7pt;line-height:normal"> </span></span><span style="color:#1f497d">The APIs are
technically PSD2/RTS compliant<span style="text-decoration:underline"></span><span style="text-decoration:underline"></span></span></p>
<p class="m_119826132494885966gmail-m_5119645816753680022gmail-m_7159559134696043123MsoListParagraph" style="margin-left:72pt"><span style="color:#1f497d">b.<span style="font-stretch:normal;font-size:7pt;line-height:normal"> </span></span><span style="color:#1f497d">They are available
3 months ahead of implementation<span style="text-decoration:underline"></span><span style="text-decoration:underline"></span></span></p>
<p class="m_119826132494885966gmail-m_5119645816753680022gmail-m_7159559134696043123MsoListParagraph" style="margin-left:72pt"><span style="color:#1f497d">c.<span style="font-stretch:normal;font-size:7pt;line-height:normal"> </span></span><span style="color:#1f497d">They have been
market tested<span style="text-decoration:underline"></span><span style="text-decoration:underline"></span></span></p>
<p class="m_119826132494885966gmail-m_5119645816753680022gmail-m_7159559134696043123MsoListParagraph" style="margin-left:72pt"><span style="color:#1f497d">d.<span style="font-stretch:normal;font-size:7pt;line-height:normal"> </span></span><span style="color:#1f497d">They adhere to
specific performance criteria<span style="text-decoration:underline"></span><span style="text-decoration:underline"></span></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><span style="text-decoration:underline"></span> <span style="text-decoration:underline"></span></span></p>
<p class="MsoNormal" style="margin-left:36pt"><span style="color:#1f497d">The EC also
proposes that the ERPB (European)
industry group on APIs, that I
established and which I co-chair, could,
de facto, become the industry group to
‘vet’ APIs with support and active
participation by EC (DG FISMA and DG
COMP) and including the national
competent authorities (like FCA). This
is a very significant and incredibly
positive development as the EC is
effectively saying </span><span style="color:#1f497d">that they</span><span style="color:#1f497d"> want to ‘bless’
industry to guide </span><span style="color:#1f497d">them</span><span style="color:#1f497d">, the regulators, </span><span style="color:#1f497d">to </span><span style="color:#1f497d">get this right.<span style="text-decoration:underline"></span><span style="text-decoration:underline"></span></span></p>
<p class="MsoNormal" style="margin-left:36pt"><span style="color:#1f497d"><span style="text-decoration:underline"></span> <span style="text-decoration:underline"></span></span></p>
<p class="MsoNormal" style="margin-left:36pt"><span style="color:#1f497d">Therefore</span><span style="color:#1f497d">, the</span><span style="color:#1f497d"> OB PSD2 APIs
would conceivably have to go through
this vetting and approval process, which
illustrates the importance of aligning
our PSD2 roadmap assumptions based on
the direction set at European level</span><span style="color:#1f497d">. This</span><span style="color:#1f497d"> will help to </span><span style="color:#1f497d">avoid </span><span style="color:#1f497d">divergence between
standards at </span><span style="color:#1f497d">the</span><span style="color:#1f497d"> national level.
<span style="text-decoration:underline"></span><span style="text-decoration:underline"></span></span></p>
<p class="MsoNormal" style="margin-left:36pt"><span style="color:#1f497d"><span style="text-decoration:underline"></span> <span style="text-decoration:underline"></span></span></p>
<p class="m_119826132494885966gmail-m_5119645816753680022gmail-m_7159559134696043123MsoListParagraph">2.<span style="font-stretch:normal;font-size:7pt;line-height:normal"> </span><span style="color:#1f497d">There have been
some question</span><span style="color:#1f497d">s </span><span style="color:#1f497d">recently about the
redirection model for PSU authorisation
a</span><span style="color:#1f497d">nd</span><span style="color:#1f497d"> whether it is
PSD2 compliant. Directionally</span><span style="color:#1f497d">,</span><span style="color:#1f497d"> the EC supports
the view that “APIs must support all
authentication procedures provided by
the ASPSP to the PSU</span><span style="color:#1f497d">,</span><span style="color:#1f497d"> but <span style="text-decoration:underline">must
not require the TPP to have to use the
redirect option</span>”. Strictly
speaking</span><span style="color:#1f497d">,</span><span style="color:#1f497d"> the EC is not
banning redirection, but it does support
the view that a TPP should not have to
be forced to use it</span><span style="color:#1f497d">. </span><span style="color:#1f497d">Logically
therefore</span><span style="color:#1f497d">,</span><span style="color:#1f497d"> it cannot be the
only option available. The EC also
supports the view that the TPP must be
“free from constraints to innovate the
design of the user interface for the
PSU’s consent and authorisation journey
for both PIS and AIS”. Within the ERPB
API group we agreed yesterday in
Brussels to go into detail on this topic
to define what is acceptable based on
the three methods of redirect, pass</span><span style="color:#1f497d">-</span><span style="color:#1f497d">through and
embedded. The objective is to set </span><span style="color:#1f497d">a</span><span style="color:#1f497d"> ‘bar’ of
acceptability to be blessed by the EC as
one of the criteria by which to ‘vet’
API standards for conformity with
PSD2/RTS.</span></p>
</div>
</blockquote>
</div>
<br clear="all">
<div> </div>
-- <br>
<div class="m_119826132494885966gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div style="font-size:1em;font-weight:bold;line-height:1.4">
<div style="color:#616161;font-family:'Open
Sans';font-size:14px;font-weight:normal;line-height:21px">
<div style="font-family:Arial,Helvetica,sans-serif;font-size:0.925em;line-height:1.4;color:#dc291e;font-weight:bold">
<div style="font-size:14px;font-weight:normal;color:#333333;font-family:lato,'open
sans',arial,sans-serif;line-height:normal">
<div style="color:#00a4b7;font-weight:bold;font-size:1em;line-height:1.4">Dave
Tonge</div>
<div style="font-size:0.8125em;line-height:1.4">CTO</div>
<div style="font-size:0.8125em;line-height:1.4;margin:0px"><a style="color:#835ea5;text-decoration:none" href="http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A" target="_blank" moz-do-not-send="true"><img style="border:none;padding:0px;border-radius:2px;margin:7px" title="Moneyhub
Enterprise" src="http://./program/resources/blocked.gif" alt="Moneyhub
Enterprise" moz-do-not-send="true" height="50" width="200"></a></div>
<div style="padding:8px 0px"><span style="color:#00a4b7;font-size:11px;background-color:transparent">10
Temple Back, Bristol, BS1
6FL</span></div>
<span style="font-size:11px;line-height:15.925px;color:#00a4b7;font-weight:bold">t: </span><span style="font-size:11px;line-height:15.925px">+44 (0)117 280 5120</span></div>
<div style="color:#616161;font-size:14px;font-weight:normal;font-family:lato,'open
sans',arial,sans-serif"><span style="color:#00a4b7"><span style="font-size:11px;line-height:15.925px"><br>
</span></span>
<div style="color:#333333;line-height:1.4"><span style="font-size:0.75em">Moneyhub
Enterprise is a trading
style of Momentum
Financial Technology
Limited which is
authorised and regulated
by the Financial Conduct
Authority
("FCA"). Momentum
Financial Technology is
entered on the Financial
Services Register </span><span style="font-size:0.75em;background-color:transparent">(FRN </span><span style="font-size:0.75em;background-color:transparent;color:#00a4b7;font-weight:bold">561538</span><span style="font-size:0.75em;background-color:transparent">) at <a href="http://fca.org.uk/register" target="_blank" moz-do-not-send="true">fca.org.uk/register</a>.
Momentum Financial
Technology is registered
in England & Wales,
company registration
number </span><span style="font-size:0.75em;color:#00a4b7;font-weight:bold;background-color:transparent">06909772</span><span style="font-size:0.75em;background-color:transparent"> </span><span style="color:#222222;font-family:arial,sans-serif;background-color:transparent"><span style="font-size:xx-small">©</span></span><span style="font-size:0.75em;background-color:transparent"> . </span><span style="background-color:transparent;font-size:0.75em">Momentum Financial
Technology Limited 2016. </span><span style="background-color:transparent;font-size:0.75em;color:#888888">DISCLAIMER:
This email (including any
attachments) is subject to
copyright, and the
information in it is
confidential. Use of this
email or of any
information in it other
than by the addressee is
unauthorised and unlawful.
Whilst reasonable efforts
are made to ensure that
any attachments are
virus-free, it is the
recipient's sole
responsibility to scan all
attachments for viruses.
All calls and emails to
and from this company may
be monitored and recorded
for legitimate purposes
relating to this company's
business. Any opinions
expressed in this email
(or in any attachments)
are those of the author
and do not necessarily
represent the opinions of
Momentum Financial
Technology Limited or of
any other group company.</span></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
</div>
</div>
<pre>______________________________<wbr>_________________
Openid-specs-fapi mailing list
<a href="mailto:Openid-specs-fapi@lists.openid.net" target="_blank" moz-do-not-send="true">Openid-specs-fapi@lists.<wbr>openid.net</a>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi" target="_blank" moz-do-not-send="true">http://lists.openid.net/<wbr>mailman/listinfo/openid-specs-<wbr>fapi</a>
</pre>
</blockquote>
</div>
<br>
</blockquote>
</div>
</div>
</blockquote>
<br>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Openid-specs-fapi mailing list</span><br><span><a href="mailto:Openid-specs-fapi@lists.openid.net">Openid-specs-fapi@lists.openid.net</a></span><br><span><a href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi">http://lists.openid.net/mailman/listinfo/openid-specs-fapi</a></span><br></div></blockquote></body></html>