<div dir="ltr"><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">Hi Anders</div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">Are you able to join one of the working group calls so that we can discuss this further?</div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">Thanks</div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">Dave</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, 29 Sep 2019 at 09:16, Anders Rundgren via Openid-specs-fapi <<a href="mailto:openid-specs-fapi@lists.openid.net">openid-specs-fapi@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Thanx Ralph,<br>
<br>
It is a little bit strange that ETSI rather than the IETF takes on this pretty universal topic.<br>
<br>
Anyway, there are two issues that need to be addressed:<br>
- How to deal with signed header data. This is what many people (including myself) consider being the trickiest problem.<br>
- How to represent the payload. Since ALL Open Banking solutions I'm aware of use clear text, it would be strange changing this now.<br>
<br>
Regarding the latter, canonicalization still offers major benefits over using plain HTTP bodies, including JSON serialization and embedding of signed data. That FAPI doesn't need counter signatures at the moment is true, but it may not always be the case. Other solutions out there including my Saturn project is entirely depending on such constructs. Implementations for JavaScript, Java, Python3, Go and C# (beginning with Net Core V3) shows that interoperability is essentially a no-issue.<br>
<br>
Countersigning, serialization, and embedding using Cavage or OBIE's current signature scheme is not feasible.<br>
<br>
thanx,<br>
Anders<br>
<a href="https://tools.ietf.org/html/draft-rundgren-json-canonicalization-scheme-12" rel="noreferrer" target="_blank">https://tools.ietf.org/html/draft-rundgren-json-canonicalization-scheme-12</a><br>
<br>
On 2019-09-29 08:45, Ralph Bragg wrote:<br>
> All,<br>
> <br>
> There was a meeting of the major standards bodies last week with ETSI coordinating. JWS detached and not detached will almost certainly be one of the agreed formats for AdES and subsequently message signing for PSD2.<br>
> <br>
> When the minutes are published I’ll share.<br>
> <br>
> Given that Cavage 11 includes the following.<br>
> WARNING: DO NOT IMPLEMENT THIS SPECIFICATION AND PUSH THE CODE INTO<br>
> PRODUCTION. THIS VERSION OF THE SPECIFICATION IS ONLY FOR<br>
> EXPERIMENTAL IMPLEMENTATIONS.<br>
> <br>
> The Berlin group and others have had to explicitly reference version 10 to avoid using a a spec that says “don’t use this”. This doesn’t leave them a way forward with this draft. I expect that ETSI will look at the desirable properties of the Cavages draft and try and come up with something that has the same characteristics.<br>
> <br>
> RB<br>
> <br>
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>
> *From:* Openid-specs-fapi <<a href="mailto:openid-specs-fapi-bounces@lists.openid.net" target="_blank">openid-specs-fapi-bounces@lists.openid.net</a>> on behalf of Anders Rundgren via Openid-specs-fapi <<a href="mailto:openid-specs-fapi@lists.openid.net" target="_blank">openid-specs-fapi@lists.openid.net</a>><br>
> *Sent:* Sunday, September 29, 2019 7:20:33 AM<br>
> *To:* Financial API Working Group List <<a href="mailto:Openid-specs-fapi@lists.openid.net" target="_blank">Openid-specs-fapi@lists.openid.net</a>><br>
> *Cc:* Anders Rundgren <<a href="mailto:anders.rundgren.net@gmail.com" target="_blank">anders.rundgren.net@gmail.com</a>><br>
> *Subject:* [Openid-specs-fapi] Next step(s) for FAPI?<br>
> Dear FAPIers,<br>
> <br>
> Apparently the (in)famous <a href="https://datatracker.ietf.org/doc/draft-cavage-http-signatures/" rel="noreferrer" target="_blank">https://datatracker.ietf.org/doc/draft-cavage-http-signatures/</a> scheme has more or less become a de-facto standard.<br>
> <br>
> Convincing the Berlin Group to change their NextGenPSD2 API will probably not happen since no standardized alternative is available and OBIE's current signature solution isn't REST compliant.<br>
> <br>
> Anyway, there are other things FAPI could do to gather more interest. It may be worthwhile collecting such and then decide where to go.<br>
> <br>
> Here are a few known (and published) candidates:<br>
> 1. An HTTP signature scheme that supports JSON serialization and embedding.<br>
> 2. A scheme for enriching authorization requests.<br>
> 3. A scheme for using FAPI locally in banks.<br>
> <br>
> I'm currently plotting with #3 because it should be 100% backward compatible, while still being potentially quite useful. "Low hanging fruit" :) Note though that OAuth2 is not really my area of expertize so it would be great if this was a FAPI project!<br>
> <br>
> WDYT?<br>
> <br>
> Anders<br>
> <br>
> <a href="https://github.com/cyberphone/swedbank-psd2-saturn" rel="noreferrer" target="_blank">https://github.com/cyberphone/swedbank-psd2-saturn</a><br>
> <br>
> <br>
> _______________________________________________<br>
> Openid-specs-fapi mailing list<br>
> <a href="mailto:Openid-specs-fapi@lists.openid.net" target="_blank">Openid-specs-fapi@lists.openid.net</a><br>
> <a href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-fapi</a><br>
<br>
_______________________________________________<br>
Openid-specs-fapi mailing list<br>
<a href="mailto:Openid-specs-fapi@lists.openid.net" target="_blank">Openid-specs-fapi@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-fapi</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="font-size:1em;font-weight:bold;line-height:1.4"><div style="color:rgb(97,97,97);font-family:"Open Sans";font-size:14px;font-weight:normal;line-height:21px"><div style="font-family:Arial,Helvetica,sans-serif;font-size:0.925em;line-height:1.4;color:rgb(220,41,30);font-weight:bold"><div style="font-size:14px;font-weight:normal;color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;line-height:normal"><div style="color:rgb(0,164,183);font-weight:bold;font-size:1em;line-height:1.4"><div style="font-weight:400;color:rgb(51,51,51);line-height:normal"><div style="color:rgb(0,164,183);font-weight:bold;font-size:1em;line-height:1.4">Dave Tonge</div><div style="font-size:0.8125em;line-height:1.4">CTO</div><div style="font-size:0.8125em;line-height:1.4;margin:0px"><a href="http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A" style="color:rgb(131,94,165)" target="_blank"><img alt="Moneyhub Enterprise" height="50" src="http://content.moneyhub.co.uk/images/teal_Moneyhub-Ent_logo_200x50.png" title="Moneyhub Enterprise" width="200" style="border: none; padding: 0px; border-radius: 2px; margin: 7px;"></a></div><div style="padding:8px 0px"><div style="padding:8px 0px"><div style="letter-spacing:normal;line-height:normal"><div style="padding:8px 0px"><span style="color:rgb(0,164,183);font-size:11px">Moneyhub Financial Technology, 5th Floor, 10 Temple Back, Bristol, BS1 6FL</span></div><span style="font-size:11px;line-height:15.925px;color:rgb(0,164,183);font-weight:bold">t: </span><span style="font-size:11px;line-height:15.925px">+44 (0)117 280 5120</span><br style="color:rgb(0,164,183);font-size:11px;line-height:15.925px"></div><div style="letter-spacing:normal;line-height:normal"><span style="font-size:11px;line-height:15.925px"><br></span></div><div style="color:rgb(97,97,97);font-family:"Open Sans";letter-spacing:normal"><div style="line-height:1.4"><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;font-size:0.75em">Moneyhub Enterprise is a trading style of Moneyhub Financial Technology Limited which is authorised and regulated by the Financial Conduct Authority ("FCA"). Moneyhub Financial Technology is entered on the Financial Services Register </span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;font-size:0.75em;background-color:transparent">(FRN </span><span style="color:rgb(0,164,183);font-family:lato,"open sans",arial,sans-serif;font-size:10.5px;font-weight:700">809360</span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:0.75em">) at <a href="http://fca.org.uk/register" target="_blank">fca.org.uk/register</a>. M</span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:10.5px">oneyhub</span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:0.75em"> Financial Technology is registered in England & Wales, company registration number </span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:0.75em"> </span><span style="font-weight:bold;color:rgb(0,164,183);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:0.75em">06909772</span><span style="background-color:transparent"><font color="#333333" face="lato, open sans, arial, sans-serif"><span style="font-size:0.75em"> .</span></font></span></div><div style="font-family:lato,"open sans",arial,sans-serif;color:rgb(51,51,51);line-height:1.4"><span style="background-color:transparent;font-size:10.5px">Moneyhub</span><span style="background-color:transparent;font-size:0.75em"> Financial Technology Limited 2018 </span><span style="background-color:transparent;color:rgb(34,34,34);font-family:arial,sans-serif;font-size:x-small">©</span></div><div style="font-family:lato,"open sans",arial,sans-serif;color:rgb(51,51,51);line-height:1.4"><span style="background-color:transparent;font-size:0.75em"><br></span></div><div style="font-family:lato,"open sans",arial,sans-serif;color:rgb(51,51,51);line-height:1.4"><span style="background-color:transparent;font-size:0.75em;color:rgb(136,136,136)">DISCLAIMER: This email (including any attachments) is subject to copyright, and the information in it is confidential. Use of this email or of any information in it other than by the addressee is unauthorised and unlawful. Whilst reasonable efforts are made to ensure that any attachments are virus-free, it is the recipient's sole responsibility to scan all attachments for viruses. All calls and emails to and from this company may be monitored and recorded for legitimate purposes relating to this company's business. Any opinions expressed in this email (or in any attachments) are those of the author and do not necessarily represent the opinions of Moneyhub Financial Technology Limited or of any other group company.</span></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>