<div dir="ltr"><div>A few comments (on the parts that I was able to understand well enough to make any comment): <br></div><div><br></div><div>There's a little typo in "2.5. Relationship between this profile with RFC 7151 (JWS)... " - it should have 7515 rather than 7151 <br></div><div><br></div><div>With respect to "x-jws-signature", it's probably too late to change but my understanding is that using the "x-" prefix is out of vogue these days - i.e., see <a href="https://tools.ietf.org/html/rfc6648">https://tools.ietf.org/html/rfc6648</a> <br></div><div><br></div><div>With respect to 'RECOMMENDATION-15: "typ" Header parameter should be set to "JOSE".', it seems like the type is already implied or known by the context of use, i.e., as the value of "x-jws-signature", so it's not clear that using the "typ" header here in this way adds anything beyond making the JWS a little bit bigger?</div><div><br></div><div>With respect to 'The JAdES "sigT" header parameter contains the claimed signing time encoded using the JSON format for UTC (e.g. "2019-11-19T17:28:15Z").', I'm not aware of a JSON format for UTC but if there is such a thing, a reference is probably warranted. I also wonder why something like JWT's NumericDate wasn't used here rather than a formatted string? <br></div><div><br></div><div>I'd concur about x5t#o.</div><div><br></div><div><br></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Feb 4, 2020 at 4:50 AM Ralph Bragg via Openid-specs-fapi <<a href="mailto:openid-specs-fapi@lists.openid.net">openid-specs-fapi@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="EN-GB">
<div class="gmail-m_-8622102771333005598WordSection1">
<p class="MsoNormal"><span class="gmail-m_-8622102771333005598EmailStyle19">Thanks Mike – I’m sure the team working on it will sort it out.</span><span><u></u><u></u></span></p>
<p class="MsoNormal"><span><u></u> <u></u></span></p>
<div style="border-color:rgb(181,196,223) currentcolor currentcolor;border-style:solid none none;border-width:1pt medium medium;padding:3pt 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:12pt;color:black">From: </span></b><span style="font-size:12pt;color:black">Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>><br>
<b>Date: </b>Tuesday, 4 February 2020 at 10:50<br>
<b>To: </b>Financial API Working Group List <<a href="mailto:openid-specs-fapi@lists.openid.net" target="_blank">openid-specs-fapi@lists.openid.net</a>><br>
<b>Cc: </b>Ralph Bragg <<a href="mailto:ralph.bragg@raidiam.com" target="_blank">ralph.bragg@raidiam.com</a>><br>
<b>Subject: </b>RE: #OBEDocument: OBE JWS Profile [revised draft for review]<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<p class="MsoNormal"><span style="color:rgb(0,32,96)">This spec seems to be generally solid and well-reasoned.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="color:rgb(0,32,96)"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="color:rgb(0,32,96)">I am a bit surprised by the requirement to use keys from X.509 certificates in Section 5.3, rather than keys from JWKs. But I understand that that may be the reality of the targeted deployment environments.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="color:rgb(0,32,96)"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="color:rgb(0,32,96)">I understand the reference to draft-cavage-http-signatures but everyone should be aware that this is a work in progress and is likely to change. If you want to keep the reference, the draft should probably explicitly
say that the specification uses draft-cavage-http-signatures-10 – even though subsequent and potentially incompatible versions may be published.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="color:rgb(0,32,96)"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="color:rgb(0,32,96)">The x5t#o header parameter is pretty strange. If new thumbprint algorithms are needed, it would be better to register new values, like x5t#S256 was, rather than to introduce a level of indirection to determine
the digest algorithm. It’s not the end of the world, but it’s certainly not how the JOSE working group would have added additional digest algorithms.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="color:rgb(0,32,96)"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="color:rgb(0,32,96)">Thanks for asking for the review.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="color:rgb(0,32,96)"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="color:rgb(0,32,96)"> -- Mike</span><u></u><u></u></p>
<p class="MsoNormal"><span style="color:rgb(0,32,96)"> </span><u></u><u></u></p>
<div>
<div style="border-color:rgb(225,225,225) currentcolor currentcolor;border-style:solid none none;border-width:1pt medium medium;padding:3pt 0cm 0cm">
<p class="MsoNormal"><b>From:</b> Openid-specs-fapi <<a href="mailto:openid-specs-fapi-bounces@lists.openid.net" target="_blank">openid-specs-fapi-bounces@lists.openid.net</a>>
<b>On Behalf Of </b>Ralph Bragg via Openid-specs-fapi<br>
<b>Sent:</b> Wednesday, January 29, 2020 6:46 AM<br>
<b>To:</b> <a href="mailto:openid-specs-fapi@lists.openid.net" target="_blank">openid-specs-fapi@lists.openid.net</a><br>
<b>Cc:</b> Ralph Bragg <<a href="mailto:ralph.bragg@raidiam.com" target="_blank">ralph.bragg@raidiam.com</a>><br>
<b>Subject:</b> [EXTERNAL] Re: [Openid-specs-fapi] #OBEDocument: OBE JWS Profile [revised draft for review]<u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Hi All,<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Please see the proposed initial draft for JWS signatures, comments back to me if you’d like to influence the standard.<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Kind Regards,<u></u><u></u></p>
<p class="MsoNormal">Ralph<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<div style="border-color:rgb(181,196,223) currentcolor currentcolor;border-style:solid none none;border-width:1pt medium medium;padding:3pt 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:12pt;color:black">From: </span></b><span style="font-size:12pt;color:black">Joao Daniel Parracho <<a href="mailto:j.parracho@openbankingeurope.eu" target="_blank">j.parracho@openbankingeurope.eu</a>><br>
<b>Date: </b>Friday, 24 January 2020 at 13:41<br>
<b>Subject: </b>#OBEDocument: OBE JWS Profile [revised draft for review]</span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<p class="MsoNormal">Dear colleagues,<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">As agreed, please find attached the OBE JWS Profile document draft for review. We kindly ask you to submit any comments by
<u>14<sup>th</sup> February</u>. <u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Kind regards,<u></u><u></u></p>
<p class="MsoNormal">João<u></u><u></u></p>
<p class="MsoNormal" style="text-align:justify;background:white none repeat scroll 0% 0%"><b><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:rgb(27,75,104)" lang="DE">João Parracho</span></b><u></u><u></u></p>
<p class="MsoNormal" style="text-align:justify;background:white none repeat scroll 0% 0%"><b><span style="font-size:10pt;font-family:"Arial Narrow",sans-serif;color:rgb(27,75,104)" lang="DE">Communications & Engagement Consultant | Open Banking Europe</span></b><u></u><u></u></p>
<p class="MsoNormal" style="text-align:justify;background:white none repeat scroll 0% 0%"><span style="font-size:10pt;font-family:"Arial",sans-serif;color:rgb(34,34,34)" lang="DE"><a href="mailto:j.parracho@openbankingeurope.eu" target="_blank"><span style="color:rgb(5,99,193)">j.parracho@openbankingeurope.eu</span></a></span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:9pt;font-family:"Arial",sans-serif;color:rgb(34,34,34);background:white none repeat scroll 0% 0%" lang="FR-BE">40 rue de Courcelles | F-75008 Paris, France</span><span style="font-size:10pt;font-family:"Arial",sans-serif;color:rgb(34,34,34);background:white none repeat scroll 0% 0%" lang="DE"> </span><u></u><u></u></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:9pt;font-family:"Arial",sans-serif"><a href="https://www.openbankingeurope.eu/" target="_blank"><span style="color:rgb(5,99,193)">https://www.openbankingeurope.eu/</span></a></span><u></u><u></u></p>
</div>
</div>
</blockquote></div>
<br>
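<p>An added example, not part of the thread or of the OBE draft: a receiver-side check of the two protected-header values discussed above, the "sigT" string form (converted to the NumericDate integer raised as an alternative) and an RFC 7515 "x5t#S256" thumbprint. The function names, the 300-second acceptance window, the "PS256" value and the sample bytes are assumptions made for illustration.</p>

```python
import base64
import hashlib
import json
import re
from datetime import datetime, timezone

# Exact shape of the example in the thread: "2019-11-19T17:28:15Z"
SIGT_RE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z")

def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def x5t_s256(cert_der: bytes) -> str:
    """RFC 7515 x5t#S256: base64url(SHA-256(DER-encoded certificate))."""
    return b64url(hashlib.sha256(cert_der).digest())

def sigt_to_numeric_date(sig_t) -> int:
    """Convert the string form to seconds since the epoch (NumericDate)."""
    if not isinstance(sig_t, str) or not SIGT_RE.fullmatch(sig_t):
        raise ValueError("sigT is not YYYY-MM-DDThh:mm:ssZ")
    dt = datetime.strptime(sig_t, "%Y-%m-%dT%H:%M:%SZ")  # rejects month 13 etc.
    return int(dt.replace(tzinfo=timezone.utc).timestamp())

def check_protected_header(protected_b64, cert_der, now, max_skew=300):
    """Return a list of problems found; an empty list means both checks passed.

    This runs in addition to signature verification, not instead of it.
    max_skew is an assumed policy value, not taken from the draft.
    """
    padded = protected_b64 + "=" * (-len(protected_b64) % 4)
    header = json.loads(base64.urlsafe_b64decode(padded))
    problems = []
    if header.get("x5t#S256") != x5t_s256(cert_der):
        problems.append("x5t#S256 mismatch")
    try:
        signed_at = sigt_to_numeric_date(header.get("sigT"))
    except ValueError:
        problems.append("sigT malformed")
    else:
        if abs(now - signed_at) > max_skew:
            problems.append("sigT outside window")
    return problems

# Constructed sample input: placeholder bytes standing in for a DER certificate.
SAMPLE_CERT = b"constructed placeholder bytes, not a real DER certificate"

def sample_header(sig_t, cert=SAMPLE_CERT):
    """Build a constructed protected header for the checks above."""
    hdr = {"alg": "PS256", "sigT": sig_t, "x5t#S256": x5t_s256(cert)}
    return b64url(json.dumps(hdr).encode())
```

<p>The string form needs a format check, a calendar check and an explicit UTC assumption before it can be compared with a clock; a NumericDate would be compared directly as an integer.</p>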