[Openid-specs-mobile-profile] Feedback on CIBA

Dave Tonge dave.tonge at momentumft.co.uk
Thu Jun 14 15:58:24 UTC 2018 

Hi John

Thanks for the info.

In terms of the risk of an attacker gaining control of the client
notification endpoint then the OP presenting a cert wont help?
It would help if the client notification endpoint was protected with a
certificate issued by a federation operator (e.g. OpenBanking). However
such a requirement would increase the operational complexity of many
ecosystems.

I know its a bit late in the day, but I'd argue that the cost of an extra
API call required by this approach is far outweighed by the benefits.

Is the notification mode being adopted by Mobile Connect?

Thanks

Dave

On 13 June 2018 at 17:20, John Bradley <ve7jtb at ve7jtb.com> wrote:

> I think something like that was suggested earlier in the spec discussion.
>
> I think there was push back around the extra call required.
>
> For the post it can be over a mutual TLS connection.  I don’t know that
> MATLS from the client is that much more secure than MATLS to the client.
>
> For the FAPI profile we may want to provide advice on certificate
> validation.
>
> On the other hand I think polling is probably the better option in most
> cases.
>
> The reason for post back are perceived concerns about delay and load.
>
> John B.
>
>
> On Jun 13, 2018, at 1:10 AM, Dave Tonge <dave.tonge at momentumft.co.uk>
> wrote:
>
> Hi Mike
>
> Its a good point with regards to pushing tokens and that mode is unlikely
> to be supported by UK OpenBanking - they'll rely on the polling method.
>
> From a FAPI perspective we currently do include the notification mode, but
> on reflection I think that it would be preferable to change the
> notification mode to NOT deliver the token, but rather to inform the client
> that they can go and fetch the token. i.e. the payload for client
> notification could contain the auth_req_id, but nothing else. The client
> would then need to make an authenticated call to the token endpoint to get
> the token. This is how webhooks work in the banks that support them - no
> sensitive data or token is sent via webhook, rather ids are sent which can
> be used by an authenticated client to access resources.
>
> John, Bjorn, Gonzalo what do you think about this approach? It would
> simplify the document quite a bit and in my mind brings the best of both
> worlds: no polling but secure token delivery.
>
> Dave
>
>
>
> On 7 June 2018 at 20:11, Mike Schwartz <mike at gluu.org> wrote:
>
>> MODRNA Group,
>>
>> CIBA was discussed on the UMA WG call today. Eve has been working on a
>> compare/contrast analysis between UMA and CIBA. And this discussion got me
>> thinking a little more...
>>
>> One point from Justin Richer was that you are sending tokens back to the
>> Client Notification Endpoint. This is risky, as you are trusting DNS. UMA
>> makes the client authenticate at the token endpoint to obtain the tokens.
>> Pushing tokens was discussed and dismissed as lacking security. I'm
>> surprised the Open Banking group was ok with this.
>>
>> I also wonder if the response from the bc_authorize should include an
>> id_token--I think it should be some other signed JWT assertion (with many
>> of the claims present in an id_token). It seems weird to me to return an
>> id_token to a client when the subject is not the person connected to the
>> user agent.
>>
>> IMHO, CIBA could be accomplished using UMA as the security mechanism,
>> with bc_authorize as the RS (protected endpoint on the OP). Its request and
>> response would be defined much as you did.
>>
>> If you are starting from scratch, is it easier to implement CIBA with UMA
>> for security, or CIBA plus it's one-off security model? Personally, I think
>> UMA would be cheaper because we'd get more re-use.
>>
>> If I get some time in the next week, I'll try to write up a draft of CIBA
>> using UMA. HEART also uses UMA, so it's not unheard of for an OpenID WG to
>> use it as part of a solution.
>>
>> I know everyone wants to ship ASAP, so it's probably too late to bring
>> this stuff up.
>>
>> - Mike
>>
>> _______________________________________________
>> Openid-specs-mobile-profile mailing list
>> Openid-specs-mobile-profile at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile
>>
>
>
>
> --
> Dave Tonge
> CTO
> [image: Moneyhub Enterprise]
> <http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A>
> Moneyhub Financial Technology, 2nd Floor, Whitefriars Business Centre,
> Lewins Mead, Bristol, BS1 2NT
> t: +44 (0)117 280 5120
>
> Moneyhub Enterprise is a trading style of Moneyhub Financial Technology
> Limited which is authorised and regulated by the Financial Conduct
> Authority ("FCA"). Moneyhub Financial Technology is entered on the
> Financial Services Register (FRN 561538) at fca.org.uk/register. Moneyhub Financial
> Technology is registered in England & Wales, company registration number
> 06909772 © . Moneyhub Financial Technology Limited 2018. DISCLAIMER: This
> email (including any attachments) is subject to copyright, and the
> information in it is confidential. Use of this email or of any information
> in it other than by the addressee is unauthorised and unlawful. Whilst
> reasonable efforts are made to ensure that any attachments are virus-free,
> it is the recipient's sole responsibility to scan all attachments for
> viruses. All calls and emails to and from this company may be monitored and
> recorded for legitimate purposes relating to this company's business. Any
> opinions expressed in this email (or in any attachments) are those of the
> author and do not necessarily represent the opinions of Momentum Financial
> Technology Limited or of any other group company.
>
>
>


-- 
Dave Tonge
CTO
[image: Moneyhub Enterprise]
<http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A>
Moneyhub Financial Technology, 2nd Floor, Whitefriars Business Centre,
Lewins Mead, Bristol, BS1 2NT
t: +44 (0)117 280 5120

Moneyhub Enterprise is a trading style of Moneyhub Financial Technology
Limited which is authorised and regulated by the Financial Conduct
Authority ("FCA"). Moneyhub Financial Technology is entered on the
Financial Services Register (FRN 561538) at fca.org.uk/register.
Moneyhub Financial
Technology is registered in England & Wales, company registration number
06909772 © . Moneyhub Financial Technology Limited 2018. DISCLAIMER: This
email (including any attachments) is subject to copyright, and the
information in it is confidential. Use of this email or of any information
in it other than by the addressee is unauthorised and unlawful. Whilst
reasonable efforts are made to ensure that any attachments are virus-free,
it is the recipient's sole responsibility to scan all attachments for
viruses. All calls and emails to and from this company may be monitored and
recorded for legitimate purposes relating to this company's business. Any
opinions expressed in this email (or in any attachments) are those of the
author and do not necessarily represent the opinions of Momentum Financial
Technology Limited or of any other group company.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20180614/9373967b/attachment-0001.html>

More information about the Openid-specs-mobile-profile mailing list