[Openid-specs-fapi] Proposal to use DDA specification in FAPI

Nat Sakimura nat at sakimura.org
Mon Aug 22 15:23:40 UTC 2016 

We can certainly constrain that it has to be sent in the header. 

Sent from iPad

2016/08/22 23:48、John Bradley via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> のメッセージ:

> It is a debate that we keep having, mostly around backwards compatibility and people wanting to send the acess token as a paramater rather than in a headder.
> 
> If we prohibit sending the AT as a query paramater, I am more than happy with GET for read only. 
> 
> John B. 
> 
> 
> On Aug 22, 2016 10:59 AM, "Luis SAIZ GIMENO via Openid-specs-fapi" <openid-specs-fapi at lists.openid.net> wrote:
> Hi,
> 
> Maybe it's not a subject for this list but it sounds odd to me the use of POST for "get" info. In order to be more consistent with REST APIs and to avoid mistakes in authorization rules/scopes I think it should be used GET for read-only operations and POST(PUT/DELETE) for write operations ("transfer" scope)
> 
> The use of GET vs POST for security reasons dates from the early HTTP RFC when TLS was uncommon (HTTP predates TLS). Nowadays and even more in a financial scenario, all transfers must be done under TLS and so no sensitive info can be leaked in proxies. Web servers has access to the full info regardless GET/POST, it's a server-side responsibility to configure web servers audit logs for not logging sensitive information
> 
> Recommendations of W3C:
> 
> https://www.w3.org/2001/tag/doc/whenToUseGet.html
> 
> 
> BTW, HEART WG explicitly refers to RESTful APIs but FAPI don't. Should we consider and discuss about it?
> 
> 
> Best,
> 
> Luis
> 
> -------
> "Crypto can't create trust It merely automates the trust that already exists for other reasons" -- John Gilmore 
> 
> 2016-06-09 2:34 GMT+02:00 Saxena, Anoop <Anoop_Saxena at intuit.com>:
>> Hello All,
>> 
>>  
>> 
>> FS-ISAC working group   ratified a solution that will replace credential based aggregation of data via screen scraping bank website with  OAUTH 2.x & DDA (durable data API).
>> 
>>  
>> 
>> Recommendation for Open Id FAPI working group to use Durable Data API as base which defines various entities definition (such as Account, transactions etc.. ).
>> 
>> These entities are returned under the scope of OAUTH token.
>> 
>>  
>> 
>>  
>> 
>> Note: See attachment for detail DDA Specification.
>> 
>>  
>> 
>> 
>>  
>> 
>> Thanks,
>> 
>>  
>> 
>> Anoop Saxena
>> 
>> Architect
>> Intuit | simplify the business of lifetm
>> 
>> 
>>  
>> 
>> 
>> _______________________________________________
>> Openid-specs-fapi mailing list
>> Openid-specs-fapi at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
> 
> 
> 
> -- 
> BBVA
> Luis Saiz Gimeno
> Innovation in Security
> Móvil +34 609703264 - Tel. +34 918073152 - luis.saiz at bbva.com
> Engineering - Architecture & Global Deployment – Monforte de Lemos, s/n, 28029
> Maps: https://www.google.es/maps/place/Av.+de+Monforte+de+Lemos,+28,+28029+Madrid/
> Antes de imprimir este mensaje, por favor comprueba que es necesario hacerlo. Before you print this message please consider if it is really necessary.
> 
> "Este mensaje está dirigido de manera exclusiva a su destinatario y puede contener información privada y confidencial. No lo reenvíe, copie o distribuya a terceros que no deban conocer su contenido. En caso de haberlo recibido por error,  rogamos lo notifique al remitente y proceda a su borrado, así como al de cualquier documento que pudiera adjuntarse.
> 
>  Por favor tenga en cuenta que los correos enviados vía Internet no permiten garantizar la confidencialidad de los mensajes ni su transmisión de forma íntegra.
> 
>  Las opiniones expresadas en el presente correo pertenecen únicamente al remitente y no representan necesariamente la opinión del Grupo BBVA."
> 
>  "This message is intended exclusively for the adressee and may contain privileged and confidential information. Please, do not disseminate, copy or distribute it to third parties who should not receive it. In case you have received it by mistake, please inform the sender and delete the message and attachments from your system.
> 
>  Please keep in mind that e-mails sent by Internet do not allow to guarantee neither the confidentiality or the integrity of the messages sent."
> 
> 
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
> 
> 
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20160823/4053d35a/attachment.html>

More information about the Openid-specs-fapi mailing list