[Openid-specs-fapi] Fwd: Re: [Openid-lc] Letter to the Euro Retail Payments Board

Nat Sakimura nat at sakimura.org
Thu May 11 05:02:38 UTC 2017


Nat Sakimura
Research Fellow, Nomura Research Institute
Chairman of the Board, OpenID Foundation

-------- Original Message --------
Subject: Re: [Openid-lc] Letter to the Euro Retail Payments Board
Date: 2017-05-11 14:00
From: Nat Sakimura via Openid-lc <openid-lc at lists.openid.net>
To: Dave Tonge <dave.tonge at moneyhub.com>
Cc: Openid-lc at lists.openid.net
Reply-To: Nat Sakimura <nat at sakimura.org>

Thanks Dave for coming up with this.

A couple of suggestions.

1. Insert (https://openid.net/) after the "OpenID Foundation" so that 
it becomes

     The OpenID Foundation (https://openid.net/) is a nonprofit

2. Change (Nomura) to (Nomura Research Institute)

3. List the highlighted risks as sub-bullets of "2. To highlight the 
risks with some of the technical proposals that are being considered 
across Europe". Align the section headers with it. e.g.

- Risk of not having an authorisation standard
- Risk of private key compromise through using a single certificate for 
all operations
- Risk of using Man-in-the-middle for PSP authentication

4. Change "are" to "includes" so that it will become:

     Its members includes key authors for many of the IETF standards 
relating to OAuth 2.0 and OpenID Connect.

5. Change "ISO TC68" to "ISO/TC68".

6. Change x509 to X.509.

7. Number each heading so that it will be easier to reference the 

8. On a more general note, I was not very sure of what we are trying to 
express in "The Need for an Authorisation Standard" because I do not 
know what they are trying to do. What are they trying to do and what 
risk are we trying to communicate? If it could be expressed more clearly, 
it would be great.

9. In "Using a single certificate for all operations is bad practice", 
at the end, perhaps we can talk about the use of the software statement 
and the dynamic registration leveraging on the work UK OB did.


Nat Sakimura
Research Fellow, Nomura Research Institute
Chairman of the Board, OpenID Foundation

On 2017-05-10 17:29, Dave Tonge wrote:
> Dear List Members,
> I would like to send the attached letter to the Co-Chairs of the
> Payment Initiation Services Identification Subgroup at the Working
> Group on Payment Initiation Services at the Euro Retail Payments
> Board.
> This working group was established to help establish technical
> standards for PSD2 [1] (the EU 2nd Payment Services Directive). I
> would like to establish a relationship with the working group and make
> them aware of the FAPI WG. In the letter I am also expressing concern
> at some of the technical solutions currently being proposed by the
> working group.
> I have attached the letter as a PDF, it is also available via Google
> Docs
> here: https://docs.google.com/document/d/1SB8ZRiOH5GJOtAl2KYJv9M4-kMua_zBAsGZDYNlGuj0/edit?usp=sharing
> [2]
> I welcome any comments or feedback on the letter.
> Thank you
> --
> Dave Tonge
> , Moneyhub
> Links:
> ------
> [1]
> https://www.ecb.europa.eu/paym/retpaym/shared/pdf/6th-ERPB-meeting/Pan-European_integration_of_payment_initiation_services_PIS.pdf?6cd5510c82f6e7d2fa308cc46b68279c
> [2]
> https://docs.google.com/document/d/1SB8ZRiOH5GJOtAl2KYJv9M4-kMua_zBAsGZDYNlGuj0/edit?usp=sharing