[Openid-specs-fapi] A change suggestion to the Foreword of our specs

Dave Tonge dave.tonge at momentumft.co.uk
Tue Nov 28 06:25:29 UTC 2017


Hi Nat,

This sounds good.
I aim to submit a pull request with some changes to the CIBA profile
shortly (based on the discussions at the face to face meeting).

Tom - there are several use-cases where it will be beneficial to have a
separation between the authentication device and the consumption device, e.g.

   - Paying at a POS terminal - an identifier is entered at the POS
   terminal, but auth happens on the user's phone
   - A call centre agent requesting access to an account for support
   purposes - the call centre agent initiates the auth flow, the customer
   approves the request to give the call centre agent access to the account

In addition, whether we agree with it or not, there is a recognised need
for a "decoupled" mode of auth in Europe to support PSD2. A decoupled mode,
based on CIBA, could support any number of interactions. For example, it
may be a better user experience for a person connecting their bank accounts
to a personal finance dashboard on their laptop to not be redirected, but
rather to authenticate and authorise the connection on their mobile device.

Dave

On 28 November 2017 at 05:07, Tom Jones via Openid-specs-fapi <
openid-specs-fapi at lists.openid.net> wrote:

> I have not been able to come up with any use case where an FI would use
> CIBA.
> Can someone please provide one?
> thx ..tomj
>
> Peace ..tom
>
> On Mon, Nov 27, 2017 at 6:42 PM, Nat Sakimura via Openid-specs-fapi <
> openid-specs-fapi at lists.openid.net> wrote:
>
>> Dear FAPIers:
>>
>> I and Edmund are preparing for a next draft to be pushed to openid.net
>> site. In doing so, the following paragraph in the Foreword section came to
>> my attention.
>>
>>     Financial API consists of the following parts:
>>
>>     Part 1: Read-Only API Security Profile
>>     Part 2: Read and Write API Security Profile
>>     Part 3: Open Data API
>>     Part 4: Protected Data API and Schema - Read-Only
>>     Part 5: Protected Data API and Schema - Read and Write
>>
>> This does not reflect our current thinking.
>>
>> I thought maybe it is better to replace with something like:
>>
>>     Financial API consists of the following parts:
>>
>>     Part 1: Read-Only API Security Profile
>>     Part 2: Read and Write API Security Profile
>>     Part 3: Client Initiated Backchannel Authentication Profile
>>
>>     Further parts may follow.
>>
>> What do you think?
>>
>> Nat
>>
>> --
>> Nat Sakimura
>> Research Fellow, Nomura Research Institute
>> Chairman of the Board, OpenID Foundation
>> _______________________________________________
>> Openid-specs-fapi mailing list
>> Openid-specs-fapi at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
>>
>
>


-- 
Dave Tonge
CTO
Moneyhub Enterprise <http://moneyhubenterprise.com/>
10 Temple Back, Bristol, BS1 6FL
t: +44 (0)117 280 5120

Moneyhub Enterprise is a trading style of Momentum Financial Technology
Limited which is authorised and regulated by the Financial Conduct
Authority ("FCA"). Momentum Financial Technology is entered on the
Financial Services Register (FRN 561538) at fca.org.uk/register. Momentum
Financial Technology is registered in England & Wales, company registration
number 06909772 © . Momentum Financial Technology Limited 2016. DISCLAIMER:
This email (including any attachments) is subject to copyright, and the
information in it is confidential. Use of this email or of any information
in it other than by the addressee is unauthorised and unlawful. Whilst
reasonable efforts are made to ensure that any attachments are virus-free,
it is the recipient's sole responsibility to scan all attachments for
viruses. All calls and emails to and from this company may be monitored and
recorded for legitimate purposes relating to this company's business. Any
opinions expressed in this email (or in any attachments) are those of the
author and do not necessarily represent the opinions of Momentum Financial
Technology Limited or of any other group company.
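The decoupled interaction described in this thread (an identifier entered at the POS
terminal, approval on the customer's phone) can be simulated end to end. The following
is an added example, not code from the thread or from the FAPI/CIBA specifications. The
parameter and error names follow OpenID Connect CIBA Core poll mode (login_hint,
binding_message, auth_req_id, expires_in, interval, the ciba grant type,
authorization_pending, slow_down, expired_token, access_denied); the in-memory OP,
the FakeClock, the HMAC token minting and demo_pos_payment() are assumptions made for
the illustration.

```python
"""Simulation of an OpenID Connect CIBA poll-mode exchange.

Constructed example: not code from the FAPI/CIBA specs or the mailing list.
Names follow CIBA Core poll mode; the in-memory OP, FakeClock, HMAC token
minting and demo_pos_payment() are assumptions made for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

CIBA_GRANT = "urn:openid:params:grant-type:ciba"


class FakeClock:
    """Deterministic clock so the demo runs without sleeping."""
    def __init__(self) -> None:
        self.t = 0.0
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


@dataclass
class AuthRequest:
    login_hint: str
    binding_message: str
    scope: str
    created: float
    expires_in: int
    interval: int
    status: str = "pending"           # pending | approved | denied
    last_poll: Optional[float] = None


class OpenIDProvider:
    """Minimal in-memory OP: backchannel authentication endpoint + token endpoint."""

    def __init__(self, clock) -> None:
        self.clock = clock
        self.requests: Dict[str, AuthRequest] = {}
        self.key = secrets.token_bytes(32)   # key for minting demo access tokens

    def backchannel_authenticate(self, login_hint, binding_message, scope,
                                 expires_in=120, interval=5):
        # Called by the consumption device; the user sees nothing here.
        auth_req_id = secrets.token_urlsafe(32)
        self.requests[auth_req_id] = AuthRequest(
            login_hint, binding_message, scope, self.clock(), expires_in, interval)
        return {"auth_req_id": auth_req_id, "expires_in": expires_in, "interval": interval}

    def pending_for_user(self, login_hint):
        # What the authentication device lists for the user, binding_message included.
        return [(rid, r.binding_message, r.scope) for rid, r in self.requests.items()
                if r.login_hint == login_hint and r.status == "pending"]

    def user_decision(self, auth_req_id, approve, code_seen_on_consumption_device):
        # Approve only if the code shown on the POS matches the code on the phone:
        # this stops the user from approving a request someone else started.
        r = self.requests[auth_req_id]
        matches = hmac.compare_digest(code_seen_on_consumption_device, r.binding_message)
        expired = self.clock() - r.created > r.expires_in
        r.status = "approved" if (approve and matches and not expired) else "denied"

    def token(self, grant_type, auth_req_id):
        if grant_type != CIBA_GRANT:
            return {"error": "unsupported_grant_type"}
        r = self.requests.get(auth_req_id)
        if r is None:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now - r.created > r.expires_in:
            del self.requests[auth_req_id]
            return {"error": "expired_token"}
        if r.last_poll is not None and now - r.last_poll < r.interval:
            r.interval += 5                       # client must back off by 5 s
            return {"error": "slow_down", "interval": r.interval}
        r.last_poll = now
        if r.status == "pending":
            return {"error": "authorization_pending"}
        del self.requests[auth_req_id]            # one-shot: approved or denied
        if r.status == "denied":
            return {"error": "access_denied"}
        tag = hmac.new(self.key, f"{r.login_hint}|{r.scope}".encode(), hashlib.sha256)
        return {"access_token": tag.hexdigest(), "token_type": "Bearer", "scope": r.scope}


def demo_pos_payment(approve=True, code_typed=None, phone_delay=0):
    """POS terminal (consumption device) vs customer's phone (authentication device).
    Returns the POS's final token-endpoint response."""
    clock = FakeClock()
    op = OpenIDProvider(clock)
    # 1. Cashier enters the customer's identifier; the POS displays a per-transaction code.
    pos_code = "4417"
    start = op.backchannel_authenticate("alice@example.com", pos_code, "openid payments")
    auth_req_id = start["auth_req_id"]
    # 2. First poll: nothing has been approved yet.
    assert op.token(CIBA_GRANT, auth_req_id) == {"error": "authorization_pending"}
    # 3. Polling again inside the interval earns a slow_down; honour the new interval.
    clock.advance(1)
    backoff = op.token(CIBA_GRANT, auth_req_id)
    assert backoff["error"] == "slow_down"
    # 4. Meanwhile the phone shows the pending request together with its binding code.
    clock.advance(phone_delay)
    rid, shown_code, _scope = op.pending_for_user("alice@example.com")[0]
    op.user_decision(rid, approve, code_typed if code_typed is not None else shown_code)
    # 5. The POS polls again after the increased interval and gets the outcome.
    clock.advance(backoff["interval"])
    return op.token(CIBA_GRANT, auth_req_id)


if __name__ == "__main__":
    print(demo_pos_payment())
```

The point the simulation makes is that the consumption device never handles the user's
credentials: it only learns an auth_req_id and then waits. The binding_message is what
ties the approval on the phone to the request on the POS; a user who types the wrong
code, declines, or responds after expires_in leaves the POS with access_denied or
expired_token rather than a token.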