[Openid-specs-fapi] EBA Opinion on eIDAS certs

Dave Tonge dave.tonge at momentumft.co.uk
Wed Dec 12 14:19:00 UTC 2018


So @Ralph Bragg <ralph.bragg at raidiam.com> is an expert on this, but my
perspective is:

 - QWAC are eIDAS certs that can be used either as client or server certs
for TLS
 - QSealC are eIDAS certs to be used for message signing
 - The EBA doesn't have any requirement for banks to use QWACs as server
certs
 - The EBA encourages TPPs to use QWACs as client certs for TLS mutual auth
 - The EBA also encourages TPPs to use QSealC to sign messages
 - The bank is the one who decides which certs the TPP has to use

From a FAPI perspective:
 - We support* the use of QWACs for mutual TLS for both client
authentication and proof of possession of access tokens
 - We support* the use of QSealCs for signing JWTs, e.g. Request Object, or
private_key_jwt client auth

* by support, I mean that we don't preclude the use of eIDAS certs. The
underlying specs for oauth mutual TLS - allow the use of PKI based certs.
The underlying specs for request object and private_key_jwt allow the use
of keys that are backed by certs rather than just raw keys.

So I think FAPI does support both uses proposed by the EBA. In terms of
guidance for implementers I can think of the following:
 - because an eIDAS cert is "org level" rather than "software level" it is
strongly advisable to have a means of the RP communicating to the OP which
certs should be associated with it
 - jwks_uri is a good place for the RP to let the OP know which certs it
will use for signing, and allows easy rotation
 - client registration metadata such as `tls_client_auth_subject_dn` is a
good place for the RP to let the OP know the DN of the certs it will use
for client authentication

We have discussed previously some sort of "Implementers Guidelines" for
FAPI, and I would support the creation of such a document. This working
group has a lot of expertise relating to the implementation of FAPI and
related specs in a financial context that it would be good to capture, but
which sit outside of the current specs.

Dave

On Wed, 12 Dec 2018 at 14:55, Nat Sakimura via Openid-specs-fapi <
openid-specs-fapi at lists.openid.net> wrote:

> On the first read, it looks like FAPI will be OK if the MTLS's client
> certs is the QSealC and the bank's web site certs is QWAC but I may be
> wrong.
>
> Your guidance is sought > Dave
>
> ---
> Nat Sakimura
> Research Fellow, Nomura Research Institute
> Chairman of the Board, OpenID Foundation
>
> On 2018-12-12 22:46, Rob Otto via Openid-specs-fapi wrote:
> > Dave and others - is there any scope or precedent for amending or
> > extending the FAPI profiles to take this guidance into account? Could
> > or should there be a "FAPI over EIDAS" profile that takes this
> > guidance and turns it into something concrete and implementable by the
> > industry?
> >
> > On Wed, 12 Dec 2018 at 12:35, Dave Tonge via Openid-specs-fapi
> > <openid-specs-fapi at lists.openid.net> wrote:
> >
> >> Hi all,
> >>
> >> This has just been published:
> >>
> >> https://eba.europa.eu/-/eba-publishes-an-opinion-on-the-use-of-eidas-certificates-under-psd2
> >>
> >> The EBA are strongly advocating message signing as well as mutual
> >> TLS.
> >>
> >> --
> >>
> >> Dave Tonge
> >> CTO
> >> _______________________________________________
> >> Openid-specs-fapi mailing list
> >> Openid-specs-fapi at lists.openid.net
> >> http://lists.openid.net/mailman/listinfo/openid-specs-fapi [4]
> >
> > --
> >
> >  Rob Otto
> >  EMEA Field CTO/Solutions Architect
> >  robotto at pingidentity.com
> >
>


-- 
Dave Tonge
CTO
Moneyhub Financial Technology, 5th Floor, 10 Temple Back, Bristol, BS1 6FL
t: +44 (0)117 280 5120
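The guidance above (an org-level eIDAS cert mapped to a client through `tls_client_auth_subject_dn`, and the same cert bound to access tokens over mutual TLS) as an added, self-contained example; this is not code from the thread, the FAPI specs or any of the companies mentioned. It assumes the RFC 8705 meaning of `tls_client_auth_subject_dn` and of the `cnf.x5t#S256` claim, a simplified distinguishedNameMatch for DN comparison, and uses constructed registration data and certificate bytes:

```python
"""Added example, not from the thread or any FAPI spec: resolve an org-level
eIDAS QWAC presented for mutual TLS to a registered client via
`tls_client_auth_subject_dn`, and derive the cnf.x5t#S256 token binding.
DN comparison is a simplified distinguishedNameMatch (RFC 4517): types and
values case-insensitive, whitespace insignificant, RDN order preserved.
All registration data and certificate bytes are constructed stand-ins."""
import base64
import hashlib
import re

REGISTRATIONS = {  # constructed; 2.5.4.97 is organizationIdentifier (PSD2 QWACs)
    "tpp-app-1": {"tls_client_auth_subject_dn":
                  "CN=acme-tpp.example, O=Acme TPP Ltd, 2.5.4.97=PSDGB-FCA-123456, C=GB"},
    "tpp-app-2": {"tls_client_auth_subject_dn": "CN=other-tpp.example, O=Other TPP, C=DE"},
}
_RDN_SPLIT = re.compile(r"(?<!\\),")  # commas not escaped as "\," separate RDNs

def parse_dn(dn: str) -> tuple:
    """RFC 4514 string -> normalised tuple of (type, value) pairs."""
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        attr_type, _, value = rdn.partition("=")
        value = " ".join(value.replace("\\,", ",").split())  # collapse whitespace
        rdns.append((attr_type.strip().lower(), value.lower()))
    return tuple(rdns)

def dn_match(expected: str, presented: str) -> bool:
    return parse_dn(expected) == parse_dn(presented)

def client_for_cert(presented_dn: str, registrations=REGISTRATIONS):
    """client_id whose registered DN matches the presented QWAC, else None.
    An eIDAS cert is per organisation, so several software clients of one TPP
    may register the same DN; the OP must then disambiguate by client_id
    (e.g. from the token request), which this helper signals by returning None."""
    hits = [cid for cid, meta in registrations.items()
            if dn_match(meta["tls_client_auth_subject_dn"], presented_dn)]
    return hits[0] if len(hits) == 1 else None

def x5t_s256(cert_der: bytes) -> str:
    """cnf.x5t#S256: base64url(SHA-256(DER)) without padding (RFC 8705)."""
    return base64.urlsafe_b64encode(hashlib.sha256(cert_der).digest()).rstrip(b"=").decode()

if __name__ == "__main__":
    presented = "cn=ACME-TPP.EXAMPLE,o=Acme  TPP Ltd,2.5.4.97=PSDGB-FCA-123456,c=gb"
    print(client_for_cert(presented))           # tpp-app-1
    print(client_for_cert("CN=unknown, C=GB"))  # None
    print(x5t_s256(b"constructed-der-bytes"))
```

The OP-side check is deliberately strict about ambiguity: because a QWAC identifies the organisation rather than one piece of software, two registrations sharing a DN must be resolved by client_id rather than by the certificate alone.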
