[Openid-specs-fapi] EBA Opinion on eIDAS certs

Ralph Bragg ralph.bragg at raidiam.com
Wed Dec 12 16:47:29 UTC 2018


Generally I agree there are no FAPI considerations or changes that need to be factored in stemming from this paper so far. The FAPI RW spec supports all models, with additional specification and clarification required for the transport requirements by ASPSPs.

Cheers,
RB

From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on behalf of Ralph Bragg via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>
Reply-To: Financial API Working Group List <openid-specs-fapi at lists.openid.net>
Date: Wednesday, 12 December 2018 at 16:45
To: Dave Tonge <dave.tonge at momentumft.co.uk>, Openid-specs Fapi <openid-specs-fapi at lists.openid.net>
Cc: Ralph Bragg <ralph.bragg at raidiam.com>, Barry O'Donohoe <barry.odonohoe at raidiam.com>, Mark Haine <mark.haine at raidiam.com>
Subject: Re: [Openid-specs-fapi] EBA Opinion on eIDAS certs

Hi Dave,

Your summary is a logical assessment and one that I support, and I can confirm that, of the three options raised in the EBA document, several banks will be supporting both Option 1 (QWAC+QSEAL in parallel) and Option 2 (QWAC + OB signing material for the purpose of message integrity).

The reading from Raidiam is that ASPSPs can oblige TPPs to use:

  *   Option 1: Both types of eIDAS certificates. (Typically MATLS + MTLS or private_key_jwt)
  *   Option 2: A QWAC only. (Typically MATLS + MTLS)
  *   Option 3 (Reading A): QSealC only and ASPSP Q/WAC certificate only, required for using an "adapted customer interface" (private_key_jwt with token binding).

Additionally we've been notified of an alternative reading of Option 3 being considered by some participant ASPSPs:

  *   Option 3 (Reading B): QSEAL only + requiring TPPs to obtain an OBWAC + ASPSP OBWAC certificate.

Option 3A provides a way for an ASPSP to "provide an additional element that ensures secure communication" without requiring anything of the TPP except mandating token binding to prevent man in the middle.

Some banks, however, are considering implementing Option 3B, using ambiguity in the EBA documents to compel TPPs to use another transport certificate, device or factor type not supporting QWACs as part of the communication session a TPP establishes with an ASPSP.

It was a great Christmas present to have this drop on the ecosystem last night and one which unfortunately adds additional confusion in some areas as much as it clarifies in others.

Cheers,
Ralph


From: Dave Tonge <dave.tonge at momentumft.co.uk>
Date: Wednesday, 12 December 2018 at 14:19
To: Openid-specs Fapi <openid-specs-fapi at lists.openid.net>, Ralph Bragg <ralph.bragg at raidiam.com>
Cc: Nat Sakimura <nat at sakimura.org>, Freddi Gyara <Freddi.Gyara at openbanking.org.uk>, Barry O'Donohoe <barry.odonohoe at raidiam.com>, Mark Haine <mark.haine at raidiam.com>
Subject: Re: [Openid-specs-fapi] EBA Opinion on eIDAS certs

So Ralph Bragg is an expert on this, but my perspective is:

 - QWACs are eIDAS certs that can be used either as client or server certs for TLS
 - QSealCs are eIDAS certs to be used for message signing
 - The EBA doesn't have any requirement for banks to use QWACs as server certs
 - The EBA encourages TPPs to use QWACs as client certs for TLS mutual auth
 - The EBA also encourages TPPs to use QSealC to sign messages
 - The bank is the one who decides which certs the TPP has to use

From a FAPI perspective:
 - We support* the use of QWACs for mutual TLS for both client authentication and proof of possession of access tokens
 - We support* the use of QSealCs for signing JWTs, e.g. Request Object, or private_key_jwt client auth

* By support, I mean that we don't preclude the use of eIDAS certs. The underlying spec for OAuth mutual TLS allows the use of PKI-based certs. The underlying specs for request object and private_key_jwt allow the use of keys that are backed by certs rather than just raw keys.

So I think FAPI does support both uses proposed by the EBA. In terms of guidance for implementers I can think of the following:
 - because an eIDAS cert is "org level" rather than "software level" it is strongly advisable to have a means of the RP communicating to the OP which certs should be associated with it
 - jwks_uri is a good place for the RP to let the OP know which certs it will use for signing, and allows easy rotation
 - client registration metadata such as `tls_client_auth_subject_dn` is a good place for the RP to let the OP know the DN of the certs it will use for client authentication

We have discussed previously some sort of "Implementers' Guidelines" for FAPI, and I would support the creation of such a document. This working group has a lot of expertise relating to the implementation of FAPI and related specs in a financial context that it would be good to capture, but which sits outside of the current specs.

Dave
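The two uses Dave lists above, worked through as an added example (this is not code from this thread, from the FAPI specs or from any bank's or TPP's implementation): a QSealC key signs a private_key_jwt client assertion whose kid is the certificate's x5t#S256 thumbprint (the value a jwks_uri entry would advertise), and the OP verifies the signature and the iss/sub/aud/exp claims; the QWAC presented in the mTLS handshake is matched against the registered tls_client_auth_subject_dn, and the access token is bound to that QWAC via cnf.x5t#S256 as in RFC 8705 so the resource server can check proof of possession. The client_id, token endpoint, subject DN and the self-signed certificates are constructed stand-ins: real QWACs and QSealCs are issued by a QTSP and carry PSD2 qualified statements and key-usage constraints, which this example does not parse.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// Constructed registration metadata for an illustrative TPP (assumed values, not a real client).
const clientID, tokenEndpoint = "tpp-example-client", "https://aspsp.example/token"
const registeredDN = "CN=Example TPP,O=Example TPP Ltd,C=GB" // tls_client_auth_subject_dn

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// thumbprint is x5t#S256 (RFC 7515 4.1.8, RFC 8705 3.1): base64url(SHA-256(DER certificate)).
func thumbprint(c *x509.Certificate) string { h := sha256.Sum256(c.Raw); return b64(h[:]) }

func decodeSeg(seg string, v interface{}) error {
	return json.NewDecoder(base64.NewDecoder(base64.RawURLEncoding, strings.NewReader(seg))).Decode(v)
}

// newCert mints a self-signed stand-in for a QTSP-issued eIDAS certificate (QWAC or QSealC).
func newCert(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example TPP Ltd"}, Country: []string{"GB"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ClientAssertion is the TPP side of private_key_jwt (RFC 7523): a JWS signed with the QSealC key,
// kid set to the sealing cert's thumbprint so the OP can select that cert from the TPP's jwks_uri.
func ClientAssertion(sealCert *x509.Certificate, sealKey *ecdsa.PrivateKey, now time.Time) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": thumbprint(sealCert)})
	jti := make([]byte, 16)
	rand.Read(jti)
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": clientID, "sub": clientID, "aud": tokenEndpoint, "jti": b64(jti),
		"iat": now.Unix(), "exp": now.Add(60 * time.Second).Unix(),
	})
	input := b64(hdr) + "." + b64(claims)
	digest := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, sealKey, digest[:])
	sig := make([]byte, 64) // JWS ES256 signature is R || S, each left-padded to 32 bytes (RFC 7518 3.4)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64(sig)
}

// VerifyClientAssertion is the OP side: pin the alg, select the key by kid, verify the signature,
// then check iss/sub/aud/exp. A jti replay cache belongs here too and is omitted for brevity.
func VerifyClientAssertion(jwt string, sealCert *x509.Certificate, now time.Time) error {
	parts := strings.Split(jwt, ".")
	var hdr struct{ Alg, Kid string } // encoding/json matches keys case-insensitively
	if len(parts) != 3 || decodeSeg(parts[0], &hdr) != nil || hdr.Alg != "ES256" || hdr.Kid != thumbprint(sealCert) {
		return errors.New("rejected: malformed JWS, unexpected alg, or kid not registered for this client")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub, ok := sealCert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("signature invalid")
	}
	var c struct{ Iss, Sub, Aud string; Exp int64 }
	if decodeSeg(parts[1], &c) != nil || c.Iss != clientID || c.Sub != clientID || c.Aud != tokenEndpoint || now.Unix() >= c.Exp {
		return errors.New("claims rejected: unparsable, wrong iss/sub/aud, or expired")
	}
	return nil
}

// CheckTLSClient is tls_client_auth (RFC 8705 2.1.2): the QWAC presented in the mTLS handshake must
// carry the subject DN recorded at registration (exact RFC 2253 string match, for illustration).
func CheckTLSClient(presented *x509.Certificate) bool {
	return presented.Subject.String() == registeredDN
}

// BoundTokenClaims mints access-token claims bound to the QWAC via cnf.x5t#S256 (RFC 8705 3.1).
func BoundTokenClaims(sub string, tlsCert *x509.Certificate) map[string]interface{} {
	return map[string]interface{}{"sub": sub, "cnf": map[string]string{"x5t#S256": thumbprint(tlsCert)}}
}

// ProofOfPossession is the resource-server check (RFC 8705 3): the cert on this TLS connection must
// hash to the token's cnf thumbprint, so a leaked token is useless without the QWAC private key.
func ProofOfPossession(claims map[string]interface{}, presented *x509.Certificate) bool {
	cnf, _ := claims["cnf"].(map[string]string)
	return cnf["x5t#S256"] == thumbprint(presented)
}
```

Two choices here are the example's, not the specs': using the thumbprint as kid is one convenient way to let the OP find the right entry in the TPP's jwks_uri, and the DN is compared as an exact string, whereas RFC 8705 specifies comparison of the RFC 4514 string form and real deployments need to normalise it. The separate QSealC and QWAC stand-ins show why the two checks must not be interchangeable: an assertion signed with the sealing key does not verify against the transport certificate, and a token bound to the QWAC does not satisfy proof of possession over a connection authenticated with the QSealC.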

On Wed, 12 Dec 2018 at 14:55, Nat Sakimura via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:
On the first read, it looks like FAPI will be OK if the MTLS client cert
is the QSealC and the bank's web site cert is the QWAC, but I may be
wrong.

Your guidance is sought > Dave

---
Nat Sakimura
Research Fellow, Nomura Research Institute
Chairman of the Board, OpenID Foundation

On 2018-12-12 22:46, Rob Otto via Openid-specs-fapi wrote:
> Dave and others - is there any scope or precedent for amending or
> extending the FAPI profiles to take this guidance into account? Could
> or should there be a "FAPI over EIDAS" profile that takes this
> guidance and turns it into something concrete and implementable by the
> industry?
>
> On Wed, 12 Dec 2018 at 12:35, Dave Tonge via Openid-specs-fapi
> <openid-specs-fapi at lists.openid.net> wrote:
>
>> Hi all,
>>
>> This has just been published:
>>
>> https://eba.europa.eu/-/eba-publishes-an-opinion-on-the-use-of-eidas-certificates-under-psd2 [1]
>>
>> The EBA are strongly advocating message signing as well as mutual
>> TLS.
>>
>> --
>>
>> Dave Tonge
>> CTO
>> Moneyhub Enterprise [2]
>>
>> Moneyhub Financial Technology, 5th Floor, 10 Temple Back, Bristol,
>> BS1 6FL
>> t: +44 (0)117 280 5120
>>
>> Moneyhub Enterprise is a trading style of Moneyhub Financial
>> Technology Limited which is authorised and regulated by the
>> Financial Conduct Authority ("FCA"). Moneyhub Financial Technology
>> is entered on the Financial Services Register (FRN 809360) at
>> fca.org.uk/register [3]. Moneyhub Financial Technology is
>> registered in England & Wales, company registration
>> number  06909772 .
>> Moneyhub Financial Technology Limited 2018 ©
>>
>> DISCLAIMER: This email (including any attachments) is subject to
>> copyright, and the information in it is confidential. Use of this
>> email or of any information in it other than by the addressee is
>> unauthorised and unlawful. Whilst reasonable efforts are made to
>> ensure that any attachments are virus-free, it is the recipient's
>> sole responsibility to scan all attachments for viruses. All calls
>> and emails to and from this company may be monitored and recorded
>> for legitimate purposes relating to this company's business. Any
>> opinions expressed in this email (or in any attachments) are those
>> of the author and do not necessarily represent the opinions of
>> Moneyhub Financial Technology Limited or of any other group company.
>> _______________________________________________
>> Openid-specs-fapi mailing list
>> Openid-specs-fapi at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-fapi [4]
>
> --
>
>  Rob Otto
>  EMEA Field CTO/Solutions Architect
>  robotto at pingidentity.com
>
>  c: +44 (0) 777 135 6092
>
>  _CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly
> prohibited.  If you have received this communication in error, please
> notify the sender immediately by e-mail and delete the message and any
> file attachments from your computer. Thank you._
>
> Links:
> ------
> [1] https://eba.europa.eu/-/eba-publishes-an-opinion-on-the-use-of-eidas-certificates-under-psd2
> [2] http://moneyhubenterprise.com/
> [3] http://fca.org.uk/register
> [4] http://lists.openid.net/mailman/listinfo/openid-specs-fapi
>


--
Dave Tonge
CTO
Moneyhub Enterprise
Moneyhub Financial Technology, 5th Floor, 10 Temple Back, Bristol, BS1 6FL
t: +44 (0)117 280 5120