[Openid-specs-fapi] Issue #136: responsibility (openid/fapi)
thomasclinganjones at gmail.com
Mon Mar 5 13:26:16 UTC 2018
Note that the FCA claims it is there to protect the user
It has fixed up some of the language since this thread began. Now the only
problem that I have with the FCA docs is that the user experience is not
I would like to see fapi pt 2 be adequate from a user experience
The OAUTH spec does recognize the need for trust, but does not explain the
I believe that any useful Financial API needs to address the need for
trust, and I would like it to mandate at least something about the
mechanism for obtaining that trust.
On Mon, Mar 5, 2018 at 5:05 AM, Tom Jones <thomasclinganjones at gmail.com>
> perhaps my language is not clear then.
> As I understand it, the AS gets a grant, which actually comes from the
> client and responds with a token, the explicit assumption is that the user
> trusts the OP to make that at the user's consent.
> What i believe MUST be in scope for this to make any sense is that the
> user knows who the client is and trusts the clients to act on the user's
> If that is not in scope then this spec is actually meaningless from the
> user's perspective.
> I understand that is out of scope in Open ID Connect, but must be for this
> profile. That is why I also added the strong ID part for the client.
> In a nutshell:
> THE USER MUST BE ABLE TO TRUST ANY ENTITY THAT ACTS ON THE USER'S BEHALF
> TO TAKE MONEY OUT OF THE USER ACCOUNT.
> my assertion;
> If that is not in scope we have failed the user.
> Peace ..tom
> On Fri, Mar 2, 2018 at 3:05 PM, tomcjones via Openid-specs-fapi <
> openid-specs-fapi at lists.openid.net> wrote:
>> New issue 136: responsibility
>> Add a clarifying comment to FAPI #2
>> Following this profile as written is not sufficient to prove the user
>> bears responsibility for the security of the transaction.