[Openid-specs-fapi] Issue #136: responsibility (openid/fapi)
nat at sakimura.org
Mon Mar 5 23:57:39 UTC 2018
If you have a concrete text proposal, that would be lovely.
Research Fellow, Nomura Research Institute
Chairman of the Board, OpenID Foundation
On 2018-03-05 22:26, Tom Jones via Openid-specs-fapi wrote:
> Note that the FCA claims it is there to protect the user
> https://www.fca.org.uk/about/protecting-consumers
> It has fixed up some of the language since this thread began. Now the only problem that I have with the FCA docs is that the user experience is not adequate.
> I would like to see FAPI pt 2 be adequate from a user experience perspective.
> The OAuth spec does recognize the need for trust, but does not explain the mechanism.
> I believe that any useful Financial API needs to address the need for trust, and I would like it to mandate at least something about the mechanism for obtaining that trust.
> Peace ..tom
> On Mon, Mar 5, 2018 at 5:05 AM, Tom Jones <thomasclinganjones at gmail.com> wrote:
> Perhaps my language is not clear then.
> As I understand it, the AS gets a grant, which actually comes from the client, and responds with a token; the explicit assumption is that the user trusts the OP to do that with the user's consent.
> What I believe MUST be in scope for this to make any sense is that the user knows who the client is and trusts the client to act on the user's behalf.
> If that is not in scope then this spec is actually meaningless from the user's perspective.
> I understand that is out of scope in OpenID Connect, but it must be for this profile. That is why I also added the strong ID part for the client.
> In a nutshell:
> THE USER MUST BE ABLE TO TRUST ANY ENTITY THAT ACTS ON THE USER'S BEHALF TO TAKE MONEY OUT OF THE USER'S ACCOUNT.
> My assertion:
> If that is not in scope we have failed the user.
> Peace ..tom
> On Fri, Mar 2, 2018 at 3:05 PM, tomcjones via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:
> New issue 136: responsibility
> https://bitbucket.org/openid/fapi/issues/136/responsibility
> Add a clarifying comment to FAPI #2
> Following this profile as written is not sufficient to prove the user bears responsibility for the security of the transaction.
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi