[Openid-specs-fapi] Issue #140: New name for FAPI (openid/fapi)

Dave Tonge dave.tonge at momentumft.co.uk
Thu May 10 14:52:16 UTC 2018


(reposting to the list)



So I agree that it would be good to change the name.

I'm not sure if we need the name to bear a resemblance to FAPI. The main
references in the current spec are used in header names. For example:

Required: x-fapi-interaction-id x-fapi-financial-id

Optional x-fapi-auth-date x-fapi-customer-ip-address

We've already had a debate that the usage of "x-" isn't ideal. In addition
we have the issue that such values aren't signed.

At the moment "financial-id" seems unnecessary in most use cases. I will
raise a separate issue recommending that it is removed and we make it
mandatory that each financial institution has separate endpoints (I believe
this is the case with all OpenBanking integrations).

The other three parameters should ideally use standardised names rather
than using the fapi prefix. auth-date and ip-address would seem to be more
appropriately put into a SET (security event token) that the RP sends to
the OP. At least then they would be signed.

Even while we have the fapi prefix I suggest that we go for a generic name
for the profile that doesn't use the FAPI initials. My suggestions would be:

   - High assurance
   - High security

or something similar...

On 2 May 2018 at 06:12, Nat Sakimura via Openid-specs-fapi <
openid-specs-fapi at lists.openid.net> wrote:

> New issue 140: New name for FAPI
> https://bitbucket.org/openid/fapi/issues/140/new-name-for-fapi
>
> Nat Sakimura:
>
> In March Board meeting, the board requested the name for FAPI to be
> generalized so that it will match the wider applicability of the security
> profiles.
>
> This is a fair request but the catch is that the string 'fapi' is already
> used in the protocol parameters and we do not want to change it.
>
> Thus we have a constrained name search: the new name should have an
> acronym that would result in **FAPI**.
>
> This ticket collects some candidates on it.
>
> Some of the initial ideas:
>
> * Fully Assured Protection Interoperable
> * Fair Assurance Protection Interface
>
>
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
>



-- 
Dave Tonge
CTO
[image: Moneyhub Enterprise]
<http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A>
Moneyhub Financial Technology, 2nd Floor, Whitefriars Business Centre,
Lewins Mead, Bristol, BS1 2NT
t: +44 (0)117 280 5120

Moneyhub Enterprise is a trading style of Moneyhub Financial Technology
Limited which is authorised and regulated by the Financial Conduct
Authority ("FCA"). Moneyhub Financial Technology is entered on the
Financial Services Register (FRN 561538) at fca.org.uk/register.
Moneyhub Financial
Technology is registered in England & Wales, company registration number
06909772 © . Moneyhub Financial Technology Limited 2018. DISCLAIMER: This
email (including any attachments) is subject to copyright, and the
information in it is confidential. Use of this email or of any information
in it other than by the addressee is unauthorised and unlawful. Whilst
reasonable efforts are made to ensure that any attachments are virus-free,
it is the recipient's sole responsibility to scan all attachments for
viruses. All calls and emails to and from this company may be monitored and
recorded for legitimate purposes relating to this company's business. Any
opinions expressed in this email (or in any attachments) are those of the
author and do not necessarily represent the opinions of Momentum Financial
Technology Limited or of any other group company.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20180510/6ce514c5/attachment-0001.html>


More information about the Openid-specs-fapi mailing list