[Openid-specs-fapi] Issue #178: Editorial: Specs should explain the risks of writing an RP library from scratch (openid/fapi)

OpenID Foundation Director director at oidf.org
Thu Sep 27 11:45:17 UTC 2018


The OpenID Foundation welcomes the contributions of "Libraries Products and Tools”<https://openid.net/developers/libraries/> for Finanacial Grade APIs and other Working Groups.

Please see https://openid.net/developers/libraries/


On Sep 27, 2018, at 7:41 AM, Ralph Bragg via Openid-specs-fapi <openid-specs-fapi at lists.openid.net<mailto:openid-specs-fapi at lists.openid.net>> wrote:

Hi,

There's a number of libraries that have been developed by OB or OB resources. I will see what we can do to get some of those "certified" by the FAPI conformance harness.

Guidance on the use of certified RP libraries is definately something we should include IMO.


RB
________________________________________
From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net<mailto:openid-specs-fapi-bounces at lists.openid.net>> on behalf of Joseph Heenan via Openid-specs-fapi <openid-specs-fapi at lists.openid.net<mailto:openid-specs-fapi at lists.openid.net>>
Sent: 27 September 2018 12:05
To: openid-specs-fapi at lists.openid.net<mailto:openid-specs-fapi at lists.openid.net>
Cc: Joseph Heenan
Subject: [Openid-specs-fapi] Issue #178: Editorial: Specs should explain the risks of writing an RP library from scratch (openid/fapi)

New issue 178: Editorial: Specs should explain the risks of writing an RP library from scratch
https://bitbucket.org/openid/fapi/issues/178/editorial-specs-should-explain-the-risks

Joseph Heenan:

We're seeing in the UK OpenBanking community that people are again and again writing their own RP libraries from scratch. This is obvious from the number of very basic openid connect questions that a significant number of TPPs have asked.

I think to a lesser extent we also see this from the banks, at least one UK bank has created a AS from scratch, and another one has built on top of a product that doesn't support openid connect. (Thankfully the majority of banks used existing products that are already openid connect certified, and the were generally rewarded with much smoother rollouts.)

I think it's a significant risk to the whole ecosystem. I'm pretty certain that every TPP that has created their own RP code will have a significant number of security issues. TPPs are also not usually running conformance tests.

I think we should add to either the introduction or the security considerations (or both) some clear statements that these specs are not intended for people to follow to create clients from scratch, and that they are intended for a guide for people to use to create certified libraries, or something along those lines - and that there are definite risks associated with trying to roll your own openid client.

We can also emphasise the openid foundation / google efforts to create certified client libraries for many languages.

I think the OpenID Foundation should also be creating a separate list of FAPI supporting RP libraries. (which wouldn't form part of the FAPI specs, but the specs could perhaps link to.)


_______________________________________________
Openid-specs-fapi mailing list
Openid-specs-fapi at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-fapi

Please consider the environment before printing this email.

This email is from Open Banking Limited, Company Number 10440081.  Our registered and postal address is 2 Thomas More Square, London, E1W 1YN.  Any views or opinions are solely those of the author and do not necessarily represent those of Open Banking Limited.

This email and any attachments are confidential and are intended for the above named only.  They may also be legally privileged or covered by other legal rights and rules.  Unauthorised dissemination or copying of this email and any attachments, and any use or disclosure of them, is strictly prohibited and may be illegal.  If you have received them in error, please delete them and all copies from your system and notify the sender immediately by return email. You can also view our privacy policy (https://www.openbanking.org.uk/privacy-policy).
_______________________________________________
Openid-specs-fapi mailing list
Openid-specs-fapi at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-fapi

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20180927/8767b4b8/attachment.html>


More information about the Openid-specs-fapi mailing list