[Openid-specs-fapi] Fwd: Letter from Vice-President Valdis Dombrovskis: Comments about Redirection

Anders Rundgren anders.rundgren.net at gmail.com
Wed Feb 27 06:48:12 UTC 2019


On 2019-02-24 23:07, Tom Jones via Openid-specs-fapi wrote:
> Boy, you hit the nail on the head there. The bank regulators will take the side of the merchant and pisp over the bank and its customer.  What could possibly go wrong?


Tom,
Just for my curiosity, could you elaborate a bit about what *new* security issues PISPs bring to the table and if you see any remedies to them?

Anders

> Peace ..tom
> 
> 
> On Sun, Feb 24, 2019 at 12:15 PM Dave Tonge <dave.tonge at momentumft.co.uk <mailto:dave.tonge at momentumft.co.uk>> wrote:
> 
>     Big merchants will become PISPs, but it's not worth it for smaller merchants.
>     The UX doesn't need to be too bad though in a 4 party model - the PISP can collect consent in a widget on the merchant site before redirecting to the bank.
> 
>     The negativity against redirection is quite strange as PSD2 essentially brought in two competing requirements:
>       - third party payment initiation
>       - strong customer authentication
> 
>     Those against redirect have in their mind the mental model of card based payments where the user enters some numbers in the merchant website and never interacts with the bank who issued the card. However all card payments will end up having to be redirected because of the strong customer authentication requirements - so it is a contradictory position to hold.
> 
>     I think that most regulators will take a pragmatic position on this based on whether the bank is putting up "obstacles".
> 
>     Dave
> 
>     On Sat, 23 Feb 2019 at 05:09, Tom Jones via Openid-specs-fapi <openid-specs-fapi at lists.openid.net <mailto:openid-specs-fapi at lists.openid.net>> wrote:
> 
>         Why would the merchant not seek to become the pisp? Then the ux is pretty, but highly insecure. Isn't that what PSD is all about?
> 
>         thx ..Tom (mobile)
> 
>         On Fri, Feb 22, 2019, 7:45 PM Anders Rundgren via Openid-specs-fapi <openid-specs-fapi at lists.openid.net <mailto:openid-specs-fapi at lists.openid.net>> wrote:
> 
>             On 2019-02-22 13:25, nat at sakimura.org <mailto:nat at sakimura.org> wrote:
>              > And interestingly, the Nordic countries support OpenID Connect in the redirect modes. It is actually quite interesting that people get the impression that redirects are user unfriendly where in fact, if done correctly, it is hardly noticeable by the user. I probably should make a YouTube video about it.
> 
>             In a two-party scenario like a Fintech + Bank it can work fairly smoothly.
> 
>             For a three-party scenario like Merchant + PISP + Bank, the UX part as a whole seems like a challenge.  That's the video I would like to see!
> 
>             Anders
> 
>             _______________________________________________
>             Openid-specs-fapi mailing list
>             Openid-specs-fapi at lists.openid.net <mailto:Openid-specs-fapi at lists.openid.net>
>             http://lists.openid.net/mailman/listinfo/openid-specs-fapi
> 