[Openid-specs-fapi] Strong MERCHANT Authentication

Anders Rundgren anders.rundgren.net at gmail.com
Thu Apr 9 16:20:53 UTC 2020


On 2020-04-09 16:30, Francis Pouatcha wrote:
<snip>
> 
>     Personally, I'm into "moderately smart contracts" that are targeted at a more conventional payment market:
>     https://cyberphone.github.io/doc/payments/y2020-strong-merchant-authorization.pdf
> 
> Great illustration. This is the way to go. Banking Protocols like EBICS (http://www.ebics.org/home-page/) have been making use of the signature key-pairs in the corporate context for a while. Now it is also open for individual customers. We will slowly be witnessing progress in this direction.

Thanks!  I hope you are right :)

EBICS was new to me.  It looks quite interesting.

In my particular use case, secure lookup services are used rather than X.509 certificates due to the amount of structured and certified data needed by verifiers:
https://mobilepki.org/webpay-payeebank/payees/86344
This makes the scheme scale trust-wise in the same way as the bank network itself without introducing new parties in the soup.  Merchant hosting services may though be needed since banks typically are not equipped for dealing with small merchants.

The use of the lookup in messages:
{
    "authorityUrl": "https://mobilepki.org/webpay-payeebank/payees/86344",
    ...actual message data comes here...
    "requestSignature": {
        "algorithm": "ES256",
        "publicKey": {
            "kty": "EC",
            "crv": "P-256",
            "x": "_7bQ8JTt6_r1lh46kwmwypqMkZOJ0cYs-w2LHWOYt5M",
            "y": "tLcyLWDQoAk4cMaWY7BdV3JaywQQoLxO2WQ30Klj6fc"
        },
        "value": "gzB2o0mDTh_xzV9xHm44xI2Y93T63b1c....BnCJlEetYSiGUqUUeroqbFxbQWF8lD3g"
    }
}

Regards,
Anders

> 
> 
> -- 
> Francis Pouatcha
> Co-Founder and Technical Lead at adorys
> https://adorsys-platform.de/solutions/
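
The "publicKey" inside "requestSignature" in the message above is supplied by the sender, so a verifier relying on the lookup has to tie that key to the record behind "authorityUrl". The following is an added example of that binding check, not code from the post or from the project it describes; the record layout ("signatureKeys"), the host allowlist and the fetch_record callable are assumptions, and verifying the ES256 signature value itself is left to a JOSE library.

```python
import base64
import hashlib
import json
from urllib.parse import urlsplit

# Assumption: hosts this verifier already trusts to publish payee records.
TRUSTED_AUTHORITY_HOSTS = {"mobilepki.org"}

# Key and URL copied from the message on this page; the record layout
# ("signatureKeys") is constructed for illustration.
PAGE_KEY = {"kty": "EC", "crv": "P-256",
            "x": "_7bQ8JTt6_r1lh46kwmwypqMkZOJ0cYs-w2LHWOYt5M",
            "y": "tLcyLWDQoAk4cMaWY7BdV3JaywQQoLxO2WQ30Klj6fc"}
URL = "https://mobilepki.org/webpay-payeebank/payees/86344"
SAMPLE_RECORD = {"signatureKeys": [PAGE_KEY]}
SAMPLE_MESSAGE = {"authorityUrl": URL,
                  "requestSignature": {"algorithm": "ES256", "publicKey": PAGE_KEY}}


def jwk_thumbprint(jwk):
    """RFC 7638 SHA-256 thumbprint of an EC public key in JWK form."""
    required = {name: jwk[name] for name in ("crv", "kty", "x", "y")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def key_is_vouched_for(message, fetch_record):
    """True only if the self-asserted signature key is listed by the authority.

    fetch_record(url) is a hypothetical callable returning the parsed record
    served at authorityUrl (in production: an HTTPS GET with certificate checks).
    """
    try:
        url = message["authorityUrl"]
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname not in TRUSTED_AUTHORITY_HOSTS:
            return False  # never dereference a lookup target we do not trust
        embedded = jwk_thumbprint(message["requestSignature"]["publicKey"])
        listed = {jwk_thumbprint(k) for k in fetch_record(url)["signatureKeys"]}
    except (KeyError, TypeError, ValueError, AttributeError):
        return False  # malformed message or record: fail closed
    return embedded in listed


if __name__ == "__main__":
    print(key_is_vouched_for(SAMPLE_MESSAGE, lambda url: SAMPLE_RECORD))
```
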


