[Openid-specs-fapi] PSD2 - FAPI Client Registration

Francis Pouatcha fpo at adorsys.de
Sat Aug 1 20:15:39 UTC 2020


Hello Ralph,

The draft ETSI JAdES standard is what I refer to  with "JSON Web Signature
Profile for Open Banking" that is designed to be JAdES compliant.. Berlin
Group is also behind the standard, as they are listed among the
contributors.

Although the OBIE approach is criticized, it is the only option I met so
far that provides non repudiation for DCR.

Considering heavy regulation of the financial industry, not covering non
repudiation is not an option.

Best regards.
/Francis

On Sat, Aug 1, 2020 at 3:12 PM Ralph Bragg <ralph.bragg at raidiam.com> wrote:

> Hi Francis,
>
> I can only take partial credit for its adoption in the obie specifications
> the other credit belongs to the talented Pam Dingle.  The draft ETSI JAdES
> standard for payload signing should also be consulted (though it’s a
> detached format for signing) if you want something that’s future proof and
> a European wide standard for JSON payload signing.
>
> All standards bodies Are being encouraged to adopt  JAdES by ETSI when it
> is published so check if that is still the intention for Berlin group.
>
> I should also point out that the obie approach isn’t necessarily
> universally liked by this community as the inner jwt has to be unpacked to
> obtain the key locations in order to validate the outer payload. It’s not
> an ietf or oidf standard however there is wide spread support for
> processing this request format from  all major idps.
>
> Ralph Bragg
> Raidiam Services Ltd
>
> Sent from a mobile device. Please excuse brevity and typos.
> ------------------------------
> *From:* Francis Pouatcha <fpo at adorsys.de>
> *Sent:* Friday, July 31, 2020 10:35:16 PM
> *To:* Ralph Bragg <ralph.bragg at raidiam.com>
> *Cc:* Financial API Working Group List <openid-specs-fapi at lists.openid.net
> >
> *Subject:* Re: [Openid-specs-fapi] PSD2 - FAPI Client Registration
>
> Hello Ralph,
>
> excellent work done here (
> https://openbankinguk.github.io/dcr-docs-pub/v3.3/dynamic-client-registration.html#software-statement).
> realy! We can build on top of this.
>
> For authentication of TPP with ASPSP's AS, we will use: tls_client_auth.
> This is included.
>
> OBIE signing the entire registration request provides for non repudiation
> for the registration call. This is a great first step. If we can add the
> QSealC to the header of the request, we will be complete here.
>
> Last part missing would be the non repudiation for all other back channel
> requests from TPP to ASPSP's AS.
>
> To FAPI Working Group:
>
> IT makes sense to add the option of having (all) requests from TPP to
> ASPSP's AS signed (e.g.: QSealC). We could call this authentication method:
> "signed_http_request".
>
> The signature scheme supported by the AS could be published with AS
> metadata. IT could be:
> - JSON Web Signature Profile for Open Banking (See EBA Clearing)
> - draft-ietf-httpbis-message-signatures
> - Or any other scheme providing non repudiation over HTTP messages.
>
> The AS metadata could define the header field where to put the signature
> certificate (Like in NextGenPSD2 the TPP-Signature-Certificate).
>
> Canonicalization shall also be defined by the chosen signature standard.
>
> Does this look like a change request to FAPI?
>
> Best regards
> /Francis
>
>
> On Fri, Jul 31, 2020 at 2:07 AM Ralph Bragg <ralph.bragg at raidiam.com>
> wrote:
>
> Hi Francis,
>
>
>
> See here for the OBIE DCR Spec.
>
>
> https://openbankinguk.github.io/dcr-docs-pub/v3.3/dynamic-client-registration.html#software-statement
>
>
>
> It supports both a federation provider issued Software Statement Assertion
> and a Self Signed Software Statement Assertion and is an example of a DCR
> request sent as a JWT to bind both the SSA and the Request together.
>
>
>
> The same approach can be achieved by using standard DCR (JSON) with
> ecosystem defined ‘initial access token’ as a JWT provided the request is
> sent over a tamper resistant transport channel such as an Mutually
> Authenticated TLS channel where both parties are using QWACs to identify
> each other.
>
>
>
> Rgds,
>
> RB
>
>
>
>
>
> *From: *Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on
> behalf of Ralph Bragg via Openid-specs-fapi <
> openid-specs-fapi at lists.openid.net>
> *Reply to: *Financial API Working Group List <
> openid-specs-fapi at lists.openid.net>
> *Date: *Friday, 31 July 2020 at 06:03
> *To: *Financial API Working Group List <openid-specs-fapi at lists.openid.net
> >
> *Cc: *Ralph Bragg <ralph.bragg at raidiam.com>, Francis Pouatcha <
> fpo at adorsys.de>
> *Subject: *Re: [Openid-specs-fapi] PSD2 - FAPI Client Registration
>
>
>
> Hi Francis,
>
>
>
> There are two approaches. 1. Sign the entire registration request. Look a
> the obie dynamic client registration approach for an example of how this is
> performed.
>
>
>
> 2. Craft and define an “initial access token” which can be defined as a
> jwt that a tpp can use as part of registration. I have examples of both
> approaches if you drop me a line.
>
>
>
> The obie is publishing a list of trusted qtsp certificates issuing and I
> believe the root authorities as well they is created by processing the EU
> list of trust listed.  banks should have no excuses for not being able to
> determine the set of issuing authorities to trust up front.
>
>
>
> Kind Regards,
>
> Ralph
>
>
>
>
> ------------------------------
>
> *From:* Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on
> behalf of Francis Pouatcha via Openid-specs-fapi <
> openid-specs-fapi at lists.openid.net>
> *Sent:* Friday, July 31, 2020 3:09:15 AM
> *To:* Openid-specs Fapi <openid-specs-fapi at lists.openid.net>
> *Cc:* Francis Pouatcha <fpo at adorsys.de>
> *Subject:* [Openid-specs-fapi] PSD2 - FAPI Client Registration
>
>
>
> In our attempt to use FAPI to implement the NextGenPSD2 oAuth approach, we
> are facing the following problem.
>
>
>
> The PSD2 trust framework assumes each ASPSP maintains the list of
> legitimated certification authorities (rootCAs). This is, regulators expect
> ASPSP to accept requests from any licensed TPP that present a valid
> QWAC/QSealC certificate.
>
>
>
> We have been looking for a way to use dynamic client registration to allow
> the TPP to register with ASPSP's OP/AS prior to sending their first
> requests.
>
>
>
> OP can get access to TPP's authenticated information:
>
> - If TPP uses mTLS (QWAC) at the OP interface.
>
> - If TPP uses QSealC to sign the client registration request, seems to be
> the best approach, as it also provides non repudiation.
>
>
>
> Request Signature:
>
> Alt-1: I prefer signing the whole http request (see
> https://datatracker.ietf.org/doc/draft-ietf-httpbis-message-signatures/).
> Not sure if this is covered by FAPI.
>
> Alt-2: QSealC could be used to produce a private_key_jwt that will be
> included to the registration request. QSealC can be added to the token, to
> avoid pre-registration. Digest of the request body could be added to the
> private_key_jwt to provide for non repudiation.
>
>
>
> What am I missing? Are we still in the scope of OIDC/FAPI or getting out
> of bound?
>
>
>
> Thanks in advance for feedback.
>
> --
>
> Francis Pouatcha
>
> Co-Founder and Technical Lead
>
> adorsys GmbH & Co. KG
>
> https://adorsys-platform.de/solutions/
>
>
>
> --
> Francis Pouatcha
> Co-Founder and Technical Lead
> adorsys GmbH & Co. KG
> https://adorsys-platform.de/solutions/
>


-- 
Francis Pouatcha
Co-Founder and Technical Lead
adorsys GmbH & Co. KG
https://adorsys-platform.de/solutions/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20200801/0993b355/attachment-0001.html>


More information about the Openid-specs-fapi mailing list