[Openid-specs-fapi] PSD2 - FAPI Client Registration

Ralph Bragg ralph.bragg at raidiam.com
Sat Aug 1 20:49:57 UTC 2020


Hi,

Resharing the comparison and analysis previously shared with this group, given that in a JAdES signature, the body and headers are signed as part of the request, non-repudiation is achieved. I’ll admit, I prefer the OBIE current approach as it’s nicely tied up in a bow / single message but both mechanisms offer non repudiation.

Also the original TDA decision with input from the Major Banks can be found on the OBIE TDA website which debated various different methods. You might find this useful crafting the way forward for DCR for Berlin. If there is a desire to see the UK model of a signed DCR request being picked up out of the UK then it should be standardized so I’m keen to see how this progresses.

RB

From: Francis Pouatcha <fpo at adorsys.de>
Date: Saturday, 1 August 2020 at 21:15
To: Ralph Bragg <ralph.bragg at raidiam.com>
Cc: Financial API Working Group List <openid-specs-fapi at lists.openid.net>
Subject: Re: [Openid-specs-fapi] PSD2 - FAPI Client Registration

Hello Ralph,

The draft ETSI JAdES standard is what I refer to  with "JSON Web Signature Profile for Open Banking" that is designed to be JAdES compliant.. Berlin Group is also behind the standard, as they are listed among the contributors.

Although the OBIE approach is criticized, it is the only option I met so far that provides non repudiation for DCR.

Considering heavy regulation of the financial industry, not covering non repudiation is not an option.

Best regards.
/Francis

On Sat, Aug 1, 2020 at 3:12 PM Ralph Bragg <ralph.bragg at raidiam.com<mailto:ralph.bragg at raidiam.com>> wrote:
Hi Francis,

I can only take partial credit for its adoption in the obie specifications the other credit belongs to the talented Pam Dingle.  The draft ETSI JAdES standard for payload signing should also be consulted (though it’s a detached format for signing) if you want something that’s future proof and a European wide standard for JSON payload signing.

All standards bodies Are being encouraged to adopt  JAdES by ETSI when it is published so check if that is still the intention for Berlin group.

I should also point out that the obie approach isn’t necessarily universally liked by this community as the inner jwt has to be unpacked to obtain the key locations in order to validate the outer payload. It’s not an ietf or oidf standard however there is wide spread support for processing this request format from  all major idps.

Ralph Bragg
Raidiam Services Ltd

Sent from a mobile device. Please excuse brevity and typos.
________________________________
From: Francis Pouatcha <fpo at adorsys.de<mailto:fpo at adorsys.de>>
Sent: Friday, July 31, 2020 10:35:16 PM
To: Ralph Bragg <ralph.bragg at raidiam.com<mailto:ralph.bragg at raidiam.com>>
Cc: Financial API Working Group List <openid-specs-fapi at lists.openid.net<mailto:openid-specs-fapi at lists.openid.net>>
Subject: Re: [Openid-specs-fapi] PSD2 - FAPI Client Registration

Hello Ralph,

excellent work done here (https://openbankinguk.github.io/dcr-docs-pub/v3.3/dynamic-client-registration.html#software-statement). realy! We can build on top of this.

For authentication of TPP with ASPSP's AS, we will use: tls_client_auth. This is included.

OBIE signing the entire registration request provides for non repudiation for the registration call. This is a great first step. If we can add the QSealC to the header of the request, we will be complete here.

Last part missing would be the non repudiation for all other back channel requests from TPP to ASPSP's AS.

To FAPI Working Group:

IT makes sense to add the option of having (all) requests from TPP to ASPSP's AS signed (e.g.: QSealC). We could call this authentication method: "signed_http_request".

The signature scheme supported by the AS could be published with AS metadata. IT could be:
- JSON Web Signature Profile for Open Banking (See EBA Clearing)
- draft-ietf-httpbis-message-signatures
- Or any other scheme providing non repudiation over HTTP messages.

The AS metadata could define the header field where to put the signature certificate (Like in NextGenPSD2 the TPP-Signature-Certificate).

Canonicalization shall also be defined by the chosen signature standard.

Does this look like a change request to FAPI?

Best regards
/Francis


On Fri, Jul 31, 2020 at 2:07 AM Ralph Bragg <ralph.bragg at raidiam.com<mailto:ralph.bragg at raidiam.com>> wrote:

Hi Francis,



See here for the OBIE DCR Spec.

https://openbankinguk.github.io/dcr-docs-pub/v3.3/dynamic-client-registration.html#software-statement



It supports both a federation provider issued Software Statement Assertion and a Self Signed Software Statement Assertion and is an example of a DCR request sent as a JWT to bind both the SSA and the Request together.



The same approach can be achieved by using standard DCR (JSON) with ecosystem defined ‘initial access token’ as a JWT provided the request is sent over a tamper resistant transport channel such as an Mutually Authenticated TLS channel where both parties are using QWACs to identify each other.



Rgds,

RB





From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net<mailto:openid-specs-fapi-bounces at lists.openid.net>> on behalf of Ralph Bragg via Openid-specs-fapi <openid-specs-fapi at lists.openid.net<mailto:openid-specs-fapi at lists.openid.net>>
Reply to: Financial API Working Group List <openid-specs-fapi at lists.openid.net<mailto:openid-specs-fapi at lists.openid.net>>
Date: Friday, 31 July 2020 at 06:03
To: Financial API Working Group List <openid-specs-fapi at lists.openid.net<mailto:openid-specs-fapi at lists.openid.net>>
Cc: Ralph Bragg <ralph.bragg at raidiam.com<mailto:ralph.bragg at raidiam.com>>, Francis Pouatcha <fpo at adorsys.de<mailto:fpo at adorsys.de>>
Subject: Re: [Openid-specs-fapi] PSD2 - FAPI Client Registration



Hi Francis,



There are two approaches. 1. Sign the entire registration request. Look a the obie dynamic client registration approach for an example of how this is performed.



2. Craft and define an “initial access token” which can be defined as a jwt that a tpp can use as part of registration. I have examples of both approaches if you drop me a line.



The obie is publishing a list of trusted qtsp certificates issuing and I believe the root authorities as well they is created by processing the EU list of trust listed.  banks should have no excuses for not being able to determine the set of issuing authorities to trust up front.



Kind Regards,

Ralph





________________________________

From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net<mailto:openid-specs-fapi-bounces at lists.openid.net>> on behalf of Francis Pouatcha via Openid-specs-fapi <openid-specs-fapi at lists.openid.net<mailto:openid-specs-fapi at lists.openid.net>>
Sent: Friday, July 31, 2020 3:09:15 AM
To: Openid-specs Fapi <openid-specs-fapi at lists.openid.net<mailto:openid-specs-fapi at lists.openid.net>>
Cc: Francis Pouatcha <fpo at adorsys.de<mailto:fpo at adorsys.de>>
Subject: [Openid-specs-fapi] PSD2 - FAPI Client Registration



In our attempt to use FAPI to implement the NextGenPSD2 oAuth approach, we are facing the following problem.



The PSD2 trust framework assumes each ASPSP maintains the list of legitimated certification authorities (rootCAs). This is, regulators expect ASPSP to accept requests from any licensed TPP that present a valid QWAC/QSealC certificate.



We have been looking for a way to use dynamic client registration to allow the TPP to register with ASPSP's OP/AS prior to sending their first requests.



OP can get access to TPP's authenticated information:

- If TPP uses mTLS (QWAC) at the OP interface.

- If TPP uses QSealC to sign the client registration request, seems to be the best approach, as it also provides non repudiation.



Request Signature:

Alt-1: I prefer signing the whole http request (see https://datatracker.ietf.org/doc/draft-ietf-httpbis-message-signatures/). Not sure if this is covered by FAPI.

Alt-2: QSealC could be used to produce a private_key_jwt that will be included to the registration request. QSealC can be added to the token, to avoid pre-registration. Digest of the request body could be added to the private_key_jwt to provide for non repudiation.



What am I missing? Are we still in the scope of OIDC/FAPI or getting out of bound?



Thanks in advance for feedback.

--

Francis Pouatcha

Co-Founder and Technical Lead

adorsys GmbH & Co. KG

https://adorsys-platform.de/solutions/


--
Francis Pouatcha
Co-Founder and Technical Lead
adorsys GmbH & Co. KG
https://adorsys-platform.de/solutions/


--
Francis Pouatcha
Co-Founder and Technical Lead
adorsys GmbH & Co. KG
https://adorsys-platform.de/solutions/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20200801/c5c55d35/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Raidiam ETSI OBE OBIE Signature Formats v0.2[2].docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 2493560 bytes
Desc: Raidiam ETSI OBE OBIE Signature Formats v0.2[2].docx
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20200801/c5c55d35/attachment-0001.docx>


More information about the Openid-specs-fapi mailing list