[Openid-specs-fapi] #OBEDocument: OBE JWS Profile [revised draft for review]

Brian Campbell bcampbell at pingidentity.com
Thu Feb 6 21:59:49 UTC 2020


Few comments (on the parts that I was able to understand well enough to
make any comment):

There's a little typo in "2.5. Relationship between this profile with RFC
7151 (JWS)... " - it should have 7515 rather than 7151

With respect to "x-jws-signature", it's probably too late to change but my
understanding is that using the "x-" prefix is out of vogue these days -
i.e., see https://tools.ietf.org/html/rfc6648

With respect to 'RECOMMENDATION-15: "typ" Header parameter should be set to
"JOSE".', it seems like the type is already implied or known by the context
of use, i.e., as the value of "x-jws-signature", so it's not clear that
using the "typ" header here in this way adds anything beyond making the JWS
a little bit bigger?

With respect to 'The JAdES "sigT" header parameter contains the claimed
signing time encoded using the JSON format for UTC (e.g.
"2019-11-19T17:28:15Z").', I'm not aware of a JSON format for UTC but if
there is such a thing, a reference is probably warranted. I also wonder why
something like JWT's NumericDate wasn't used here rather than a formatted
string?

I'd concur about x5t#o.




On Tue, Feb 4, 2020 at 4:50 AM Ralph Bragg via Openid-specs-fapi <
openid-specs-fapi at lists.openid.net> wrote:

> Thanks Mike – I’m sure the team working on it will sort it out.
>
>
>
> *From: *Mike Jones <Michael.Jones at microsoft.com>
> *Date: *Tuesday, 4 February 2020 at 10:50
> *To: *Financial API Working Group List <openid-specs-fapi at lists.openid.net
> >
> *Cc: *Ralph Bragg <ralph.bragg at raidiam.com>
> *Subject: *RE: #OBEDocument: OBE JWS Profile [revised draft for review]
>
>
>
> This spec seems to be generally solid and well-reasoned.
>
>
>
> I am a bit surprised by the requirement to use keys from X.509
> certificates in Section 5.3, rather than keys from JWKs.  But I understand
> that that may be the reality of the targeted deployment environments.
>
>
>
> I understand the reference to draft-cavage-http-signatures but everyone
> should be aware that this is a work in progress and is likely to change.
> If you want to keep the reference, the draft should probably explicitly say
> that the specification uses draft-cavage-http-signatures-10 – even though
> subsequent and potentially incompatible versions may be published.
>
>
>
> The x5t#o header parameter is pretty strange.  If new thumbprint
> algorithms are needed, it would be better to register new values, like
> x5t#S256 was, rather than to introduce a level of indirection to determine
> the digest algorithm.  It’s not the end of the world, but it’s certainly
> not how the JOSE working group would have added additional digest
> algorithms.
>
>
>
> Thanks for asking for the review.
>
>
>
>                                                        -- Mike
>
>
>
> *From:* Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> *On
> Behalf Of *Ralph Bragg via Openid-specs-fapi
> *Sent:* Wednesday, January 29, 2020 6:46 AM
> *To:* openid-specs-fapi at lists.openid.net
> *Cc:* Ralph Bragg <ralph.bragg at raidiam.com>
> *Subject:* [EXTERNAL] Re: [Openid-specs-fapi] #OBEDocument: OBE JWS
> Profile [revised draft for review]
>
>
>
> Hi All,
>
>
>
> Please see the proposed initial draft for JWS signatures, comments back to
> me if you’d like to influence the standard.
>
>
>
> Kind Regards,
>
> Ralph
>
>
>
> *From: *Joao Daniel Parracho <j.parracho at openbankingeurope.eu>
> *Date: *Friday, 24 January 2020 at 13:41
> *Subject: *#OBEDocument: OBE JWS Profile [revised draft for review]
>
>
>
> Dear colleagues,
>
>
>
> As agreed, please find attached the OBE JWS Profile document draft for
> review. We kindly ask you to submit any comments by *14th February*.
>
>
>
> Kind regards,
>
> João
>
> *João Parracho*
>
> *Communications & Engagement Consultant | Open Banking Europe*
>
> j.parracho at openbankingeurope.eu
>
>
>
> 40 rue de Courcelles | F-75008 Paris, France
>
> https://www.openbankingeurope.eu/

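The "sigT" comment in the reply above contrasts a formatted time string with JWT's NumericDate (RFC 7519). The following is an added example, not code from the thread or from the OBE draft: a verifier that accepts only the exact shape of the draft's example value, converts it to a NumericDate, and applies a freshness window. The strict-shape rule and the `max_age` and `max_skew` parameters are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Assumption: sigT has exactly the shape of the draft's example value.
SIGT_RE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z")


def sigt_to_numeric_date(sig_t):
    """Strictly parse a sigT string into seconds since the epoch (NumericDate)."""
    if not isinstance(sig_t, str) or not SIGT_RE.fullmatch(sig_t):
        raise ValueError("sigT is not in YYYY-MM-DDTHH:MM:SSZ form")
    # strptime raises ValueError for impossible dates (month 13, 30 February).
    parsed = datetime.strptime(sig_t, "%Y-%m-%dT%H:%M:%SZ")
    return int(parsed.replace(tzinfo=timezone.utc).timestamp())


def signing_time_acceptable(header, now, max_age=300, max_skew=60):
    """True if the claimed signing time is within [now - max_age, now + max_skew].

    max_age and max_skew (seconds) are hypothetical policy values.
    """
    try:
        signed_at = sigt_to_numeric_date(header.get("sigT"))
    except ValueError:
        return False
    return now - max_age <= signed_at <= now + max_skew


# Constructed inputs: the draft's example value, then variants that lenient
# date parsers often accept and that two implementations may treat differently.
CONSTRUCTED_SIGT = [
    "2019-11-19T17:28:15Z",
    "2019-11-19T17:28:15+00:00",
    "2019-11-19T17:28:15.000Z",
    "2019-11-19 17:28:15Z",
    "2019-11-19t17:28:15z",
    "2019-02-30T10:00:00Z",
]


def classify(values):
    """Map each candidate sigT to its NumericDate, or None if rejected."""
    results = {}
    for value in values:
        try:
            results[value] = sigt_to_numeric_date(value)
        except ValueError:
            results[value] = None
    return results
```
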