[Openid-specs-fapi] FAPI meeting request - Mobile app access (Ralph Bragg)

Anders Rundgren anders.rundgren.net at gmail.com
Sat Jul 25 06:27:58 UTC 2020


On 2020-07-24 20:47, Ralph Bragg via Openid-specs-fapi wrote:
> Couldn’t agree more. Likewise I don’t believe there is a technical reason why FAPI, particularly when leveraging self-signed certs for token binding, can’t be used by a mobile OAuth client to obtain access to information from banks directly.

Well, the number of on-line banking applications out there that use MTLS is probably pretty close to zero.

Authenticating/securing a for the Bank potentially unknown TPP handling sensitive data and actions for a gazillion users is not in any way comparable to authenticating/securing the Bank's own clients using secure keys deployed by the Bank itself and building on a by the Bank trusted application.

Regarding PSD2/CMA: none of the Open Banking APIs specify anything regarding the Merchant interface which makes the Merchants' situation quite difficult.  The competition including Apple Pay doesn't have this problem.

However, this and *the pitiful UI offered by systems based on OBIE/FAPI specifications* [1] will potentially be "corrected" by the Berlin Group's Embedded SCA for EMV.

I leave it there unless somebody is daring enough to accept my invite :)
The motives are extremely simple: make Open Banking APIs useful for all consumer payments.

As an "exercise" I urge you (all) to consider how mobile P2P payments like "Swish" would work in an OBIE/FAPI or NextGenPSD2 setting.  It may be an eye-opener.

Regards,
Anders

[1] https://www.linkedin.com/posts/andersrundgren_although-it-would-be-cool-if-apple-pay-supported-activity-6623931366759251968-bhuk/



> 
> *From: *Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on behalf of Francis Pouatcha via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>
> *Reply to: *Financial API Working Group List <openid-specs-fapi at lists.openid.net>
> *Date: *Friday, 24 July 2020 at 19:44
> *To: *Openid-specs Fapi <openid-specs-fapi at lists.openid.net>
> *Cc: *Francis Pouatcha <fpo at adorsys.de>
> *Subject: *Re: [Openid-specs-fapi] FAPI meeting request - Mobile app access (Ralph Bragg)
> 
> Hello Anders, Nat, Ralph,
> 
> There are a lot of reasons why the PSD2 directive mandates qualified certificates (QWAC, QSeal) for access to open API. None of these reasons is technical. The PSD2 legal framework sets up liability models between TPPs and Banks by law.
> 
> Open Banking Legal Contract:
> 
> This PSD2 legal framework obliges a bank to accept a request sent by a TPP, without prior establishment of any sort of contract between these two parties.
> 
> Secure Connectivity:
> 
> As we know banks are not experienced with operating public APIs. Mandating a bank to accept requests from unknown sources is exposing the bank to risk of foreign sources. The best technical way of closing those public APIs from unwanted request sources is to introduce mutual TLS with a limited class of client certificates. This is what QWAC is designed for.
> 
> Liability Management and Non Repudiation:
> 
> In case an initiated payment ends up being qualified as fraudulent:
> 
> - Some entities will have to bear the damage. This is not the PSU but either the TPP or the Banks. For this TPP needs some sort of liability insurance. The same thing legislators require from car holders (In public road & infrastructure sharing contracts).
> 
> - For a bank to make sure the payment initiation request came from the TPP, Bank needs some sort of non repudiable proof that the request came from that TPP. This is what the QSeal is designed for.
> 
> Certification of TPPs
> 
> The purpose of regulating TPPs is to make sure they do their homework in the open banking legal contract. It is proof the TPP has his liability insurance, has done his GDPR homework, has verified the merchant on whose behalf he is initiating payment. If a bank receives a payment request from a merchant/tpp, how does the bank know that this merchant is not a scam? As the bank is required not to have any prior relationship with the merchant/tpp, the bank has a way of checking that due diligence has been taken care of by the regulator.
> 
> Criticizing PSD2 for not exposing banking APIs to mobile phones is sort of naïve.
> 
> Best regards,
> 
> /Francis
> 
> 
>     Message: 1
>     Date: Fri, 24 Jul 2020 08:04:19 +0200
>     From: Anders Rundgren <anders.rundgren.net at gmail.com>
>     To: Financial API Working Group List
>              <Openid-specs-fapi at lists.openid.net>
>     Cc: Dave Tonge <dave.tonge at momentumft.co.uk>, Nat Sakimura
>              <nat at sakimura.org>
>     Subject: [Openid-specs-fapi] FAPI meeting request - Mobile app access
>     Message-ID: <336dee65-3e88-f094-77b3-a783527e51c6 at gmail.com>
>     Content-Type: text/plain; charset=utf-8; format=flowed
> 
>     Hi FAPIers,
> 
>     Currently FAPI methods are only accessible by TPPs.
> 
>     This may be "by design" but it also makes the API less universal and forces banks to create competing APIs.
> 
>     As an example some mobile wallets provide real-time account balances.  This obviously requires a direct call to the associated bank.
> 
>     Could we have a meeting on this topic?
> 
>     Sincerely,
>     Anders Rundgren
> 
> 
>     ------------------------------
> 
>     Message: 2
>     Date: Fri, 24 Jul 2020 15:20:31 +0900
>     From: Nat Sakimura <nat at sakimura.org>
>     To: Financial API Working Group List
>              <Openid-specs-fapi at lists.openid.net>, Anders Rundgren
>              <anders.rundgren.net at gmail.com>
>     Subject: Re: [Openid-specs-fapi] FAPI meeting request - Mobile app
>              access
>     Message-ID: <d7423ae5-4bb2-4068-afa0-0d0ec424bf59 at Spark>
>     Content-Type: text/plain; charset="utf-8"
> 
>     Hi.
> 
>     Certainly we can take it up as an agenda item but I would like to understand what you mean by FAPI methods. Could you please elaborate on it?
> 
>     Nat Sakimura
>     Chairman, OpenID Foundation
>     https://nat.sakimura.org
> 
>     ------------------------------
> 
>     Message: 3
>     Date: Fri, 24 Jul 2020 06:30:25 +0000
>     From: Stuart Low <stuart at biza.io>
>     To: Financial API Working Group List
>              <Openid-specs-fapi at lists.openid.net>
>     Cc: Anders Rundgren <anders.rundgren.net at gmail.com>, Nat Sakimura
>              <nat at sakimura.org>
>     Subject: Re: [Openid-specs-fapi] FAPI meeting request - Mobile app
>              access
>     Message-ID:
>              <SG2PR04MB2998548590900E00D0C1106BA7770 at SG2PR04MB2998.apcprd04.prod.outlook.com>
> 
>     Content-Type: text/plain; charset="utf-8"
> 
>     Hi Anders,
> 
>     I'm confused. FAPI is a profile on a number of specs and can be implemented by any party without constraint courtesy of the OIDF IPR.
> 
>     What an individual ecosystem chooses to enforce as far as membership requirements is up to them but this doesn't seem like part of the FAPI remit? Case in point is that the FAPI spec does not currently provide specific guidance on admission control.
> 
>     Stuart
> 
> 
>     ------------------------------
> 
>     Message: 4
>     Date: Fri, 24 Jul 2020 06:37:37 +0000
>     From: Ralph Bragg <ralph.bragg at raidiam.com>
>     To: Financial API Working Group List
>              <openid-specs-fapi at lists.openid.net>, Anders Rundgren
>              <anders.rundgren.net at gmail.com>
>     Cc: Nat Sakimura <nat at sakimura.org>
>     Subject: Re: [Openid-specs-fapi] FAPI meeting request - Mobile app
>              access
>     Message-ID:
>              <LNXP265MB0809FDF99C26121A73039FB2F6770 at LNXP265MB0809.GBRP265.PROD.OUTLOOK.COM>
> 
>     Content-Type: text/plain; charset="iso-2022-jp"
> 
>     Hi Anders,
> 
>     Further to Nat's questions, there is nothing stopping a confidential client being run on a mobile device. Indeed this is how a lot of Banks' Mobile applications are written. With a confidential client on a mobile device there is nothing stopping the app from interacting with a provider's APIs using the FAPI Security profiles.
> 
>     Joseph calls this out explicitly in implementation guidance section however there are significant challenges for implementation of this model under PSD2. The use of qualified certificates for 'identification' makes this almost impossible for a TPP to do safely or at least in a way that would be appropriate from a risk point of view however, if a TPP wanted to do this they could.
> 
>     Be interested to know where the specs technically don't work for confidential clients on a mobile.
> 
>     RB
> 
> 
> 
> -- 
> 
> Francis Pouatcha
> 
> Co-Founder and Technical Lead
> 
> adorsys GmbH & Co. KG
> 
> https://adorsys-platform.de/solutions/
> 
> 
> 


