[Openid-specs-fapi] Responding to OBE JWS Profile version 0.10b
fpo at adorsys.de
Thu Oct 1 02:45:56 UTC 2020
Hello Dave, here is my feedback:
Sections 3 and 4 are written as a summary of extracts of RFC7515 and
RFC7797. This can be confusing when text is not transferred untampered. Both
sections summarize into the following requirements:
-> compact serialization
-> unencoded payload
-> detached payload
Section 5.3.2 deals with key management, representation and validation.
This is too tightly tied to PSD2/eIDAS legislation. OBE is correct as the document
is written for the PSD2 legislation area, but it makes the document
unusable for other markets.
RECOMMENDATION-24 is confusing.
As for the canonicalization of the content to be signed (headers, body),
I understand why OBE relies on draft-cavage-http-signatures-10 and RFC3230
as they will otherwise have to reinvent the wheel.
- Suggest the draft of a legislation independent specification on how to
sign FAPI messages. This spec shall be abstracted from Key and Certificate
specifics so as to allow each legislation to derive a profile fitting into
its trust framework (e.g. OBE/ETSI JAdES for PSD2).
- This specification could be hosted by FAPI, based on the current OBE
draft and driven by OBE and current FAPI members.
On Wed, Sep 30, 2020 at 11:41 AM Dave Tonge via Openid-specs-fapi <
openid-specs-fapi at lists.openid.net> wrote:
> Dear WG
> We discussed on the call today that it may be a good idea to prepare a
> response to Open Banking Europe based on their soon to be published JWS
> It would be good to get some feedback from WG members.
> Discussion so far has been around:
> - base64 encoding
> - recommending that sensitive data is put in request body rather than
> - the reliance on draft-cavage for info on how to prepare the signing
> It would be good to get some further feedback so that we can agree on a
> Please can members who have an interest in this area, review the attached
> and reply to this email.
> Dave Tonge
> FAPI WG Co-Chair
adorsys GmbH & Co. KG
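The three requirements the feedback above distils from sections 3 and 4 (compact serialization, unencoded payload per RFC7797, detached payload per RFC7515 Appendix F) are easiest to see in code. The following is an added example, not part of this thread or of the OBE draft. It uses HS256 with a constructed shared key purely so it runs with the Python standard library; a real profile such as OBE's would use an asymmetric algorithm with certificate-bound keys, which is exactly the part the feedback suggests separating from the message-signing spec. The payload and key are constructed sample values.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE uses it (RFC 7515 Appendix C)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Inverse of b64url; re-adds the padding Python's decoder expects."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_detached_unencoded(payload: bytes, key: bytes) -> str:
    """Compact JWS with b64=false (RFC 7797) and a detached payload (RFC 7515 App. F).

    HS256 is an assumption made to keep this example stdlib-only.
    """
    # RFC 7797 section 6: when b64 is false it MUST be listed in "crit" so that
    # verifiers that do not understand unencoded payloads reject the token.
    header = {"alg": "HS256", "b64": False, "crit": ["b64"]}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    # RFC 7797 section 3: the signing input is
    #   ASCII(BASE64URL(protected header)) || '.' || payload
    # i.e. the raw payload bytes, NOT their base64url encoding.
    signing_input = protected.encode("ascii") + b"." + payload
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Detached payload: the middle segment is empty; the body travels separately
    # (for HTTP message signing, in the request/response body itself).
    return f"{protected}..{b64url(sig)}"


def verify_detached_unencoded(jws: str, payload: bytes, key: bytes) -> bool:
    """Re-attach the body received out of band and check the signature."""
    parts = jws.split(".")
    if len(parts) != 3 or parts[1] != "":
        return False  # not compact serialization, or payload was not detached
    protected, _, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(protected))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False
    # Pin the algorithm: never let the header choose it for you.
    if header.get("alg") != "HS256":
        return False
    # Require exactly the unencoded-payload profile: b64=false, declared in crit,
    # and no crit extension we do not understand (RFC 7515 section 4.1.11).
    crit = header.get("crit", [])
    if header.get("b64") is not False or crit != ["b64"]:
        return False
    signing_input = protected.encode("ascii") + b"." + payload
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


# Constructed sample values for a stand-alone run.
SAMPLE_KEY = b"constructed-demo-key-not-for-real-use"
SAMPLE_BODY = b'{"amount":"10.00","currency":"EUR"}'

if __name__ == "__main__":
    token = sign_detached_unencoded(SAMPLE_BODY, SAMPLE_KEY)
    print(token)
    print("valid:", verify_detached_unencoded(token, SAMPLE_BODY, SAMPLE_KEY))
    print("tampered body accepted:",
          verify_detached_unencoded(token, b'{"amount":"99.00","currency":"EUR"}', SAMPLE_KEY))
```

Because the body bytes enter the signing input directly, any canonicalization step (whitespace, key ordering, character encoding) between signer and verifier changes the signature; that is the reason the feedback notes OBE's reliance on draft-cavage-http-signatures and RFC3230 rather than reinventing the rules for what exactly gets signed.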