[Openid-specs-fapi] External : FW: OBE JWS Profile - Version 0.10b for Approval

Ralph Bragg ralph.bragg at raidiam.com
Thu Sep 17 09:01:39 UTC 2020


+ More Information and Background.

Hi Freddi,

This was raised with OBE, it will be interesting to watch the feedback from the other standards bodies.

Something to note: whilst all standards bodies have “committed” to aligning to this spec in Europe, there are no agreed timescales to do so. So, with the b64 flag requirement, like we did in the U.K., the specification may be used as a driver to get the community to address the JWS library implementations’ handling of the b64 flag.

The kid header and the requirement to make others mandatory was noted; however, as this profile is meant to be used with eIDAS certs and has a goal of a deterministic universal key identifier without requiring reference to additional specs or key stores, the group felt that the x5t headers should be the mandatory values. Regarding the impact to the OBIE, this isn’t actually a massive change for the OBIE itself as we include kid, x5t and x5t256 in the directory hosted keysets already.

What the OBIE ecosystem will need to consider, however, is that the trust framework supports key material that is NOT certificate based, i.e. key pairs uploaded to the directory for signing and encryption. These obviously will not have these certificate header values available, and so this specification can’t be used with those key types and remain compliant, as it won’t include an x5t. Again, it’s not a huge issue if Banks are supporting key identifier lookup using more than one potential property in a JWK header. This requirement was flagged to the OBIE TDA when the presentation of the last draft was tabled – hopefully the Banks have assessed this requirement by now.

One area that’s already been raised briefly during FAPI WG discussions is where OIDF / OpenID Connect Core see the intersection of this and other JSON signing specifications with the structures already defined for id_tokens, Authorization Request objects and the like.

It’s less of an issue if we bound the discussion to “resource request signing” only, but we will have two different signing standards in play, one for the OP and one for the RSs; it might be something that the Core WG might want to consider.

Ralph Bragg
Raidiam Services Ltd
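Added illustration, not from this thread or the OBE profile: the RFC 7797 b64=false signing input beside the default one (the library-handling point above), plus a key lookup that accepts x5t#S256, x5t or kid rather than kid alone. It assumes a constructed symmetric (oct) key and HS256 purely so it runs without a certificate; the profile itself targets eIDAS certificate keys, and the thumbprint values are placeholders.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def signing_input(enc_header: str, header: dict, payload: bytes) -> bytes:
    # RFC 7515 signing input; with RFC 7797 b64=false the raw payload octets are signed
    # and "b64" must be listed in "crit". A library that ignores b64 signs different bytes.
    if header.get("b64", True) is False:
        if "b64" not in header.get("crit", []):
            raise ValueError("b64=false requires 'b64' in the crit header")
        return enc_header.encode("ascii") + b"." + payload
    return enc_header.encode("ascii") + b"." + b64url(payload).encode("ascii")

def find_key(header: dict, jwks: list) -> dict:
    # Accept any identifier the header carries (x5t#S256, x5t or kid), not kid alone.
    for prop in ("x5t#S256", "x5t", "kid"):
        if prop in header:
            for jwk in jwks:
                if jwk.get(prop) == header[prop]:
                    return jwk
    raise KeyError("no JWK matches the header's kid / x5t / x5t#S256")

def sign_detached(header: dict, payload: bytes, jwk: dict) -> str:
    enc = b64url(json.dumps(header, separators=(",", ":")).encode())
    mac = hmac.new(b64url_decode(jwk["k"]), signing_input(enc, header, payload), hashlib.sha256)
    return f"{enc}..{b64url(mac.digest())}"  # empty middle segment: detached payload

def verify_detached(jws: str, payload: bytes, jwks: list) -> bool:
    enc, enc_payload, enc_sig = jws.split(".")
    if enc_payload:
        raise ValueError("expected a detached (empty) payload segment")
    header = json.loads(b64url_decode(enc))
    if header.get("alg") != "HS256":  # pin the algorithm rather than trusting the header
        raise ValueError("unexpected alg")
    key = b64url_decode(find_key(header, jwks)["k"])
    mac = hmac.new(key, signing_input(enc, header, payload), hashlib.sha256).digest()
    return hmac.compare_digest(mac, b64url_decode(enc_sig))

# Constructed sample keyset carrying kid, x5t and x5t#S256 together (thumbprints are placeholders).
JWKS = [{"kty": "oct", "kid": "key-1", "x5t": "SHA1-THUMB-PLACEHOLDER",
         "x5t#S256": "SHA256-THUMB-PLACEHOLDER", "k": b64url(b"constructed-demo-secret")}]
PAYLOAD = b'{"amount":"10.00"}'
```

A verifier that silently ignores b64=false would rebuild the default signing input and reject every signature made under the profile, which is the interop failure the thread is about.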


From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on behalf of Ralph Bragg via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>
Reply to: FAPI Working Group List <openid-specs-fapi at lists.openid.net>
Date: Thursday, 17 September 2020 at 09:41
To: Freddi Gyara <Freddi.Gyara at openbanking.org.uk>, FAPI Working Group List <openid-specs-fapi at lists.openid.net>, Chris Michael <Chris.Michael at openbanking.org.uk>
Cc: Ralph Bragg <ralph.bragg at raidiam.com>
Subject: Re: [Openid-specs-fapi] External : FW: OBE JWS Profile - Version 0.10b for Approval

Hi Freddi,

This was raised with OBE, it will be interesting to watch the feedback from the other standards bodies.

Something to note: whilst all standards bodies have “committed” to aligning to this spec in Europe there are no agreed timescales to do so. So, with the b64 flag requirement, like we did in the U.K., the specification may be used as a driver to address the library implementations’ handling of the b64 flag.

The kid flag and requirement was noted; however, as this profile is meant to be used with eIDAS certs, where one of the goals was deterministic universal key identifiers without requiring reference to additional specs that define other header key identifier values, the group felt that these headers should be the mandatory values.

One area that’s already been raised in discussion, and should be again, is where OIDF / OpenID Connect Core see the intersection of this and other JSON signing specifications with the structures already defined for id_tokens, Authorization Request objects and the like.

It’s less of an issue if we bound the discussion to “resource request signing” only, but it’s an interesting question as we will have two signing standards in play: OP and RSs. Is this something that we will always want to have going forward?

Ralph Bragg
Raidiam Services Ltd

Sent from a mobile device. Please excuse brevity and typos.
________________________________
From: Freddi Gyara <Freddi.Gyara at openbanking.org.uk>
Sent: Thursday, September 17, 2020 9:33:05 AM
To: FAPI Working Group List <openid-specs-fapi at lists.openid.net>; Chris Michael <Chris.Michael at openbanking.org.uk>; Ralph Bragg <ralph.bragg at raidiam.com>
Subject: RE: External : [Openid-specs-fapi] FW: OBE JWS Profile - Version 0.10b for Approval

I want to raise a concern about “REQUIREMENT-2: The JWS header shall include b64 header parameter, as defined in RFC 7797 [3], set to false."

This is a breaking change from the signatures at Open Banking (which explicitly do not use this, as we found library support and interop issues ensued as a result).

It would be good to understand the rationale for requiring this flag. If this was included to be aligned with OBIE, the situation on the ground has now actually changed.

Requirements in 5.3.2 are also a breaking change for OBIE (we rely on using `kid` alone to identify the signing key).

From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> On Behalf Of Ralph Bragg via Openid-specs-fapi
Sent: 16 September 2020 17:43
To: openid-specs-fapi at lists.openid.net
Cc: Ralph Bragg (raidiam) <ralph.bragg at raidiam.com>
Subject: External : [Openid-specs-fapi] FW: OBE JWS Profile - Version 0.10b for Approval

FYI – speak now or forever hold your peace.

Kind Regards,

Ralph

From: Joao Daniel Parracho <j.parracho at openbankingeurope.eu>
Date: Wednesday, 16 September 2020 at 17:27
Cc: Nick Pope <nick.pope at openbankingeurope.eu>, "John Broxis (j.broxis at preta.eu)" <j.broxis at preta.eu>
Subject: OBE JWS Profile - Version 0.10b for Approval

Dear Colleagues,

OBE is pleased to distribute the OBE JWS Profile version 0.10b for your approval. This has minor changes from the version 0.0.9 distributed earlier this year, as listed in the document “Comments on OBE JWS profile v 0.9” and with specific revisions shown in document “PRETA-OBE-ID-000-010b-OBE JWS- proposed final draft for approval-with revs”.

It is proposed to finalise this approval at a meeting of API and ETSI signature format experts on 22nd October at 15:00 CEST. Can you let us know if you approve or have any remaining concerns with this document at least 1 week before this meeting date? Also, if you wish to attend the meeting on 22nd October and are unable to make this date, please let us know as soon as possible.

Kind regards,

João

João Parracho

Communications & Engagement Consultant | Open Banking Europe

j.parracho at openbankingeurope.eu

40 rue de Courcelles | F-75008 Paris, France

https://www.openbankingeurope.eu/
Open Banking Europe is owned by PRETA S.A.S. a wholly-owned subsidiary of ABE/EBA CLEARING S.A.S.

PRETA S.A.S. is registered with RCS PARIS under no. 798 483 053 | VAT no. FR 27 798 483 053

This message and any attachments (the "message") are confidential and intended solely for the addressees. Any unauthorized use or dissemination is prohibited. E-mails are susceptible to alteration. PRETA shall not be liable for the message if altered, changed or falsified.

This message is confidential; its content does not in any way constitute a commitment on the part of PRETA, subject to any agreement concluded in writing between you and PRETA. Any publication, use or distribution, even partial, must be authorised in advance.

If you are not the intended recipient of this message, please notify the sender immediately.

Please consider the environment before printing this email

Please consider the environment before printing this email.

This email is from Open Banking Limited, Company Number 10440081. Our registered and postal address is 2 Thomas More Square, London, E1W 1YN. Any views or opinions are solely those of the author and do not necessarily represent those of Open Banking Limited.

This email and any attachments are confidential and are intended for the above named only. They may also be legally privileged or covered by other legal rights and rules. Unauthorised dissemination or copying of this email and any attachments, and any use or disclosure of them, is strictly prohibited and may be illegal. If you have received them in error, please delete them and all copies from your system and notify the sender immediately by return email. You can also view our privacy policy (https://www.openbanking.org.uk/privacy-policy).