[Openid-specs-fapi] External : Dependencies on the OBE Registry

Francis Pouatcha fpo at adorsys.de
Sun Sep 27 01:45:35 UTC 2020


CT Logs are the way to go! But as you know, NCA are always a couple of
years behind.

On Thu, Sep 24, 2020 at 5:21 AM Anders Rundgren via Openid-specs-fapi <
openid-specs-fapi at lists.openid.net> wrote:

> On 2020-09-24 10:56, Freddi Gyara wrote:
> Thanx Freddy!
>
> Let me briefly comment on your response.
>
> First off, I'm not suggesting this as the next immediate step.
>
>
> > Unfortunately, NCAs do not have the technical or process capability of
> maintaining a PKI and a proper electronic register.
>
> This could eventually be provided as an "appliance" (or even as a cloud
> service), needing very moderate competence to run as well as integrate with
> the rest of the accreditation process.
>
> >
> > MTLS is convenient to implement - there is significant expertise in the
> industry, lots of vendor support - both through HSMs and hardware edge
> devices.
>
> The technical part is fairly simple but not the way you manage it.  In
> this case things become quite complicated because an NCA effectively
> becomes an "RA" but without belonging to the issuers trust network.  This
> is the scalability issue behind this suggestion.  Most of the eIDAS issuers
> will probably go bust because dedicated trust networks work just fine.
>
> If you have a link to the current NCA-TPP-eIDAS certification process, I
> would very much appreciate it.
>
>
> > A similar level of understanding, vendor support, tooling and expertise
> just does not exist around signature based solutions.
>
> I see.
>
> >
> > I agree with you, that non-MTLS, signature based systems are the
> direction that we should be travelling in.
>
> Good!
>
> Regards,
> Anders
>
>
> >
> > -----Original Message-----
> > From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> On
> Behalf Of Anders Rundgren via Openid-specs-fapi
> > Sent: 24 September 2020 07:38
> > To: FAPI Working Group List <openid-specs-fapi at lists.openid.net>
> > Cc: Anders Rundgren <anders.rundgren.net at gmail.com>
> > Subject: External : [Openid-specs-fapi] Dependencies on the OBE Registry
> >
> > Having a central registry with TPPs seem natural until you are faced
> with the scaling issues.
> >
> > There is presumably a limited set of National Competent Authorities
> (NCAs) which could be a logical foundation for a distributed registry.
> >
> > To make this work each TPP request would contain a URL to an "Authority
> Record" hosted by its NCA.
> >
> > Authority Records would preferably be signed by the NCAs and be updated
> on a periodic basis to cope with changes including blocking misbehaving
> TPPs.
> >
> > In the long-run this could also eliminate the need for separately
> purchasing and managing eIDAS certificates; this would rather be an
> integral part of the NCA accreditation process.  A TPP certificate issued
> by an NCA would only be useful for Open Banking.
> >
> > Saturn uses this scheme but only publishes "certified signature (public)
> keys" in Authority Records since payments do not benefit from MTLS.
> Personally, I would consider shelving MTLS for the entire Open Banking
> system.  FIDO shows that MTLS is not necessarily a necessity :)
> >
> > thanx,
> > Anders
> >
> > _______________________________________________
> > Openid-specs-fapi mailing list
> > Openid-specs-fapi at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-specs-fapi
> >
> >
> > Please consider the environment before printing this email.
> >
> > This email is from Open Banking Limited, Company Number 10440081. Our
> registered and postal address is 2 Thomas More Square, London, E1W 1YN. Any
> views or opinions are solely those of the author and do not necessarily
> represent those of Open Banking Limited.
> >
> > This email and any attachments are confidential and are intended for the
> above named only. They may also be legally privileged or covered by other
> legal rights and rules. Unauthorised dissemination or copying of this email
> and any attachments, and any use or disclosure of them, is strictly
> prohibited and may be illegal. If you have received them in error, please
> delete them and all copies from your system and notify the sender
> immediately by return email. You can also view our privacy policy (
> https://www.openbanking.org.uk/privacy-policy).
> >
>
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
>


-- 
Francis Pouatcha
Co-Founder and Technical Lead
adorsys GmbH & Co. KG
https://adorsys-platform.de/solutions/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20200926/dd18f87a/attachment.html>


More information about the Openid-specs-fapi mailing list