<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none"><!-- p { margin-top: 0px; margin-bottom: 0px; }--></style>
</head>
<body dir="ltr" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>Brian et al,<br>
</p>
<p><br>
</p>
<p>Confluence access is open to all if you'd like to pass the comments on directly; however, I'll also make sure any comments are seen by the right people and fed in.<br>
</p>
<p><br>
</p>
<p>RB<br>
</p>
<div style="color: rgb(33, 33, 33);">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Brian Campbell &lt;bcampbell@pingidentity.com&gt;<br>
<b>Sent:</b> 10 July 2017 13:50<br>
<b>To:</b> FAPI-Openid-specs<br>
<b>Cc:</b> Ralph Bragg<br>
<b>Subject:</b> Fwd: [Openid-specs-fapi] Fwd: OPEN BANKING LAUNCHES ACCOUNT INFORMATION & PAYMENT INITIATION API SPECIFICATIONS</font>
<div> </div>
</div>
<div>
<div dir="ltr"><br>
<div>
<div>I'm sure this isn't the right forum for feedback but I suspect there are <span style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; float:none; display:inline">
Open Banking folks on the FAPI list. And, after a quickish read through <a href="https://www.openbanking.org.uk/read-write-apis/account-transaction-api/v1-0-0/" target="_blank">
https://www.openbanking.org.uk<wbr>/read-write-apis/account-trans<wbr>action-api/v1-0-0/</a> and
<a href="https://www.openbanking.org.uk/read-write-apis/payment-initiation-api/v1-0-0/" target="_blank">
https://www.openbanking.org.<wbr>uk/read-write-apis/payment-<wbr>initiation-api/v1-0-0/</a> I feel compelled to give some feedback - at least in the small area that I know something about.
<br>
<br>
</span></div>
<span style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; float:none; display:inline">The example content and
code in the black boxes around JWS is rather problematic. This isn't an exhaustive list but encoding seems wrong (base64 vs. base64url) and/or incorrectly applied (shouldn't be encoding the HTTP body with the
</span><span style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; float:none; display:inline"><span style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; float:none; display:inline">RFC
7797</span> b64 header set to false) and encryption/decryption is mentioned in the computing/verifying signature parts - which I guess might be right for some RSA schemes but there's more to it than that and it certainly isn't generally applicable with JWS
</span><span style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; float:none; display:inline"><span style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; float:none; display:inline">/
RFC 7515</span>. There's an empty alg value in a sample JOSE header and the x-jws-signature headers aren't valid at all (so much so it's probably intentional).
<br>
<br>
</span></div>
<span style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; float:none; display:inline">Sorry for the random
critique email spam. But I'm hopeful maybe it'll be seen by someone that will be able to do something useful with it.</span><br>
<br>
<br>
<div class="gmail_quote">---------- Forwarded message ----------<br>
From: <b class="gmail_sendername">Joseph Heenan via Openid-specs-fapi</b> <span dir="ltr">
&lt;<a href="mailto:openid-specs-fapi@lists.openid.net" target="_blank">openid-specs-fapi@lists.openi<wbr>d.net</a>&gt;</span><br>
Date: Wed, Jul 5, 2017 at 8:43 AM<br>
Subject: [Openid-specs-fapi] Fwd: OPEN BANKING LAUNCHES ACCOUNT INFORMATION & PAYMENT INITIATION API SPECIFICATIONS<br>
To: Financial API Working Group List &lt;<a href="mailto:openid-specs-fapi@lists.openid.net" target="_blank">openid-specs-fapi@lists.openi<wbr>d.net</a>&gt;<br>
<br>
<br>
<div>
<div>Hi all,</div>
<div><br>
</div>
As below, the UK OpenBanking IE have now published (some of) their specs, which may be of interest to others here.
<div><br>
</div>
<div>Direct link is: <a href="https://www.openbanking.org.uk/read-write-apis/" target="_blank">https://www.openbanking.or<wbr>g.uk/read-write-apis/</a></div>
<div><br>
</div>
<div><br>
</div>
<div>Joseph</div>
<div><br>
<div><br>
<blockquote type="cite">
<div>Begin forwarded message:</div>
<br class="m_817157755369881818gmail-m_7733774388699298235gmail-m_214435451082980136Apple-interchange-newline">
<div style="margin:0px"><span style="color:rgb(0,0,0)"><b>From: </b></span><span style="">Open Banking – Secretariat Challenger Banks Stakeholder Group &lt;<a href="mailto:SecretariatChallengerBanksStakeholderGroup@openbanking.org.uk" target="_blank">SecretariatChallengerBanksSta<wbr>keholderGroup@openbanking.org.<wbr>uk</a>&gt;<br>
</span></div>
<div style="margin:0px"><span style="color:rgb(0,0,0)"><b>Subject: </b></span><span style=""><b>OPEN BANKING LAUNCHES ACCOUNT INFORMATION & PAYMENT INITIATION API SPECIFICATIONS</b><br>
</span></div>
<div style="margin:0px"><span style="color:rgb(0,0,0)"><b>Date: </b></span><span style="">5 July 2017 at 11:49:12 BST</span></div>
<br>
<div>
<div class="m_817157755369881818gmail-m_7733774388699298235gmail-m_214435451082980136WordSection1" style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px">
<div style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
Dear Members<u></u><u></u></div>
<div style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<b><u></u> <u></u></b></div>
<div style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<b>The Next Step in the Transformation and Opening Up of the UK Banking Industry<u></u><u></u></b></div>
<div style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<u></u> <u></u></div>
<div style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
We are pleased to announce that we have released Account Information and Payment Initiation API specifications today on<span class="m_817157755369881818gmail-m_7733774388699298235gmail-m_214435451082980136Apple-converted-space"> </span><a href="http://www.openbanking.org.uk/" target="_blank" style="color:purple; text-decoration:underline">www.openbanking.org.uk</a><u></u><u></u></div>
<div style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<u></u> <u></u></div>
<div style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
As our Trustee, Imran Gulamhuseinwala<span style="color:rgb(31,73,125)">,</span><span class="m_817157755369881818gmail-m_7733774388699298235gmail-m_214435451082980136Apple-converted-space"> </span>states in the announcement, the specifications we are releasing
today, which will be live from January next year, provide the platform for developers from banks, fintechs and other organisations to build new web and mobile applications that will deliver a safer, more personalised and easier banking experience for consumers
wishing to search, select and switch financial products in a secure environment.<u></u><u></u></div>
<div style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<u></u> <u></u></div>
<div style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
A copy of our announcement can be read in the attached document.<u></u><u></u></div>
<div style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<u></u> <u></u></div>
<div style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<b><u></u> <u></u></b></div>
<div style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<b>The Open Banking Team<u></u><u></u></b></div>
<div style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<span style="color:rgb(31,73,125)"><u></u> <u></u></span></div>
<div>
<div style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<b><span style="color:rgb(31,73,125)">W</span></b><span style="color:rgb(31,73,125)">: <a href="http://www.openbanking.org.uk/" target="_blank" style="color:purple; text-decoration:underline"><span style="color:blue">www.openbanking.org.uk</span></a>. <u></u><u></u></span></div>
<div style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<b><span style="color:rgb(31,73,125)">A:</span></b><span style="color:rgb(31,73,125)"> 2 Thomas More Square, London, E1W 1YN<u></u><u></u></span></div>
<div style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<span style="color:rgb(31,73,125)"><u></u> <u></u></span></div>
<div style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<span style="color:rgb(31,73,125)"></span></div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
<br>
<div>
<div>
<div class="m_817157755369881818gmail-m_7733774388699298235gmail-m_-595404421873566115AppleOriginalContents">
<blockquote type="cite">
<div>
<div class="m_817157755369881818gmail-m_7733774388699298235gmail-m_-595404421873566115WordSection1" style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px">
<div>
<div style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<span style="color:rgb(31,73,125)"><u></u><u></u></span></div>
</div>
<div style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<span style="color:rgb(31,73,125)"><u></u> <u></u></span></div>
<div style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<u></u> <u></u></div>
</div>
<br clear="all" style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px">
<span style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; float:none; display:inline">Please consider the environment
before printing this email.</span><br style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px">
<br style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px">
<span style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; float:none; display:inline">This email is from Open
Banking Limited. Our postal address is 2 Thomas More Square, London, E1W 1YN. Any views or opinions are solely those of the author and do not necessarily represent those of Open Banking.<span class="m_817157755369881818gmail-m_7733774388699298235gmail-m_-595404421873566115Apple-converted-space"> </span></span><br style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px">
<br style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px">
<span style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; float:none; display:inline">This email and any attachments
are confidential and are intended for the above named only. They may also be legally privileged or covered by other legal rights and rules. Unauthorised dissemination or copying of this email and any attachments, and any use or disclosure of them, is strictly
prohibited and may be illegal. If you have received them in error, please delete them and all copies from your system and notify the sender immediately by return email.</span><br style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px">
</div>
</blockquote>
</div>
</div>
</div>
<br>
<br>
______________________________<wbr>_________________<br>
Openid-specs-fapi mailing list<br>
<a href="mailto:Openid-specs-fapi@lists.openid.net" target="_blank">Openid-specs-fapi@lists.openid<wbr>.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi" rel="noreferrer" target="_blank">http://lists.openid.net/mailma<wbr>n/listinfo/openid-specs-fapi</a><br>
<br>
</div>
<br>
</div>
<br>
<i style="margin:0px; padding:0px; border:0px; outline:0px; vertical-align:baseline; background:rgb(255,255,255); color:rgb(85,85,85)"><span style="margin:0px; padding:0px; border:0px; outline:0px; vertical-align:baseline; background:transparent; font-weight:600"><font size="2">CONFIDENTIALITY
NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify
the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.</font></span></i></div>
</div>
<br clear="both">
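<p>An added example, not part of the original thread or of the Open Banking specification: a sketch of the detached JWS construction that Brian Campbell's message refers to, showing base64url (not base64) for the header and signature, and an RFC 7797 <code>b64: false</code> payload that goes into the signing input unencoded. HS256 is an assumption made only to keep the example standard-library Python; the function names, key and body are constructed for illustration.</p>

```python
import base64, hashlib, hmac, json, string

B64URL_ALPHABET = set(string.ascii_letters + string.digits + "-_")
KEY = b"constructed-demo-key"            # constructed sample key
BODY = b'{"Data":{"Amount":"20.00"}}'    # constructed sample HTTP body

def b64url(data):
    """base64url without padding (RFC 7515), not standard base64."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    # Strict: '+', '/', '=' and any other stray character are rejected.
    if not set(text).issubset(B64URL_ALPHABET):
        raise ValueError("not base64url")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def signing_input(protected, body):
    # RFC 7797 with b64=false: the payload bytes are used as-is, unencoded.
    return protected.encode("ascii") + b"." + body

def sign_detached(body, key):
    """Return 'protected..signature' for the x-jws-signature header."""
    header = {"alg": "HS256", "b64": False, "crit": ["b64"]}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    mac = hmac.new(key, signing_input(protected, body), hashlib.sha256)
    return protected + ".." + b64url(mac.digest())

def verify_detached(jws, body, key):
    parts = jws.split(".")
    if len(parts) != 3 or parts[1] != "":
        return False                      # must be detached: empty payload part
    try:
        header = json.loads(b64url_decode(parts[0]))
        sig = b64url_decode(parts[2])
    except ValueError:
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False                      # empty or unexpected alg is refused
    if header.get("b64") is not False or header.get("crit") != ["b64"]:
        return False                      # b64=false must be marked critical
    mac = hmac.new(key, signing_input(parts[0], body), hashlib.sha256)
    return hmac.compare_digest(sig, mac.digest())
```

<p>A verifier built this way rejects a signature that was padded or encoded with the standard base64 alphabet, a header with an empty <code>alg</code>, and a signature computed over a base64url-encoded body while the header says <code>b64: false</code>.</p>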
</body>
</html>