<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi Dave,<br>
you are certainly right that the cited clause (b) would not prevent the PISP from transmitting and storing the user's security credentials. But the EU is simultaneously struggling to have banks become eIDAS relying parties (and even joint co-IdPs) to easily and securely manage customers from all EU countries.<br>
<br>
This aspiration may be incompatible with a broad interpretation of clause (b):<br>
<br>
1. The bank may itself be required to redirect to the appropriate eIDAS IdP - or (as is currently the case in Denmark) use a special embedded flow secured by an IdP-provided browser extension that prevents the bank (RP) from accessing the credentials.<br>
<br>
2. According to the eIDAS LOA definitions (at least <a moz-do-not-send="true" href="https://digitaliser.dk/resource/3436586">the DK implementation</a>), IdPs must require users not to provide their credentials to any third parties. Otherwise the IdP status will be "Limited", which is a special LOA level below the three common EU LOA levels, which means that the IdP will be excluded from use in connection with almost all public services - and it definitely cannot claim to perform SCA for a bank.<br>
<br>
So it seems problematic to open for embedded pass-through flows without a careful evaluation of the implications for the use of eIDAS.</p>
<p>/Henrik<br>
</p>
<div class="moz-cite-prefix">On 12-10-2017 at 09:51, Dave Tonge via Openid-specs-fapi wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAP-T6TSTPjbbtQ9n70=-K9k5=eyL1_pNvn=T08n2YNX+KQjsSg@mail.gmail.com">
<div dir="ltr">
<div class="gmail_default" style="font-family:'trebuchet ms',sans-serif">
<p>Hi Nat</p>
<p>Sorry, slight confusion - this information is not from myself but from one of the members of the ERPB PIS group - but I still think this is positive movement as it provides a way for the industry to move beyond screen scraping.<br>
The conversations are not yet in the public domain, so I don't think I can provide any more details at this point.</p>
<p>The issue that concerns me is the line that is being taken about redirect based APIs.<br>
CIBA is good as it allows "decoupled" flows and doesn't count as redirection, BUT even with decoupled flows many are arguing for "pass-through" or "embedded" flows as well - where the banking credentials are entered into a third party site and then "passed through" to the bank via API.</p>
<p>Unfortunately, the text of PSD2 supports their argument:</p>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">The payment initiation service provider shall:<br>
(a) not hold at any time the payer’s funds in connection with the provision of the payment initiation service;<br>
(b) ensure that the personalised security credentials of the payment service user are not, with the exception of the user and the issuer of the personalised security credentials, accessible to other parties and that <b>they are transmitted by the payment initiation service provider through safe and efficient channels</b>;</blockquote>
<p>PSD2 Article 66.3</p>
<p>I think we can make an argument that any method that involves banking credentials being entered on a third party site will severely reduce the "Strong Customer Authentication" methods available for that bank to use.</p>
<p>Dave</p>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 11 October 2017 at 17:59, Nat
Sakimura via Openid-specs-fapi <span dir="ltr"><<a
href="mailto:openid-specs-fapi@lists.openid.net"
target="_blank" moz-do-not-send="true">openid-specs-fapi@lists.openid.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="font-family:Verdana,Geneva,sans-serif">
<p>Thanks, Dave.</p>
<p>So, are you saying that the ERPB (European) industry group on APIs which you are co-chairing will be vetting the APIs for compliance? That sounds very positive.</p>
<p>On the topic of no-redirections, would something like CIBA count as redirection? IMHO, it does not make sense from the security point of view to have the user put his bearer token aka password into the TPP apps. With CIBA, redirection is not involved but we can still avoid the above problem.</p>
<p>Best,</p>
<div>
<pre>---
Nat Sakimura
Research Fellow, Nomura Research Institute
Chairman of the Board, OpenID Foundation</pre>
</div>
<div>
<div class="h5">
<p>On 2017-10-11 23:21, Dave Tonge via
Openid-specs-fapi wrote:</p>
</div>
</div>
<blockquote type="cite"
style="padding-left:5px;border-left:#1010ff 2px
solid;margin-left:5px">
<div>
<div class="h5">
<div dir="ltr">
<div class="gmail_default"
style="font-family:'trebuchet ms',sans-serif">Dear
FAPI Working Group</div>
<div class="gmail_default"
style="font-family:'trebuchet ms',sans-serif"> </div>
<div class="gmail_default"
style="font-family:'trebuchet ms',sans-serif">As
discussed on the call, here is the latest
information we have on the RTS:</div>
<div class="gmail_default"
style="font-family:'trebuchet ms',sans-serif"> </div>
<div class="gmail_default"
style="font-family:'trebuchet ms',sans-serif">
<blockquote
style="font-family:arial,sans-serif;font-size:12.8px">
<div>
<p>1. RTS is in the final stages of approval by EC – expected early Nov (effective date likely to be Sept 2019). On screen scraping (known as the fall back option) the draft EC proposal is that PSP firms will be able to seek a regulatory exemption, to be granted by the competent authority, to avoid having to support screen scraping at all. To obtain an exception will require a vetting process based upon at least the following criteria:</p>
<p style="margin-left:72pt">a. The APIs are technically PSD2/RTS compliant</p>
<p style="margin-left:72pt">b. They are available 3 months ahead of implementation</p>
<p style="margin-left:72pt">c. They have been market tested</p>
<p style="margin-left:72pt">d. They adhere to specific performance criteria</p>
<p style="margin-left:36pt">The EC also proposes that the ERPB (European) industry group on APIs, that I established and which I co-chair, could, de facto, become the industry group to ‘vet’ APIs with support and active participation by EC (DG FISMA and DG COMP) and including the national competent authorities (like FCA). This is a very significant and incredibly positive development as the EC is effectively saying that they want to ‘bless’ industry to guide them, the regulators, to get this right.</p>
<p style="margin-left:36pt">Therefore, the OB PSD2 APIs would conceivably have to go through this vetting and approval process, which illustrates the importance of aligning our PSD2 roadmap assumptions based on the direction set at European level. This will help to avoid divergence between standards at the national level.</p>
<p>2. There have been some questions recently about the redirection model for PSU authorisation and whether it is PSD2 compliant. Directionally, the EC supports the view that “APIs must support all authentication procedures provided by the ASPSP to the PSU, but <span style="text-decoration:underline">must not require the TPP to have to use the redirect option</span>”. Strictly speaking, the EC is not banning redirection, but it does support the view that a TPP should not have to be forced to use it. Logically therefore, it cannot be the only option available. The EC also supports the view that the TPP must be “free from constraints to innovate the design of the user interface for the PSU’s consent and authorisation journey for both PIS and AIS”. Within the ERPB API group we agreed yesterday in Brussels to go into detail on this topic to define what is acceptable based on the three methods of redirect, pass-through and embedded. The objective is to set a ‘bar’ of acceptability to be blessed by the EC as one of the criteria by which to ‘vet’ API standards for conformity with PSD2/RTS.</p>
</div>
</blockquote>
</div>
<br clear="all">
<div> </div>
-- <br>
<div class="m_119826132494885966gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div
style="font-size:1em;font-weight:bold;line-height:1.4">
<div
style="color:#616161;font-family:'Open
Sans';font-size:14px;font-weight:normal;line-height:21px">
<div
style="font-family:Arial,Helvetica,sans-serif;font-size:0.925em;line-height:1.4;color:#dc291e;font-weight:bold">
<div
style="font-size:14px;font-weight:normal;color:#333333;font-family:lato,'open
sans',arial,sans-serif;line-height:normal">
<div
style="color:#00a4b7;font-weight:bold;font-size:1em;line-height:1.4">Dave
Tonge</div>
<div
style="font-size:0.8125em;line-height:1.4">CTO</div>
<div
style="font-size:0.8125em;line-height:1.4;margin:0px"><a
style="color:#835ea5;text-decoration:none"
href="http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A"
target="_blank"
moz-do-not-send="true"><img
style="border:none;padding:0px;border-radius:2px;margin:7px"
title="Moneyhub
Enterprise"
src="http://./program/resources/blocked.gif"
alt="Moneyhub
Enterprise"
moz-do-not-send="true"
height="50" width="200"></a></div>
<div style="padding:8px 0px"><span
style="color:#00a4b7;font-size:11px;background-color:transparent">10
Temple Back, Bristol, BS1
6FL</span></div>
<span
style="font-size:11px;line-height:15.925px;color:#00a4b7;font-weight:bold">t: </span><span
style="font-size:11px;line-height:15.925px">+44 (0)117 280 5120</span></div>
<div
style="color:#616161;font-size:14px;font-weight:normal;font-family:lato,'open
sans',arial,sans-serif"><span
style="color:#00a4b7"><span
style="font-size:11px;line-height:15.925px"><br>
</span></span>
<div
style="color:#333333;line-height:1.4"><span
style="font-size:0.75em">Moneyhub
Enterprise is a trading
style of Momentum
Financial Technology
Limited which is
authorised and regulated
by the Financial Conduct
Authority
("FCA"). Momentum
Financial Technology is
entered on the Financial
Services Register </span><span
style="font-size:0.75em;background-color:transparent">(FRN </span><span
style="font-size:0.75em;background-color:transparent;color:#00a4b7;font-weight:bold">561538</span><span
style="font-size:0.75em;background-color:transparent">) at <a
href="http://fca.org.uk/register"
target="_blank"
moz-do-not-send="true">fca.org.uk/register</a>.
Momentum Financial
Technology is registered
in England & Wales,
company registration
number </span><span
style="font-size:0.75em;color:#00a4b7;font-weight:bold;background-color:transparent">06909772</span><span
style="font-size:0.75em;background-color:transparent"> </span><span
style="color:#222222;font-family:arial,sans-serif;background-color:transparent"><span
style="font-size:xx-small">©</span></span><span
style="font-size:0.75em;background-color:transparent"> . </span><span
style="background-color:transparent;font-size:0.75em">Momentum Financial
Technology Limited 2016. </span><span
style="background-color:transparent;font-size:0.75em;color:#888888">DISCLAIMER:
This email (including any
attachments) is subject to
copyright, and the
information in it is
confidential. Use of this
email or of any
information in it other
than by the addressee is
unauthorised and unlawful.
Whilst reasonable efforts
are made to ensure that
any attachments are
virus-free, it is the
recipient's sole
responsibility to scan all
attachments for viruses.
All calls and emails to
and from this company may
be monitored and recorded
for legitimate purposes
relating to this company's
business. Any opinions
expressed in this email
(or in any attachments)
are those of the author
and do not necessarily
represent the opinions of
Momentum Financial
Technology Limited or of
any other group company.</span></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
</div>
</div>
<pre>_______________________________________________
Openid-specs-fapi mailing list
<a href="mailto:Openid-specs-fapi@lists.openid.net" target="_blank" moz-do-not-send="true">Openid-specs-fapi@lists.openid.net</a>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi" target="_blank" moz-do-not-send="true">http://lists.openid.net/mailman/listinfo/openid-specs-fapi</a>
</pre>
</blockquote>
</div>
</blockquote>
</div>
</div>
</blockquote>
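<p>The two flows the thread contrasts, as an added simulation that is not code from any of the thread's authors nor from the FAPI or CIBA specifications: the bank, TPP, user "alice" and her password are constructed, and the decoupled side is modelled on the CIBA poll mode (a backchannel request carrying only a login hint, then token requests with the <code>urn:openid:params:grant-type:ciba</code> grant that answer <code>authorization_pending</code> until the user has authenticated with the bank directly). It makes concrete what Nat and Henrik are pointing at: in the pass-through flow the TPP process necessarily handles the personalised security credentials, in the decoupled flow it only ever holds the resulting token.</p>

```python
"""Constructed simulation of two ways a PSD2 third-party provider (TPP) can
obtain an access token from a bank (ASPSP): the pass-through/embedded flow
and a decoupled flow modelled on CIBA poll mode.  The bank, TPP, user and
password are hypothetical; no real API is called."""
import hmac
import secrets
from dataclasses import dataclass, field

CIBA_GRANT = "urn:openid:params:grant-type:ciba"   # grant type defined by CIBA

# Hypothetical bank user directory (constructed sample data).
BANK_USERS = {"alice": "correct horse battery staple"}


@dataclass
class Bank:
    """The ASPSP: the only party that should ever see the password."""
    pending: dict = field(default_factory=dict)      # auth_req_id -> request state
    issued_tokens: set = field(default_factory=set)

    def _verify(self, user, password):
        return hmac.compare_digest(BANK_USERS.get(user, ""), password)

    def _issue_token(self):
        token = secrets.token_urlsafe(24)
        self.issued_tokens.add(token)
        return token

    # Pass-through/embedded: the credentials arrive inside the TPP's API call.
    def login_with_password(self, user, password):
        if not self._verify(user, password):
            raise PermissionError("bad credentials")
        return self._issue_token()

    # Decoupled (CIBA-style): the TPP sends only a hint identifying the user.
    def backchannel_authentication(self, login_hint, scope):
        auth_req_id = secrets.token_urlsafe(16)
        self.pending[auth_req_id] = {"user": login_hint, "scope": scope, "done": False}
        return {"auth_req_id": auth_req_id, "expires_in": 120, "interval": 2}

    def user_authenticates_directly(self, user, password):
        """Happens in the bank's own app or site, never via the TPP."""
        if not self._verify(user, password):
            raise PermissionError("bad credentials")
        for state in self.pending.values():
            if state["user"] == user:
                state["done"] = True

    def token(self, grant_type, auth_req_id):
        """Token endpoint for the CIBA grant, polled by the TPP."""
        if grant_type != CIBA_GRANT:
            return {"error": "unsupported_grant_type"}
        state = self.pending.get(auth_req_id)
        if state is None:
            return {"error": "invalid_grant"}
        if not state["done"]:
            return {"error": "authorization_pending"}
        del self.pending[auth_req_id]
        return {"access_token": self._issue_token(), "token_type": "Bearer"}


@dataclass
class TPP:
    """Third-party provider; records every secret its process handles."""
    secrets_seen: list = field(default_factory=list)

    def pass_through_login(self, bank, user, password):
        self.secrets_seen.append(password)   # now in TPP memory, logs, crash dumps
        return bank.login_with_password(user, password)

    def start_backchannel(self, bank, user):
        return bank.backchannel_authentication(login_hint=user, scope="payments")

    def poll_token(self, bank, auth_req_id):
        return bank.token(CIBA_GRANT, auth_req_id)


@dataclass
class FlowResult:
    access_token: str
    tpp_saw_credentials: bool
    polls: int = 0


def run_pass_through_flow(bank, tpp, user, password):
    """User types the bank password into the TPP's UI; the TPP forwards it."""
    token = tpp.pass_through_login(bank, user, password)
    return FlowResult(token, password in tpp.secrets_seen)


def run_decoupled_flow(bank, tpp, user, password):
    """TPP starts a backchannel request; the user authenticates with the bank."""
    req = tpp.start_backchannel(bank, user)
    first = tpp.poll_token(bank, req["auth_req_id"])      # user has not acted yet
    assert first == {"error": "authorization_pending"}
    bank.user_authenticates_directly(user, password)      # out of band, no TPP
    second = tpp.poll_token(bank, req["auth_req_id"])
    return FlowResult(second["access_token"], password in tpp.secrets_seen, polls=2)


if __name__ == "__main__":
    pw = BANK_USERS["alice"]
    print(run_pass_through_flow(Bank(), TPP(), "alice", pw).tpp_saw_credentials)  # True
    print(run_decoupled_flow(Bank(), TPP(), "alice", pw).tpp_saw_credentials)     # False
```

<p>Running the file prints True for the pass-through flow and False for the decoupled flow. The <code>authorization_pending</code> answer is the normal state while the user has not yet acted on the bank's side, so a real client waits <code>interval</code> seconds between polls rather than looping immediately; the point for the thread is that the TPP code path never has a place where the password could be logged, cached or replayed.</p>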
<br>
</body>
</html>