<div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-family:"trebuchet ms",sans-serif">So <a class="gmail_plusreply" id="gmail-plusReplyChip-1" href="mailto:ralph.bragg@raidiam.com" tabindex="-1">@Ralph Bragg</a> is an expert on this, but my perspective is:</div><div class="gmail_default" style="font-family:"trebuchet ms",sans-serif"><br></div><div class="gmail_default" style="font-family:"trebuchet ms",sans-serif"> - QWACs are eIDAS certs that can be used either as client or server certs for TLS<br> - <span style="font-family:Arial,Helvetica,sans-serif">QSealCs are eIDAS certs to be used for message signing<br> - The EBA doesn't have any requirement for banks to use QWACs as server certs<br> - The EBA encourages TPPs to use QWACs as client certs for TLS mutual auth<br> - The EBA also encourages TPPs to use </span><span style="font-family:Arial,Helvetica,sans-serif">QSealCs to sign messages<br> - The bank is the one who decides which certs the TPP has to use<br><br>From a FAPI perspective:</span></div><div class="gmail_default" style="font-family:"trebuchet ms",sans-serif"><span style="font-family:Arial,Helvetica,sans-serif"> - We support* the use of QWACs for mutual TLS for both client authentication and proof of possession of access tokens<br> - We support* the use of QSealCs for signing JWTs, e.g. Request Object, or private_key_jwt client auth</span></div><div class="gmail_default" style="font-family:"trebuchet ms",sans-serif"><span style="font-family:Arial,Helvetica,sans-serif"><br></span></div><div class="gmail_default" style="font-family:"trebuchet ms",sans-serif"><span style="font-family:Arial,Helvetica,sans-serif">* by support, I mean that we don't preclude the use of eIDAS certs. The underlying specs for OAuth mutual TLS allow the use of PKI-based certs. 
The underlying specs for request object and private_key_jwt allow the use of keys that are backed by certs rather than just raw keys.<br><br>So I think FAPI does support both uses proposed by the EBA. In terms of guidance for implementers I can think of the following:</span></div><div class="gmail_default" style="font-family:"trebuchet ms",sans-serif"><span style="font-family:Arial,Helvetica,sans-serif"> - because an eIDAS cert is "org level" rather than "software level", it is strongly advisable to have a means of the RP communicating to the OP which certs should be associated with it</span></div><div class="gmail_default" style="font-family:"trebuchet ms",sans-serif"><span style="font-family:Arial,Helvetica,sans-serif"> - jwks_uri is a good place for the RP to let the OP know which certs it will use for signing, and allows easy rotation</span></div><div class="gmail_default"><span style="font-family:Arial,Helvetica,sans-serif"> - client registration metadata such as `</span>tls_client_auth_subject_dn` is a good place for the RP to let the OP know the DN of the certs it will use for client authentication<br><br>We have discussed previously some sort of "Implementers' Guidelines" for FAPI, and I would support the creation of such a document. This working group has a lot of expertise relating to the implementation of FAPI and related specs in a financial context that it would be good to capture, but which sits outside of the current specs. </div><div class="gmail_default"><br></div><div class="gmail_default">Dave</div></div></div><br><div class="gmail_quote"><div dir="ltr">On Wed, 12 Dec 2018 at 14:55, Nat Sakimura via Openid-specs-fapi <<a href="mailto:openid-specs-fapi@lists.openid.net">openid-specs-fapi@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On first read, it looks like FAPI will be OK if the MTLS client<br>
certs are QSealCs and the bank's web site certs are QWACs, but I may be<br>
wrong.<br>
<br>
Your guidance is sought > Dave<br>
<br>
---<br>
Nat Sakimura<br>
Research Fellow, Nomura Research Institute<br>
Chairman of the Board, OpenID Foundation<br>
<br>
On 2018-12-12 22:46, Rob Otto via Openid-specs-fapi wrote:<br>
> Dave and others - is there any scope or precedent for amending or<br>
> extending the FAPI profiles to take this guidance into account? Could<br>
> or should there be a "FAPI over EIDAS" profile that takes this<br>
> guidance and turns it into something concrete and implementable by the<br>
> industry? <br>
> <br>
> On Wed, 12 Dec 2018 at 12:35, Dave Tonge via Openid-specs-fapi<br>
> <<a href="mailto:openid-specs-fapi@lists.openid.net" target="_blank">openid-specs-fapi@lists.openid.net</a>> wrote:<br>
> <br>
>> Hi all,<br>
>> <br>
>> This has just been published:<br>
>> <br>
>> <br>
> <a href="https://eba.europa.eu/-/eba-publishes-an-opinion-on-the-use-of-eidas-certificates-under-psd2" rel="noreferrer" target="_blank">https://eba.europa.eu/-/eba-publishes-an-opinion-on-the-use-of-eidas-certificates-under-psd2</a><br>
>> <br>
>> The EBA are strongly advocating message signing as well as mutual<br>
>> TLS.<br>
>> <br>
>> --<br>
>> <br>
>> Dave Tonge<br>
>> CTO<br>
> <br>
> --<br>
> <br>
> Rob Otto<br>
> EMEA Field CTO/Solutions Architect<br>
> <a href="mailto:robotto@pingidentity.com" target="_blank">robotto@pingidentity.com</a><br>
> <br>
_______________________________________________<br>
Openid-specs-fapi mailing list<br>
<a href="mailto:Openid-specs-fapi@lists.openid.net" target="_blank">Openid-specs-fapi@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-fapi</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="font-size:1em;font-weight:bold;line-height:1.4"><div style="color:rgb(97,97,97);font-family:"Open Sans";font-size:14px;font-weight:normal;line-height:21px"><div style="font-family:Arial,Helvetica,sans-serif;font-size:0.925em;line-height:1.4;color:rgb(220,41,30);font-weight:bold"><div style="font-size:14px;font-weight:normal;color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;line-height:normal"><div style="color:rgb(0,164,183);font-weight:bold;font-size:1em;line-height:1.4"><div style="font-weight:400;color:rgb(51,51,51);line-height:normal"><div style="color:rgb(0,164,183);font-weight:bold;font-size:1em;line-height:1.4">Dave Tonge</div><div style="font-size:0.8125em;line-height:1.4">CTO</div><div style="font-size:0.8125em;line-height:1.4;margin:0px"><a href="http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A" style="color:rgb(131,94,165)" target="_blank"><img alt="Moneyhub Enterprise" height="50" src="http://content.moneyhub.co.uk/images/teal_Moneyhub-Ent_logo_200x50.png" title="Moneyhub Enterprise" width="200" style="border: none; padding: 0px; border-radius: 2px; margin: 7px;"></a></div><div style="padding:8px 0px"><div style="padding:8px 0px"><div style="letter-spacing:normal;line-height:normal"><div style="padding:8px 0px"><span style="color:rgb(0,164,183);font-size:11px">Moneyhub Financial Technology, 5th Floor, 10 Temple Back, Bristol, BS1 6FL</span></div><span style="font-size:11px;line-height:15.925px;color:rgb(0,164,183);font-weight:bold">t: </span><span style="font-size:11px;line-height:15.925px">+44 (0)117 280 5120</span><br style="color:rgb(0,164,183);font-size:11px;line-height:15.925px"></div><div style="letter-spacing:normal;line-height:normal"><span 
style="font-size:11px;line-height:15.925px"><br></span></div><div style="color:rgb(97,97,97);font-family:"Open Sans";letter-spacing:normal"><div style="line-height:1.4"><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;font-size:0.75em">Moneyhub Enterprise is a trading style of Moneyhub Financial Technology Limited which is authorised and regulated by the Financial Conduct Authority ("FCA"). Moneyhub Financial Technology is entered on the Financial Services Register </span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;font-size:0.75em;background-color:transparent">(FRN </span><span style="color:rgb(0,164,183);font-family:lato,"open sans",arial,sans-serif;font-size:10.5px;font-weight:700">809360</span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:0.75em">) at <a href="http://fca.org.uk/register" target="_blank">fca.org.uk/register</a>. M</span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:10.5px">oneyhub</span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:0.75em"> Financial Technology is registered in England & Wales, company registration number </span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:0.75em"> </span><span style="font-weight:bold;color:rgb(0,164,183);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:0.75em">06909772</span><span style="background-color:transparent"><font color="#333333" face="lato, open sans, arial, sans-serif"><span style="font-size:0.75em"> .</span></font></span></div><div style="font-family:lato,"open sans",arial,sans-serif;color:rgb(51,51,51);line-height:1.4"><span style="background-color:transparent;font-size:10.5px">Moneyhub</span><span 
style="background-color:transparent;font-size:0.75em"> Financial Technology Limited 2018 </span><span style="background-color:transparent;color:rgb(34,34,34);font-family:arial,sans-serif;font-size:x-small">©</span></div><div style="font-family:lato,"open sans",arial,sans-serif;color:rgb(51,51,51);line-height:1.4"><span style="background-color:transparent;font-size:0.75em"><br></span></div><div style="font-family:lato,"open sans",arial,sans-serif;color:rgb(51,51,51);line-height:1.4"><span style="background-color:transparent;font-size:0.75em;color:rgb(136,136,136)">DISCLAIMER: This email (including any attachments) is subject to copyright, and the information in it is confidential. Use of this email or of any information in it other than by the addressee is unauthorised and unlawful. Whilst reasonable efforts are made to ensure that any attachments are virus-free, it is the recipient's sole responsibility to scan all attachments for viruses. All calls and emails to and from this company may be monitored and recorded for legitimate purposes relating to this company's business. Any opinions expressed in this email (or in any attachments) are those of the author and do not necessarily represent the opinions of Moneyhub Financial Technology Limited or of any other group company.</span></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
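The two FAPI uses of a QWAC that Dave lists above, mutual-TLS client authentication checked against the registered `tls_client_auth_subject_dn`, and proof of possession of an access token bound to the presented certificate, come down to two checks on the OP and resource-server side. The Go example below is added here to show them in working code; it is not code from this thread, from the FAPI working group or from any company named in it. It follows RFC 8705 (OAuth 2.0 Mutual-TLS) for the `x5t#S256` thumbprint carried in the token's `cnf` claim, and it compares the registered DN attribute by attribute rather than as a string, so RDN ordering and escaping in the registered value do not cause false mismatches. The certificate subject, the `organizationIdentifier` value and all function names are constructed for the example; the self-signed certificate only exists so the code runs offline, and a real deployment validates the QWAC chain to an eIDAS trust anchor before either check applies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// RDN types an OP may see in a registered tls_client_auth_subject_dn, keyed by upper-cased short name;
// organizationIdentifier (2.5.4.97) is where a PSD2 QWAC carries the TPP's authorisation number.
var attrOIDs = map[string]asn1.ObjectIdentifier{
	"CN": {2, 5, 4, 3}, "SERIALNUMBER": {2, 5, 4, 5}, "C": {2, 5, 4, 6}, "L": {2, 5, 4, 7},
	"ST": {2, 5, 4, 8}, "O": {2, 5, 4, 10}, "OU": {2, 5, 4, 11}, "ORGANIZATIONIDENTIFIER": {2, 5, 4, 97},
}

// CertThumbprint returns the RFC 8705 "x5t#S256" value: unpadded base64url of SHA-256 over the DER certificate.
func CertThumbprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// TokenBoundToCert is the resource server's proof-of-possession check: the access token's cnf.x5t#S256
// claim must equal the thumbprint of the certificate the caller presented on the mutual-TLS connection.
func TokenBoundToCert(cnfX5tS256 string, presented *x509.Certificate) bool {
	return cnfX5tS256 != "" && cnfX5tS256 == CertThumbprint(presented)
}

// parseDN splits an RFC 4514-style "CN=a, O=b" string into (TYPE, value) pairs, honouring "\," escapes.
func parseDN(dn string) ([][2]string, error) {
	pairs, cur := [][2]string{}, []byte{}
	for i := 0; i <= len(dn); i++ {
		switch {
		case i < len(dn) && dn[i] == '\\' && i+1 < len(dn): // escaped character, kept literally
			i++
			cur = append(cur, dn[i])
		case i < len(dn) && dn[i] != ',':
			cur = append(cur, dn[i])
		default: // end of one RDN, or end of input
			kv := strings.SplitN(strings.TrimSpace(string(cur)), "=", 2)
			if len(kv) != 2 || strings.TrimSpace(kv[0]) == "" {
				return nil, fmt.Errorf("malformed RDN %q", string(cur))
			}
			pairs = append(pairs, [2]string{strings.ToUpper(strings.TrimSpace(kv[0])), strings.TrimSpace(kv[1])})
			cur = cur[:0]
		}
	}
	return pairs, nil
}

// SubjectDNMatches compares a registered tls_client_auth_subject_dn with the presented certificate's subject
// attribute by attribute. The registered DN must account for every subject attribute; otherwise a
// certificate from the same organisation with a different CN would pass.
func SubjectDNMatches(registered string, subject pkix.Name) (bool, error) {
	want, err := parseDN(registered)
	if err != nil || len(want) != len(subject.Names) {
		return false, err
	}
	used := make([]bool, len(subject.Names)) // each certificate attribute may satisfy one registered RDN
	for _, kv := range want {
		oid := attrOIDs[kv[0]] // unknown attribute types are nil and therefore never match
		found := false
		for i, atv := range subject.Names {
			if val, _ := atv.Value.(string); !used[i] && atv.Type.Equal(oid) && val == kv[1] {
				used[i], found = true, true
				break
			}
		}
		if !found {
			return false, nil
		}
	}
	return true, nil
}

// NewTPPCert mints a throwaway self-signed client certificate with a constructed TPP subject (the
// organizationIdentifier is a placeholder, not a real PSD2 authorisation number) so the example runs offline.
func NewTPPCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subject := pkix.Name{CommonName: cn, Organization: []string{"Example TPP Ltd"}, Country: []string{"GB"},
		ExtraNames: []pkix.AttributeTypeAndValue{{Type: attrOIDs["ORGANIZATIONIDENTIFIER"], Value: "PSDGB-FCA-PLACEHOLDER"}}}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subject, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

The OP applies `SubjectDNMatches` at the token endpoint after the TLS layer has validated the client certificate chain, and the authorisation server places `CertThumbprint` of that same certificate into the token's `cnf` claim; a resource server then runs `TokenBoundToCert` on every call, so a stolen token presented over a connection authenticated with a different certificate (even one with an identical subject) is rejected. The attribute-wise comparison is also what lets the registered DN survive the org-level nature of an eIDAS certificate: a renewed QWAC with the same subject keeps matching, while any change to the subject, including `organizationIdentifier`, requires re-registration.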