<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:"Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
@font-face
{font-family:"MS PGothic";
panose-1:2 11 6 0 7 2 5 8 2 4;}
@font-face
{font-family:"MS PGothic";}
@font-face
{font-family:"Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0mm;
margin-bottom:.0001pt;
text-align:justify;
text-justify:inter-ideograph;
font-size:10.5pt;
font-family:"游ゴシック",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;}
/* Page Definitions */
@page WordSection1
{size:612.0pt 792.0pt;
margin:99.25pt 30.0mm 30.0mm 30.0mm;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=JA link=blue vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span lang=EN-US>Hi Philippe, </span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>I initially thought of it, but then got disturbed with his statement about Nordic countries where they are provided by banks. </span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Re: redirecting to public entities – I am not that familiar with eIDAS so it would help me if you could tell me if the regulators will be liable if the Bank depends on them and the transaction were fraudulent? By depending on the external authentication and not getting the client land on the page that the bank controls, the bank loses the opportunity to obtain risk signals like device location, cookie and local storage states, etc. Hence, banks will be exposed to higher risk, you know. </span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Best, </span><span lang=EN-US style='font-size:12.0pt'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Nat Sakimura<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><div style='mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0mm 0mm 0mm'><p class=MsoNormal style='border:none;padding:0mm'><b>差出人<span lang=EN-US>: </span></b><span lang=EN-US><a href="mailto:philippe.leothaud@42crunch.com">Philippe Leothaud</a><br></span><b>送信日時<span lang=EN-US>: </span></b><span lang=EN-US>2019</span>年<span lang=EN-US>3</span>月<span lang=EN-US>10</span>日<span lang=EN-US> 0:20<br></span><b>宛先<span lang=EN-US>: </span></b><span lang=EN-US><a href="mailto:openid-specs-fapi@lists.openid.net">Financial API Working Group List</a><br><b>CC: </b><a href="mailto:nat@sakimura.org">nat</a><br></span><b>件名<span lang=EN-US>: </span></b><span lang=EN-US>Re: [Openid-specs-fapi] Fwd: Letter from Vice-President ValdisDombrovskis: Comments about Redirection</span></p></div><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"MS Pゴシック",sans-serif'><o:p> </o:p></span></p><div><p class=MsoNormal align=left style='text-align:left'><span lang=EN-US>HI Nat,</span><span lang=EN-US style='font-size:12.0pt'><o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>I suspect his problem is not the redirection per se, but a redirection "to the Banks' Web pages or apps"</span></p></div><div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>I guess he would prefer to have redirection to a public OP and not to the banks' ones though it's just me guessing</span></p></div><div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Thanks,</span></p></div><div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Philippe </span></p></div></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><div><div><p class=MsoNormal><span lang=EN-US>On Sat, Mar 9, 2019 at 3:31 PM nat via Openid-specs-fapi <<a href="mailto:openid-specs-fapi@lists.openid.net">openid-specs-fapi@lists.openid.net</a>> wrote:</span></p></div></div><p class=MsoNormal style='margin-left:4.8pt'><span lang=EN-US>Restarting the thread as I want to make a youtube video on this one and <br>want to hear your opinions.<br><br>So, Mr Dombrovskis says:<br><br>"I would like to encourage industry players to shift their attention <br>away from authentication methods that are redirecting TPP customers to <br>the banks' webpages (or apps). This cannot be the basis for innovative <br>and competitive European payment services. Instead, the focus should in <br>my view be on the development of convenient and secure new <br>authentication methods. Such new forms of authentication, which are now <br>more and more widely used, can be linked to e-IDs, issued by public <br>authorities or private entities as in the Nordic countries, that may be <br>used by customers with numerous market participants..."<br><br>What I do not understand is that why he thinks "Such new forms of <br>authentication" does not involve a redirect.<br>As far as I understand, "private entities as in the Nordic countries" <br>uses either SAML or OpenID Connect and make use of "redirect" to perform <br>the user authentication that is linked to e-IDs, and they are provided <br>by banks. If I am right, then the above statement is saying:<br><br>"Shift their attention away from authentication methods that are <br>redirecting TPP customers to the banks' webpages (or apps) to <br>authentication methods that are redirecting TPP customers to the banks' <br>webpages (or apps)."<br><br>It just does not make sense...<br><br>I could go on with a generic Youtube video showing how redirecting can <br>be non-intrusing but I wanted to understand the above statement better.<br><br>Best,<br><br>Nat<br><br>On 2019-02-22 18:25, Dave Tonge via Openid-specs-fapi wrote:<br>> Dear FAPI WG<br>> <br>> I just received this and think it may be of interest to you:<br>> <br>> Please find attached a letter and attachment from Commission Vice<br>> President Dombrovskis.<br>> <br>> He has made some discouraging comments about redirection to webpages<br>> and apps:<br>> <br>> “I WOULD LIKE TO ENCOURAGE INDUSTRY PLAYERS TO SHIFT THEIR ATTENTION<br>> AWAY FROM AUTHENTICATION METHODS THAT ARE REDIRECTING TPP CUSTOMERS TO<br>> THE BANKS' WEBPAGES (OR APPS). THIS CANNOT BE THE BASIS FOR<br>> INNOVATIVE AND COMPETITIVE EUROPEAN PAYMENT SERVICES. Instead, the<br>> focus should in my view be on the development of convenient and secure<br>> new authentication methods. Such new forms of authentication, which<br>> are now more and more widely used, can be linked to e-IDs, issued by<br>> public authorities or private entities as in the Nordic countries,<br>> that may be used by customers with numerous market participants…”<br>> <br>> …“I also invite industry players to work together to find<br>> practical solutions to other problems that payment initiation service<br>> and/or account information service providers are facing. One of them<br>> is the regular renewal, every 90 days, of consent for the TPPs’<br>> access to accounts. This consent renewal requires STRONG CUSTOMER<br>> AUTHENTICATION, WHICH WOULD BE A MAJOR INCONVENIENCE IF DONE FOR EACH<br>> BANK USING CONVENTIONAL AUTHENTICATION METHODS AND POSSIBLY<br>> REDIRECTION TO THE BANKS’ AUTHENTICATION PAGES.”<br>> <br>> Dave<br>> _______________________________________________<br>> Openid-specs-fapi mailing list<br>> <a href="mailto:Openid-specs-fapi@lists.openid.net" target="_blank">Openid-specs-fapi@lists.openid.net</a><br>> <a href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-fapi</a><br>_______________________________________________<br>Openid-specs-fapi mailing list<br><a href="mailto:Openid-specs-fapi@lists.openid.net" target="_blank">Openid-specs-fapi@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-fapi</a></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"MS Pゴシック",sans-serif'><o:p> </o:p></span></p></div></body></html>