<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 2020-07-24 08:37, Ralph Bragg wrote:<br>
</div>
<blockquote type="cite"
cite="mid:LNXP265MB0809FDF99C26121A73039FB2F6770@LNXP265MB0809.GBRP265.PROD.OUTLOOK.COM">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
Hi Anders,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
Further to Nat's questions, there is nothing stopping a
confidential client being run on a mobile device. Indeed, this is
how a lot of banks' mobile applications are written. With a
confidential client on a mobile device there is nothing stopping
the app from interacting with a provider's APIs using the FAPI
security profiles.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
Joseph calls this out explicitly in the implementation guidance
section; however, there are significant challenges for
implementation of this model under PSD2. The use of qualified
certificates for 'identification' makes this almost impossible
for a TPP to do safely, or at least in a way that would be
appropriate from a risk point of view. However, if a TPP wanted
to do this, they could.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
I'd be interested to know where the specs technically don't work for
confidential clients on a mobile.</div>
</blockquote>
Hi Ralph,<br>
<br>
Is this what you mean by confidential client?<br>
<a
href="https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_001.md#markdown-header-524-confidential-client">https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_001.md#markdown-header-524-confidential-client</a><br>
IMO, none of the things mentioned here apply because mobile apps are
not "clients" in OAuth terminology. Mobile apps must (of course)
use strong authentication, but for session-oriented
applications they would preferably use FIDO and cookies. Mobile wallets (my
line of work), OTOH, typically provide complete assertions like
Apple Pay/EMV. The latter is now targeted for inclusion in the
Berlin Group API. There is no scope, redirect, or explicit PSU ID,
only a single request/response pair. The Berlin Group intends to use
Embedded SCA for this purpose, but that doesn't solve the mobile app
issue.<br>
<br>
The "problem" is that Open Banking APIs based on FAPI support the
core (payments and account information access), but there is
[currently] no standardized way of reusing the core for mobile apps.
This is obviously outside of the CMA / EBA "order", but that doesn't
make it irrelevant, particularly not for those who actually pay for
the party, the banks.<br>
<br>
Anders<br>
<br>
<blockquote type="cite"
cite="mid:LNXP265MB0809FDF99C26121A73039FB2F6770@LNXP265MB0809.GBRP265.PROD.OUTLOOK.COM">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
RB</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b>
Openid-specs-fapi
<a class="moz-txt-link-rfc2396E" href="mailto:openid-specs-fapi-bounces@lists.openid.net"><openid-specs-fapi-bounces@lists.openid.net></a> on behalf
of Nat Sakimura via Openid-specs-fapi
<a class="moz-txt-link-rfc2396E" href="mailto:openid-specs-fapi@lists.openid.net"><openid-specs-fapi@lists.openid.net></a><br>
<b>Sent:</b> Friday, July 24, 2020 6:20 AM<br>
<b>To:</b> Financial API Working Group List
<a class="moz-txt-link-rfc2396E" href="mailto:Openid-specs-fapi@lists.openid.net"><Openid-specs-fapi@lists.openid.net></a>; Anders Rundgren
<a class="moz-txt-link-rfc2396E" href="mailto:anders.rundgren.net@gmail.com"><anders.rundgren.net@gmail.com></a><br>
<b>Cc:</b> Nat Sakimura <a class="moz-txt-link-rfc2396E" href="mailto:nat@sakimura.org"><nat@sakimura.org></a><br>
<b>Subject:</b> Re: [Openid-specs-fapi] FAPI meeting request -
Mobile app access</font>
<div> </div>
</div>
<div>
<div name="x_messageBodySection">
<div dir="auto">Hi.<br>
<br>
Certainly we can take it up as an agenda item but I would
like to understand what you mean by FAPI methods. Could you
please elaborate on it?</div>
</div>
<div name="x_messageSignatureSection"><br>
<div dir="auto">Nat Sakimura
<div dir="auto">Chairman, OpenID Foundation </div>
<div dir="auto"><a class="moz-txt-link-freetext" href="https://nat.sakimura.org">https://nat.sakimura.org</a></div>
</div>
</div>
<div name="x_messageReplySection">On 24 July 2020 at 15:04 +0900, Anders
Rundgren <a class="moz-txt-link-rfc2396E" href="mailto:anders.rundgren.net@gmail.com"><anders.rundgren.net@gmail.com></a> wrote:<br>
<blockquote type="cite">Hi FAPIers,<br>
<br>
Currently FAPI methods are only accessible by TPPs.<br>
<br>
This may be "by design", but it also makes the API less
universal and forces banks to create competing APIs.<br>
<br>
As an example, some mobile wallets provide real-time account
balances. This obviously requires a direct call to the
associated bank.<br>
<br>
Could we have a meeting on this topic?<br>
<br>
Sincerely,<br>
Anders Rundgren<br>
</blockquote>
</div>
</div>
</blockquote>
<br>
</body>
</html>