[Openid-specs-heart] Bi-weekly HEART call starting Nov 6th - update of profiles
Eve Maler
eve.maler at forgerock.com
Sat Oct 28 02:57:39 UTC 2017
We don't have to copy any of the SCA stuff, and in fact, I'm not even sure
the FAPI profiles themselves reference SCA. They just underpin the OB
specs. As I said, the FAPI profiles are like a *much more detailed,
thorough, and restrictive version* of the profiles we have put together,
targeted at a *much more detailed, specific, and demanding regulatory
environment*.
(Hey, you asked for description and color...)
*Eve Maler* | ForgeRock Office of the CTO | VP Innovation & Emerging Technology
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
On Fri, Oct 27, 2017 at 5:51 PM, Adrian Gropper <agropper at healthurl.com>
wrote:
> The bank analogy is concerning for healthcare. Banks take direct
> responsibility for fraud; healthcare institutions pass responsibility to
> physicians or to the patient. HEART needs to be clear about how we support
> "Strong Customer Authentication". We need to be clear that the customer is
> the patient or the physician and not the client tech that they're using.
> Otherwise, SCA will be used as an excuse for information blocking by
> introducing certification requirements for the client.
>
> Adrian
>
>
> On Fri, Oct 27, 2017 at 1:23 PM Eve Maler <eve.maler at forgerock.com> wrote:
>
>> Open Banking (see the website of its UK government-mandated
>> Implementation Entity here <https://www.openbanking.org.uk>) is a
>> regulation requiring at least the UK's biggest nine banks (the "CMA9", CMA
>> standing for Competition Market Authority) to present a standard set of
>> APIs to foster a payment initiation and account information application
>> ecosystem, for giving customers choice. The open APIs in effect
>> disintermediate credit card issuers and enable the use of bank accounts
>> directly as payment instruments for things like paying Amazon (as a
>> third-party client app) for buying an item etc. The OB approach and specs,
>> which work with the OpenID Foundation's Financial API (FAPI
>> <http://openid.net/wg/fapi/>) WG's specs, discourage "screen scraping"
>> and encourage the by-now-familiar OAuth and OpenID Connect pattern of
>> having the client app offer for the user to identify, and authenticate at,
>> and authorize action through, a service (the bank). The regulation mandates
>> "SCA", Strong Customer Authentication. The FAPI profiles are like a much
>> more detailed, thorough, and restrictive version of the profiles we have
>> put together, targeted at a much more detailed, specific, and demanding
>> regulatory environment. OB operates in a broader EU regulatory context,
>> PSD2 (Payment Services Directive 2). There is currently a "NextGenPSD2"
>> effort being undertaken by The Berlin Group; a conference
>> <https://www.berlin-group.org/nextgenpsd2-conference-2017> was held two
>> days ago to start to collect input towards that.
>>
>>
>> *Eve Maler* | ForgeRock Office of the CTO | VP Innovation & Emerging Technology
>> Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
>>
>> On Fri, Oct 27, 2017 at 8:15 AM, Adrian Gropper <agropper at healthurl.com>
>> wrote:
>>
>>> I'm new to Open Banking. Is it related to Distributed Public Ledgers?
>>> Can someone provide a bit more description and color?
>>>
>>> On Fri, Oct 27, 2017 at 7:53 AM, Debbie Bucci <debbucci at gmail.com>
>>> wrote:
>>>
>>>> Hello Everyone,
>>>>
>>>> Now that the fall conferences are winding down and the UMA 2.0 spec is
>>>> nearing completion, we would like to start up the HEART WG for a few
>>>> sessions/discussions and see where it might go from there. Given the
>>>> holiday season, starting Nov 6th seems to minimize holiday interruptions.
>>>>
>>>> On the short list of topics/potential actions ...
>>>>
>>>> 1. Updating the UMA related profiles to reflect UMA 2.0
>>>> 2. Given recent action of Open Banking and a better understanding of the
>>>> SMART profiles, I do think we missed the mark by not including public
>>>> clients in the specs. SMART (assumed trusted environment) and Open
>>>> Banking (probable use by 3rd party API) have different perspectives.
>>>> Perhaps referencing/leveraging/aligning with other OpenID profiles
>>>> -- FAPI, iGov, EAP (?)
>>>>
>>>> If you are interested and have other topics - updates to the profile we
>>>> should consider - please post to the list.
>>>>
>>>> Thanks in advance
>>>>
>>>> _______________________________________________
>>>> Openid-specs-heart mailing list
>>>> Openid-specs-heart at lists.openid.net
>>>> http://lists.openid.net/mailman/listinfo/openid-specs-heart
>>>>
>>>>
>>>
>>>
>>> --
>>>
>>> Adrian Gropper MD
>>>
>>> PROTECT YOUR FUTURE - RESTORE Health Privacy!
>>> HELP us fight for the right to control personal health data.
>>> DONATE: https://patientprivacyrights.org/donate-3/
>>>
> --
>
> Adrian Gropper MD
>
> PROTECT YOUR FUTURE - RESTORE Health Privacy!
> HELP us fight for the right to control personal health data.
> DONATE: https://patientprivacyrights.org/donate-3/
>