Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01

Neil Madden <> Wed, 08 July 2020 18:46 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C6FF03A0798 for <>; Wed, 8 Jul 2020 11:46:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Hrajn5A-ILPF for <>; Wed, 8 Jul 2020 11:46:53 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::436]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8B3EE3A0795 for <>; Wed, 8 Jul 2020 11:46:53 -0700 (PDT)
Received: by with SMTP id f7so47016881wrw.1 for <>; Wed, 08 Jul 2020 11:46:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=WTbrESfbK0/sejwnVfufgt8OAZA49m9Ibi+jQ8LgOKs=; b=guvmcowttL/YFHFWLGR1VAVzDvOLWn7t8YPtfTfFvcOJ8WnvgCGCDk/KaS71pXhR7K nKpgaNNIiqzm5J/K02VRlYorhshMbPQcQrGrlpncc4IW4s23hiB8x/2fK+NR3IJnlKog 5lRPfcUw2k25a1bdVrNU53xki6nR4Sc7fGVn4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=WTbrESfbK0/sejwnVfufgt8OAZA49m9Ibi+jQ8LgOKs=; b=M5myLSG76X1Xc6ylj0+TWAgTGY1p3vDTPII8mePuaMpMn0O9TITMdH8rQE/ULLfK9b D+ok3gPcVOvkWjptrzGkcYt5JCGCOUfwUx6BTczRfZwk7HiYDR9rKT7RjfTAmURDJwoo z/4LOJNgg5E69YtYzBlrXAfGrZWBv2sTs6TkaoqLtrHoYGW4W13InPC7kNdN8OnsR53G lrk/h/dqsmevmwZ+m0P/+AMNM72RTd3M7PYFUm4m/jX05CMUfPHyZaX3hSS7QM4U0E2G cWQm7hGWolm0CRzqtHl+0Iuw0KZolXq7sFKVj+/WlDbKD6ikgFADLQe6k9t2tSU7xYNn +B+Q==
X-Gm-Message-State: AOAM533yKL4AEvXrR/EybElz6L5iKkJlQzHGKDtSJtrARXsoMVGordzc +HaIkCeK6rqRfRFQuyCIK90YAA==
X-Google-Smtp-Source: ABdhPJwvyYN+HTZwOTSg5imo/NCl+XK3epbtqtgMLjeP89jGUQjH+fHCi4Lv6TG3NgK8QtIwS90IVg==
X-Received: by 2002:adf:ed87:: with SMTP id c7mr57802038wro.422.1594234011750; Wed, 08 Jul 2020 11:46:51 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id 92sm1262885wrr.96.2020. (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 08 Jul 2020 11:46:51 -0700 (PDT)
From: Neil Madden <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_98138A86-AA65-4EB7-839A-BA3E500DB2EA"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Date: Wed, 08 Jul 2020 19:46:50 +0100
In-Reply-To: <>
Cc: Justin Richer <>, oauth <>
To: Torsten Lodderstedt <>
References: <> <> <>
X-Mailer: Apple Mail (2.3608.
Archived-At: <>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 08 Jul 2020 18:46:56 -0000

On 8 Jul 2020, at 19:03, Torsten Lodderstedt <> wrote:
>>> What in particular should the use consent with in this step?
>> “FooPay would like to:
>> - initiate payments from your account (you will be asked to approve each one)”
>> The point is that a client that I don’t have any kind of relationship with can’t just send me a request to transfer $500 to some account. 
> Are we talking about legal consent or a security measures here?

Normal OAuth consent. My phone is my resource, and I am its resource owner. If a client wants to send payment requests to my phone (e.g. via CIBA backchannel) then it should have to get my permission first. Even without backchannel requests, I’d much rather that only the three clients I’ve explicitly consented to can ask me to initiate payments rather than the hundreds/thousands clients my bank happens to have a relationship with.

> In case of open banking the user legally consents to this process at the client (TPP) even before the OAuth/Payment Initiation dance starts. 

How does the bank (ASPSP) confirm that this actually happened?

— Neil