W003

Ref: W003

Organisation: OBIE (but applies to all ASPSPs)

Date raised:

Priority: HIGH

Summary: ASPSPs are exempted from supporting the ability to process signatures using the PS256 digital signing algorithm.

Policy/standard affected: Open Banking Security Profile - Implementer's Draft v1.1.0

Duration (end date):

Extended to:

Status: EXPIRED

Approved by: IE Trustee

Approved date:

Comments: Recommendation has been approved by TDA
Description

Several ASPSPs are unable to process JWTs that are signed with the PS256 algorithm. PS256 is the mandated JWT signing algorithm under both the OB and FAPI standards, and it is the algorithm supported by the RSA certificates issued by Open Banking. Many of the ASPSPs have confirmed that they will be unable to process JWTs signed with PS256 because of poor library support in their vendor applications and in their internally approved security libraries.

A waiver should be granted so that all ASPSP participants, and OB itself, are not required to support the processing of PS256-signed JWTs. This has an ecosystem impact: collectively, the ecosystem is not specification compliant in this one small area.

Risk assessment: Low

Mitigating controls: An alternative signing algorithm will be used whilst the ecosystem's ASPSP participants upgrade their services to support the PS256 algorithm.

Impact if refused: High

Financial cost (if any): £

Resource cost (if any): £