W003
Ref | W003 |
|---|---|
Organisation | OBIE (but applies to all ASPSPs) |
Date raised | Jan 4, 2018 |
Priority | HIGH |
Summary | ASPSPs are exempted from supporting the ability to process signatures using PS256 digital signing algorithm. |
Policy/standard affected | |
Duration (end date) | Extended to Mar 13, 2019 |
Status | EXPIRED |
Approved by | IE Trustee |
Approved date | Jan 12, 2018 |
Comments | Recommendation has been approved by TDA |
Description | Several ASPSPs are unable to process JWTs that are signed with the PS256 algorithm. This algorithm, PS256, is the mandated algorithm for signing of JWTs under both the OB and FAPI standard that supports the RSA certificates created by Open Banking. Many of the ASPSPs have confirmed that they will be unable to process JWTs signed by PS256 as a result of poor library support in their vendor applications and internal approved security libraries. A waiver should be granted for all ASPSP participants and OB itself not to be required to support the processing of PS256 signed JWTs. This has an ecosystem impact in that collectively the ecosystem is not specification compliant in this one small area. |
|---|---|
Risk assessment | Low |
Mitigating controls | An alternative cipher will be utilised whilst the ecosystems ASPSP participants upgrade their services to support the PS256 algorithms. |
Impact if refused | High |
Financial cost (if any) £ |
|
Resource cost (if any) £ |
|