W004

Ref: W004
Organisation: OBIE (but applies to all ASPSPs and TPPs)
Date raised:
Priority: HIGH
Summary: All participants are exempted from supporting the ability to issue JWTs using the PS256 digital signing algorithm.
Policy/standard affected: Open Banking Security Profile - Implementer's Draft v1.1.0
Duration (end date):
Extended to:
Status: EXPIRED
Approved by: IE Trustee
Approved date:
Comments: Recommendation has been approved by TDA
Description

Several ASPSPs are unable to issue JWTs signed with the PS256 algorithm. PS256 is the algorithm mandated for signing JWTs under both the OB and FAPI standards, and it is the algorithm that supports the RSA certificates created by Open Banking. Many ASPSPs have confirmed that they will be unable to issue PS256-signed JWTs because of poor library support in their vendor applications and in their internally approved security libraries.

A waiver should be granted so that all ASPSP participants, and OB itself, are not required to support the issuance of PS256-signed JWTs. This has an ecosystem impact: collectively, the ecosystem is not specification-compliant in this one small area.

Risk assessment: Low
Mitigating controls: Alternative signing algorithm available.
Impact if refused: High
Financial cost (if any): £
Resource cost (if any): £