What's the motivation for this? Is it coming from inside the industry/is it a suggestion/fun project?
I'm don't understand the purpose - it's all about transmission, not data. Banks could sure do sure do with a standardised API, but is interbank message encryption a problem needing solved? I've haven't heard anything like that.
The author is very sure of it's production-readiness. If this transpires to be true, then I could easily see this spec as a good way to encrypt message-based data of all kinds. But where does this bank angle come from?
Helpful. Are you using this in production with European banks?
I saw that on one of the interactive maps on your site there's no line to/from the UK, which is hardly surprising if you are - I would be staggered if they got on board with anything outside their little circle. Are banks in mainland Europe open to this kind of innovation?
Yes, it's in production by some banks and financial institutions in Europe. Most banks are still using SWIFT though.
I think the main reason why BankAPI has been accepted, is actually the lack of innovation. Banks are in general very skeptic to new "unproven" technology, but as BankAPI relies on old standards like TCP/IP, OpenPGP, RSA, SHA512 and HTTPS, there is nothing "unproven" in it to be afraid of.
In my few years in finance, i never came across anyone using SWIFT. It was all SFTP and the occasional HTTPS POST, with all the key distribution done manually.
But then, i didn't work in anything in the area of settlement or trade execution - it was in the general area of equities advice, so we moved research, trade ideas, restricted lists, prices, performance calculations, etc.
Given that SFTP and HTTPS are doing the job mostly adequately, i'm not sure why i'd adopt BankAPI (or rather, layer BankAPI on top of the HTTPS i already have). What value does it add?
BankAPI is actually using HTTPS, but doesn't depend on SSL alone, as the files/messages are also encrypted/signed using OpenPGP.
This means banks would not have to trust all the CAs who issue SSL-certificates, as the OpenPGP public keys are imported once for each bank you wish to communicate with, and won't change unless you explicitly update them.
The value it adds is the two layers of security (HTTPS+OpenPGP) and the "DeliveryReceipt" which makes it possible for both parties (the sending and the receiving bank) to prove they did send and did receive all files/messages sent over BankAPI.
I find that quite amazing. There are a few services around that talk to UK banks, and every single one screen-scrapes to get it done (yes, including MITMing your auth creds) because the banks here would never implement a public API.
I've heard of a proper API once - it was only available to corporate account holders with turnover of £3m+ and the bank had to QA your code.
And yet when I took them to task for validating user passwords with `/^[\d\w]{8,16}$/` they refused to see a problem.
> The decentralized design of BankAPI protocol ensures noone controls it, noone owns it, noone can shut it down, just like the Internet. The un-innovative design of BankAPI protocol ensures noone can critizise it, as there is nothing new invented, it's just a combination of existing well proven technologies.
I don't think I'm comfortable with the 1960s singer-songwriter Peter Noone having this much control of your system.
</snark>
This is a grammatical pet peeve of mine[1], principally because I used to use it exclusively and was horrified when a girl I liked at the time corrected me.
this type of encrypted messaging is super common between banks and third parties. it's usually done in a similar manner to what is implemented here but in SFTP and every bank has it quirks/a different system for ACKing transmissions. a standard would be nice :)
I'm don't understand the purpose - it's all about transmission, not data. Banks could sure do sure do with a standardised API, but is interbank message encryption a problem needing solved? I've haven't heard anything like that.
The author is very sure of it's production-readiness. If this transpires to be true, then I could easily see this spec as a good way to encrypt message-based data of all kinds. But where does this bank angle come from?