
...

Version | Date | Author | Comments
DRAFT 1 Open Banking Directory Team

Initial Release.

This document supersedes the Open Banking Directory Specification v1.3. Technical details in the OB Directory Specification v1.3 have for the most part been moved to the Directory API Swagger Specification, and this document should be read in conjunction with this specification, which can be accessed via the GitHub link below:

https://github.com/OpenBankingUK/directory-api-specs

Draft v1.1 Open Banking Directory Team

General

Links to the Directory API Swagger Specification within the document content have been replaced with the GitHub link above.

Links to the Directory Sandbox Usage document within the document have been replaced with links to Open Banking Directory Usage - eIDAS release (Directory Sandbox).

Added Appendix C - Certificate profiles with an embedded document that outlines the general procedure to generate Certificate Signing Requests (CSR) for Open Banking Public Key Infrastructure (PKI). This includes example DER encoded QC Statements for all combinations of PSD2 roles.

Manage Certificates and Keys

Replaced the P19 Support for eIDAS Certificates in the OBIE Ecosystem link with a reference to Appendix C documentation in the section eIDAS Certificate Properties.

Replaced the Certificate Profiles link with a reference to Appendix C documentation in the section Open Banking ETSI Conformant Certificates.

Draft v1.2 Open Banking Directory Team

Update to Appendix A - SCIM resources Swagger specification, replacing the linked text with a GitHub link:

https://github.com/OpenBankingUK/directory-api-specs

v1.3 Open Banking Directory Team

Copy enhancements to the following sections:

Introduction

Primacy of FCA Register and registers maintained by other National Competent Authorities

Use of eIDAS Certificates

Open Banking Certificate Authority

Open Banking Non-ETSI Certificate Properties

Revocation of Account Servicing Payment Service Providers Certificates

Updated the associations for QSeal and OB Seal in the table in the section Manage Certificates and Keys - Overview.

Updated Appendix C - Certificate profiles with an updated version of OpenSSL eIDAS PSD2 Certificate Signing Request Profiles, now v2.1.

v1.4 Open Banking Directory Team

Updated Appendix C - Certificate profiles with an updated version of OpenSSL eIDAS PSD2 Certificate Signing Request Profiles, now v2.2.

1.5 Open Banking Directory Team

Updated Appendix C - Certificate profiles with an updated version of OpenSSL eIDAS PSD2 Certificate Signing Request Profiles, now v2.3.

1.6 Open Banking Directory Team

Updated links to version 2.3 of usage guidelines.

1.7 Open Banking Directory Team

Updated links to version 2.4 of usage guidelines.

Overview

...

TPPs with valid eIDAS (QWAC) certificates will be able to dynamically register in Production with the Directory by using the Directory API. Please refer to the Directory API Swagger Specification for details regarding the API, which can be accessed via the GitHub link below:

https://github.com/OpenBankingUK/directory-api-specs

The process for enrolling on the Sandbox, and to Production via the non-dynamic route, is documented separately in Enrolling onto the Open Banking Directory - How To Guide.

...

| Logical Field Name | Description |
|---|---|
| Version | All certificates will be X.509 v3 certificates. |
| Serial Number | The serial number for the certificate. |
| Signature Algorithm | The signature algorithm used for signing the certificate. Certificates will be RSA certificates. |
| Issuer | A DN representing the issuer of the certificate (Open Banking). The structure of the DN is to be confirmed. |
| Validity | The date range for which the certificate will be valid. |
| Subject | A distinct name identifying the subject of the certificate. DN: C=GB O=OpenBanking OU=organisation_id CN=software_statement_id |
| Public Key | The public key corresponding to the private key with which the certificate was signed. |
| Key Usage | An indication of whether the key will be used for transport (MATLS), encryption or signing. |
| Domain names | List of domain names that are valid for the certificate. |
| CRL URL | A hyperlink referring to the CRL for the CA that issued the certificate. |
| OCSP URL | A URL referring to the OCSP service for the CA that issued the certificate. |

...

Section 8.6 states that only PS256 or ES256 should be supported for signing. As the Open Banking certificates are RSA certificates, Open Banking will only support PS256 for signing SSAs and SSO ID Tokens. Participants could upload PS256 or ES256 keys as signing or encryption materials for software statements. ASPSPs advertise support for algorithms on their well-known endpoints, and TPPs will need to use algorithms supported by them.
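The algorithm rules above can be enforced as a gate that runs before any signature verification. The following is an added example, not code from the Open Banking specification or Directory; the function names are hypothetical and the sample tokens are constructed and unsigned. It checks only the declared algorithm; verifying the signature with a JOSE library pinned to that algorithm is a separate step.

```python
import base64
import json
from typing import Iterable, Optional

FAPI_SIGNING_ALGS = ("PS256", "ES256")  # the two algorithms the text says section 8.6 permits
DIRECTORY_SSA_ALG = "PS256"             # Directory keys are RSA, so SSAs are PS256 only


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWS segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jws_alg(token: str) -> Optional[str]:
    """Return the 'alg' header of a compact JWS, or None if it cannot be parsed."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    alg = header.get("alg") if isinstance(header, dict) else None
    return alg if isinstance(alg, str) else None


def ssa_alg_ok(token: str) -> bool:
    """Gate to run before signature verification: an SSA must declare PS256."""
    return jws_alg(token) == DIRECTORY_SSA_ALG


def choose_signing_alg(aspsp_advertised: Iterable[str],
                       tpp_key_algs: Iterable[str]) -> Optional[str]:
    """Pick the algorithm a TPP should sign with: permitted, advertised by the
    ASPSP, and backed by a key the TPP has uploaded. None means no overlap."""
    advertised, available = set(aspsp_advertised), set(tpp_key_algs)
    for alg in FAPI_SIGNING_ALGS:
        if alg in advertised and alg in available:
            return alg
    return None


def constructed_token(header: dict) -> str:
    """Build a constructed, unsigned sample token (placeholder payload and signature)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc({'software_id': 'constructed-example'})}.c2ln"


if __name__ == "__main__":
    for alg in ("PS256", "RS256", "none"):
        print(alg, ssa_alg_ok(constructed_token({"alg": alg})))
    print(choose_signing_alg(["RS256", "ES256"], ["PS256", "ES256"]))
```
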

References to standards

The design decisions for these capabilities have been based on the following standards:

...

Step by step instructions have been published in the updated Open Banking Directory Usage - eIDAS release (Directory Sandbox).

Using the Directory API

Alternatively, participants can issue certificates programmatically via the Directory API. Step by step instructions have been published in the updated Open Banking Directory Usage - eIDAS release (Directory Sandbox). Also, please refer to the Directory API Swagger Specification for details regarding the API, which can be accessed via the GitHub link below:

https://github.com/OpenBankingUK/directory-api-specs

Revoke Open Banking Certificates

...

Step by step instructions are provided in the Open Banking Directory Usage - eIDAS release (Directory Sandbox) document.

Retrieving a Signed Software Statement (Software Statement Assertion)

...

Step by step instructions are provided in the Open Banking Directory Usage - eIDAS release (Directory Sandbox) document.

Retrieving a software statement using SCIM APIs

...