OBIE approach and clarifications regarding adjustment period

...

If you have any further specific questions regarding implementation of the OBIE Standard or use of the OBIE Directory post 14 March 2020, please contact us direct via the OB Service Desk.

eIDAS (ETSI) certificates

...

Yes, you still need a client to onboard.


In which authorisation domains can eIDAS certificates be used?

PSD2 only. They cannot be used in the Pay.UK or Crown Dependency domains.

OB ETSI like certificates

...

Where can I find the Open Banking root and issuing certificates?

They can be downloaded from this Confluence page in the Collaboration space: /wiki/spaces/OBT/pages/1144294132


What is the Organization for the Directory transport certificates?

The Organization values for the chain are:-

  • root certificate: OpenBanking
  • issuing certificate: OpenBanking
  • transport certificate (leaf): OpenBanking


What is the organization unit (OU) for the Directory transport certificates?

The OUs for the chain are:-

  • root certificate: does not have an OU.
  • issuing certificate: does not have an OU.
  • transport certificate (leaf): Open Banking Directory.


What are the Common Names (CN) for the OBIE domains to perform the TLS MA handshake?

For MATLS for OBIE Directory services, the Directory presents a legacy OBIE transport certificate. 

The common names for the chain are:-

  • root certificate: OpenBanking Root CA
  • issuing certificate: OpenBanking Issuing CA
  • transport certificate (leaf): matls  


What is the Common Name (CN) for the OBIE legacy signing certificate?

The common name = signing.


In which authorisation domains can OBIE legacy certificates be used?

Pay.UK (COP) and Crown Dependencies only. They cannot be used in the PSD2 domain.

CSR validation

What CSR (certificate signing request) validation is undertaken?

This depends on the certificate type. For OB legacy transport and signing certs we check that:-

  • The incoming CSR contains an RSA public key of 2048 bits.
  • The Distinguished name contains the org id in OU and software statement id in CN.
  • If the CSR contains a Subject Alternate Name, that the requesting org is an ASPSP.

For OBWAC/OBSEAL we check that:-

  • The incoming CSR contains an RSA public key of 2048 bits.
  • The Distinguished name contains the ETSI organizationIdentifier in its own field, and OB org ID is in the CN.
  • The QC Statement indicates that the type of cert (WAC/SEAL) is consistent with the requested type.
  • The QC Statement does not claim any PSD2 roles that the organisation does not have.

Both categories also undergo simple checks, e.g. that all expected name components are present, not duplicated, in the right order, etc.
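A pre-submission self-check that mirrors the legacy transport/signing checks listed above, as an added example (not OBIE's validation code). The function names, the `isASPSP` flag and the sample identifiers are assumptions made for illustration; the sample CSR is constructed at run time.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// CheckLegacyCSR applies the legacy-certificate checks from the list above to a
// DER-encoded CSR. orgID, softwareID and isASPSP describe the requester (hypothetical inputs).
func CheckLegacyCSR(der []byte, orgID, softwareID string, isASPSP bool) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return fmt.Errorf("unparseable CSR: %w", err)
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok || pub.N.BitLen() != 2048 {
		return errors.New("public key must be RSA 2048 bits")
	}
	// Exactly one OU, equal to the org id (also rejects a duplicated OU).
	if ou := csr.Subject.OrganizationalUnit; len(ou) != 1 || ou[0] != orgID {
		return errors.New("OU must be exactly the org id")
	}
	if csr.Subject.CommonName != softwareID {
		return errors.New("CN must be the software statement id")
	}
	hasSAN := len(csr.DNSNames)+len(csr.IPAddresses)+len(csr.URIs)+len(csr.EmailAddresses) > 0
	if hasSAN && !isASPSP {
		return errors.New("SAN present but requester is not an ASPSP")
	}
	return nil
}

// NewSampleCSR builds a constructed CSR for the demonstration; every value is made up.
func NewSampleCSR(bits int, orgID, softwareID string, dns []string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{DNSNames: dns, Subject: pkix.Name{
		Organization: []string{"OpenBanking"}, OrganizationalUnit: []string{orgID}, CommonName: softwareID}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

func main() {
	der, _ := NewSampleCSR(2048, "ORG-ID-EXAMPLE", "SSID-EXAMPLE", nil)
	fmt.Println("result:", CheckLegacyCSR(der, "ORG-ID-EXAMPLE", "SSID-EXAMPLE", false))
}
```

The OBWAC/OBSEAL checks (organizationIdentifier and QC Statement contents) are not covered here because they require parsing the ETSI extensions.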

QTSP certificates and services

...

Please have your Primary Business Contact (PBC) contact Open Banking via the Service Desk at ServiceDesk@openbanking.org.uk if you need to change records.

...

On 29th July 2020, the European Banking Authority (EBA) published a statement advising that PSD2 eIDAS certificates issued in the EU to UK Third Party Providers would be revoked on 31st December 2020. In response to this, the FCA made changes to Article 34 of the draft UK RTS to enable TPPs to use an additional digital certificate for the purposes of identification. As a result of these changes, OBIE made necessary amendments to its Certificate Policy Documentation, recognising that OBIE certificates may need to be used by ASPSPs not participating in the Open Banking Ecosystem. Our revised Certificate Policy Documentation was published on 22 December 2020.

OBIE has prepared the following Q&As to provide further clarity on the use of OBIE Certificates following this legislative change. Please note that these Q&As have been prepared for information purposes only and do not constitute legal advice. TPPs and ASPSPs are solely responsible for ensuring that their use of certificates meets regulatory requirements.

...

OBIE is an independent third party certificate issuer and its certificates are designed to meet the requirements for digital certificates (pursuant to UK-RTS, Article 34 (8)) in order to enable TPPs to identify themselves to ASPSPs. 

...

OBIE as a Certificate Authority issues OBIE Certificates in accordance with the OBIE Certificate Policy and associated documentation, which can be found at http://ob.trustis.com/production/policies/.

ASPSPs and TPPs using OBIE Certificates must ensure that they familiarise themselves with all the relevant documentation and understand the relevant criteria that underpin their use.

...

b) OCSP endpoint on the certificate 

c) JWKS active trust store

d) the Certificate Validation Service (available only to ASPSPs enrolled with OBIE)

...

OBIE does not recommend this approach as a way for ASPSPs to verify that the TPP has the necessary authorisation to perform the relevant payment service(s), as OBIE Certificates are statically designed to support TPP identification only.

Ultimately it is a decision for each ASPSP to determine the most appropriate way to perform the relevant regulatory checks in line with their obligations under the UK-RTS.

OBIE recommends that ASPSPs confirm the regulatory status of a TPP through additional means – e.g. by consulting the register of the relevant national competent authority, through the Open Banking Directory or via another suitable alternative directory. 

...