| Table of Contents | ||||
|---|---|---|---|---|
|
...
| Version | Date | Author | Comments | ||||
|---|---|---|---|---|---|---|---|
| DRAFT 1 | Open Banking Directory Team | Initial Release. This document supersedes the Open Banking Directory Specification v1.3. Technical details in the OB Directory Specification v1.3 have for the most part been moved to the Directory API Swagger Specification, and this document should be read in conjunction with this specification, which can be accessed via the GitHub link below:
| |||||
| Draft v1.1 | Open Banking Directory Team | General Links to the Directory API Swagger Specification within the document content have been replaced with the GitHub link above. Links to the Directory Sandbox Usage document within the document have been replaced with links to Open Banking Directory Usage - eIDAS release (Directory Sandbox). Added Appendix C - Certificate profiles with an embedded document that outlines the general procedure to generate Certificate Signing Requests (CSR) for Open Banking Public Key Infrastructure (PKI). This includes example DER encoded QC Statements for all combinations of PSD2 roles. Manage Certificates and Keys Replaced the P19 Support for eIDAS Certificates in the OBIE Ecosystem link with a reference to Appendix C documentation in the section eIDAS Certificate Properties. Replaced the Certificate Profiles link with a reference to Appendix C documentation in the section Open Banking ETSI Conformant Certificates. | |||||
| Draft v1.2 | Open Banking Directory Team | Update to Appendix A - SCIM resources Swagger specification, replacing the linked text with a GitHub link:
| |||||
| v1.3 | Open Banking Directory Team | Copy enhancements to the following sections: Introduction Primacy of FCA Register and registers maintained by other National Competent Authorities Use of eIDAS Certificates Open Banking Certificate Authority Open Banking Non-ETSI Certificate Properties Revocation of Account Servicing Payment Service Providers Certificates Updated the associations for QSeal and OB Seal in the table in the section Manage Certificates and Keys - Overview. Updated Appendix C - Certificate profiles with an updated version of OpenSSL eIDAS PSD2 Certificate Signing Request Profiles, now v2.1. | |||||
| v1.4 | Open Banking Directory Team | Updated Appendix C - Certificate profiles with an updated version of OpenSSL eIDAS PSD2 Certificate Signing Request Profiles, now v2.2. | |||||
| 1.5 | Open Banking Directory Team | Updated Appendix C - Certificate profiles with an updated version of OpenSSL eIDAS PSD2 Certificate Signing Request Profiles, now v2.3 |
Overview
Introduction
The Open Banking Directory is the key Architectural Component that enables Third Party Providers (TPPs)to enrol onto the Open Banking Directory and initiate interactions through APIs with Account Servicing Payment Service Providers (ASPSPs). At its core the Directory is an identity and access management service providing identity information supporting natural persons, organisations and software identity classes.
...
TPPs with valid eIDAS (QWAC) certificates will be able to dynamically register in Production with the Directory by using the Directory API. Please refer to the Directory API Swagger Specification for details regarding the API, which can be accessed via the GitHub link below:
Github link macro link https://github.com/OpenBankingUK/directory-api-specs
The process for enrolling on the Sandbox, and to Production via the non-dynamic route, is documented separately in Enrolling onto the Open Banking Directory - How To Guide.
...
| Logical Field Name | Description |
|---|---|
| Version | All certificates will be X.509 v3 certificates |
| Serial Number | The serial number for the certificate |
| Signature Algorithm | The signature algorithm used for signing the certificate. Certificates will be RSA certificates. |
| Issuer | A DN representing the issuer of the certificate (Open Banking). The structure of the DN is to be confirmed. |
Validity | The date range for which the certificate will be valid |
| Subject | A distinct name identifying the subject of the certificate. DN: C=GB O=OpenBanking OU=organisation_id CN=software_statement_id |
| Public Key | The public key corresponding to the private key with which the certificate was signed. |
Key Usage | An indication of whether the key will be used for transport (MATLS), encryption or signing. |
Domain names | List of domain names that are valid for the certificate |
CRL URL | A hyperlink referring to the CRL for the CA that issued the certificate. |
OCSP URL | A url referring to the OCSP service for the CA that issued the certificate |
...
Section 8.6 states that only PS256 or ES256 should be supported for signing. As the Open Banking certificates are RSA certificates, Open Banking will only support PS256 for signing SSAs and SSO ID Tokens. Participants could upload PS256 or ES256 keys as signing or encryption materials for software statements. ASPSPs advertise support for algorithms on their well known endpoints and TPPs will need to use algorithms supported by them.
References to standards
The design decisions for these capabilities have been based on the following standards:
...
Step by step instructions have been published in the updated Open Banking Directory Usage - eIDAS release (Directory Sandbox).
Using the Directory API
Alternatively, participants can issue certificates programmatically via the Directory API. Step by step instructions have been published in the updated Open Banking Directory Usage - eIDAS release (Directory Sandbox). Also, please refer to the Directory API Swagger Specification for details regarding the API, which can be accessed via the GitHub link below:
Github link macro link https://github.com/OpenBankingUK/directory-api-specs
Revoke Open Banking Certificates
...
Step by step instructions are provided in the Open Banking Directory Usage - eIDAS release (Directory Sandbox) document.
Retrieving a Signed Software Statement (Software Statement Assertion)
...
Step by step instructions are provided in the Open Banking Directory Usage - eIDAS release (Directory Sandbox) document.
Retrieving a software statement using SCIM APIS
...