Table of Contents

...

Where can I find the Open Banking root and issuing certificates?

They can be downloaded from this Confluence page in the Collaboration space: /wiki/spaces/OBT/pages/1144294132


What is the Organization for the Directory transport certificates?

The Organization (O) values for the chain are:

  • root certificate: OpenBanking
  • issuing certificate: OpenBanking
  • transport certificate (leaf): OpenBanking


What is the organizational unit (OU) for the Directory transport certificates?

The OUs for the chain are:

  • root certificate: does not have an OU.
  • issuing certificate: does not have an OU.
  • transport certificate (leaf): Open Banking Directory.


What are the Common Names (CN) for the OBIE domains used in the TLS MA handshake?

For MATLS to OBIE Directory services, the Directory presents a legacy OBIE transport certificate.

The common names for the chain are:

  • root certificate: OpenBanking Root CA
  • issuing certificate: OpenBanking Issuing CA
  • transport certificate (leaf): matls


What is the Common Name (CN) for the OBIE legacy signing certificate?

The common name is "signing".

CSR validation

What CSR (certificate signing request) validation is undertaken?

This depends on the certificate type. For OB legacy transport and signing certificates we check that:

  • The incoming CSR contains an RSA public key of 2048 bits.
  • The Distinguished Name contains the org ID in the OU and the software statement ID in the CN.
  • If the CSR contains a Subject Alternative Name (SAN), that the requesting organisation is an ASPSP.

For OBWAC/OBSEAL we check that:

  • The incoming CSR contains an RSA public key of 2048 bits.
  • The Distinguished Name contains the ETSI organizationIdentifier in its own attribute, and the OB org ID in the CN.
  • The certificate type asserted in the QC Statement (WAC/SEAL) is consistent with the requested type.
  • The QC Statement does not claim any PSD2 roles that the organisation does not hold.

Both categories also receive simple structural checks, e.g. that all expected name components are present, not duplicated, and in the right order.
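The checks listed above, applied to CSRs built in-process, as an added example using pyca/cryptography (this is not OBIE's own validation code). The identifiers in the sample subjects are constructed placeholders, not real OBIE org IDs or software statement IDs; the QC Statement checks for OBWAC/OBSEAL are not implemented, and because the page does not state the expected attribute order only presence and uniqueness of each name component are tested.

```python
# Added example (not OBIE's code): the CSR checks described above, applied to
# CSRs constructed in-process with pyca/cryptography. QC Statement checks are
# omitted; attribute order is not checked because the expected order is not
# given on the page.
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# ETSI EN 319 412-1 organizationIdentifier attribute (2.5.4.97); referenced by
# dotted OID so this works on cryptography releases whose NameOID lacks it.
ORGANIZATION_IDENTIFIER = x509.ObjectIdentifier("2.5.4.97")

LEGACY_TYPES = ("transport", "signing")
ETSI_TYPES = ("OBWAC", "OBSEAL")


def _single_value(name, oid):
    """Value of the attribute if it appears exactly once in the name, else None."""
    attrs = name.get_attributes_for_oid(oid)
    return attrs[0].value if len(attrs) == 1 else None


def validate_csr(csr, cert_type, requester_is_aspsp):
    """Return the list of failed checks; an empty list means the CSR is acceptable."""
    problems = []
    if not csr.is_signature_valid:
        problems.append("proof-of-possession signature on CSR is invalid")

    key = csr.public_key()
    if not isinstance(key, rsa.RSAPublicKey) or key.key_size != 2048:
        problems.append("public key is not RSA 2048-bit")

    subject = csr.subject
    if cert_type in LEGACY_TYPES:
        if _single_value(subject, NameOID.ORGANIZATIONAL_UNIT_NAME) is None:
            problems.append("OU (org ID) missing or duplicated")
        if _single_value(subject, NameOID.COMMON_NAME) is None:
            problems.append("CN (software statement ID) missing or duplicated")
        try:
            csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        except x509.ExtensionNotFound:
            pass  # no SAN requested, nothing further to check
        else:
            if not requester_is_aspsp:
                problems.append("SAN requested but requester is not an ASPSP")
    elif cert_type in ETSI_TYPES:
        if _single_value(subject, ORGANIZATION_IDENTIFIER) is None:
            problems.append("organizationIdentifier (2.5.4.97) missing or duplicated")
        if _single_value(subject, NameOID.COMMON_NAME) is None:
            problems.append("CN (OB org ID) missing or duplicated")
    else:
        problems.append(f"unknown certificate type {cert_type!r}")
    return problems


def make_csr(key_size, subject_attrs, san_dns=()):
    """Build a constructed CSR; subject_attrs is a list of (oid, value) pairs."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    builder = x509.CertificateSigningRequestBuilder().subject_name(
        x509.Name([x509.NameAttribute(oid, value) for oid, value in subject_attrs]))
    if san_dns:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(d) for d in san_dns]), critical=False)
    return builder.sign(key, hashes.SHA256())


# Constructed placeholder identifiers, not real OBIE values.
LEGACY_GOOD = [(NameOID.COUNTRY_NAME, "GB"), (NameOID.ORGANIZATION_NAME, "Example TPP Ltd"),
               (NameOID.ORGANIZATIONAL_UNIT_NAME, "EXAMPLE-ORG-ID"),
               (NameOID.COMMON_NAME, "EXAMPLE-SOFTWARE-STATEMENT-ID")]
OBWAC_GOOD = [(NameOID.COUNTRY_NAME, "GB"), (NameOID.ORGANIZATION_NAME, "Example TPP Ltd"),
              (ORGANIZATION_IDENTIFIER, "PSDGB-FCA-EXAMPLE"),
              (NameOID.COMMON_NAME, "EXAMPLE-ORG-ID")]


def demo():
    """Run the validator over a passing CSR and three that each break one rule."""
    return {
        "legacy_ok": validate_csr(make_csr(2048, LEGACY_GOOD), "transport", False),
        "legacy_san_non_aspsp": validate_csr(
            make_csr(2048, LEGACY_GOOD, san_dns=["api.example.test"]), "transport", False),
        "legacy_weak_key": validate_csr(make_csr(1024, LEGACY_GOOD), "signing", False),
        "obwac_missing_orgid": validate_csr(
            make_csr(2048, [a for a in OBWAC_GOOD if a[0] != ORGANIZATION_IDENTIFIER]),
            "OBWAC", False),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "OK")
```

The validator reports every failed rule rather than stopping at the first, which is what a TPP fixing a rejected CSR needs; the SAN rule is the one most often missed, since it depends on who is asking (the requester's role) and not on the CSR alone.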

QTSP certificates and services

...

DigiCert have posted a very helpful blog that describes the problem: Working with Delegated OCSP Responders and EKU Chaining

POST-BREXIT Certificate Outcomes FAQs

Info

On 29th July 2020, the European Banking Authority (EBA) published a statement advising that PSD2 eIDAS certificates issued in the EU to UK Third Party Providers would be revoked on 31st December 2020. In response, the FCA made changes to Article 34 of the draft UK RTS to enable TPPs to use an additional digital certificate for the purposes of identification. As a result of these changes, OBIE made the necessary amendments to its Certificate Policy Documentation, recognising that OBIE certificates may need to be used by ASPSPs not participating in the Open Banking Ecosystem. Our revised Certificate Policy Documentation was published on 22 December 2020.

OBIE has prepared the following Q&As to provide further clarity on the use of OBIE Certificates following this legislative change. Please note that these Q&As have been prepared for information purposes only and do not constitute legal advice. TPPs and ASPSPs are solely responsible for ensuring that their use of certificates meets regulatory requirements.


From 1 January 2021, what type of certificates can be used by UK TPPs (including EEA TPPs operating under TPR or SRO) for the purposes of identification to ASPSPs?

UK TPPs may use the following certificate types when interacting with UK ASPSPs:

  1. eIDAS certificates, if they have not been revoked
  2. OBWAC
  3. OBSEAL
  4. OB transport (legacy)
  5. OB signing (legacy)


From 1 January 2021, are there any anticipated changes in relation to certificate use for UK and EEA ASPSPs and TPPs currently providing payment services in Gibraltar?

We are not aware that the use of OBIE certificates (or alternative certificates) is permitted by the GFSC. We anticipate that entities performing payment services in Gibraltar will continue to use eIDAS certificates.


From 1 January 2021, are there any anticipated changes in relation to certificate use for UK ASPSPs and TPPs currently providing payment services in the EEA?

Provided entities have obtained the relevant permissions to provide payment services in the EEA, they can continue to use eIDAS certificates as per the SCA-RTS.


Are the certificates issued by OBIE designed to support the UK -RTS digital certificate requirements to enable TPPs to identify themselves to ASPSPs?

Yes. 

Under Article 34 of the UK RTS, in addition to eIDAS certificates, UK ASPSPs should accept "at least one other form of identification issued by an independent third party that is not unduly burdensome for payment service providers to obtain". We refer to this as an "Alternative Certificate".

OBIE is an independent third party certificate issuer and its certificates are designed to meet the requirements for digital certificates (pursuant to UK-RTS Article 34(8)) in order to enable TPPs to identify themselves to ASPSPs.

It is up to each ASPSP to satisfy themselves that OBIE certificates meet the required attributes of the UK-RTS when choosing to accept them for TPP identification.


Are certificates issued by OBIE subject to any terms of use?  

Yes. 

OBIE as a Certificate Authority issues OBIE Certificates in accordance with the OBIE Certificate Policy and associated documentation, which can be found at http://ob.trustis.com/production/policies/.

ASPSPs and TPPs using OBIE Certificates must ensure that they familiarise themselves with all the relevant documentation and understand relevant criteria that underpins their use.


I am a UK TPP or an EEA TPP (operating under TPR or SRO). How can I obtain an OBIE certificate?

If you have enrolled with the OBIE Directory you can generate one via the self-service user interface (Directory Frontend Interface, DFI) or programmatically via DIR-API.


I am an ASPSP operating in the UK. How can I check the validity of an OBIE certificate when identifying a TPP?

Any OBIE-issued certificate can be validated at any time by one of four methods:

a) the CRL endpoint in the certificate
b) the OCSP endpoint in the certificate
c) the JWKS active trust store
d) the Certificate Validation Service (available only to ASPSPs enrolled with OBIE)
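The CRL path (method (a) above) carried out end to end, as an added example using pyca/cryptography; this is not OBIE's code and the CA, leaf certificate and CRL are all generated in-process, so the issuer name and subject identifiers are constructed placeholders rather than the real OBIE chain. The point it makes is that the serial lookup in the CRL is only meaningful after the leaf has been tied to the issuing CA and the CRL itself has been checked for issuer, signature and freshness. The OCSP path follows the same shape but needs a live responder, so it is not shown; the leaf's own validity period is also not checked here.

```python
# Added example (not OBIE's code): CRL-based validation of a TPP certificate,
# with the CA, leaf and CRL constructed in-process using pyca/cryptography.
# Names and identifiers are placeholders; the real OBIE chain is not reproduced.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

_OIDS = {"O": NameOID.ORGANIZATION_NAME, "OU": NameOID.ORGANIZATIONAL_UNIT_NAME,
         "CN": NameOID.COMMON_NAME}


def _name(**parts):
    return x509.Name([x509.NameAttribute(_OIDS[k], v) for k, v in parts.items()])


def _issue(subject, issuer, public_key, signer_key, now, is_ca):
    """Issue a certificate signed by signer_key; BasicConstraints marks CA vs leaf."""
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5))
            .not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))


def _next_update(crl):
    # next_update_utc exists on newer releases; older ones expose a naive datetime.
    nu = getattr(crl, "next_update_utc", None)
    return nu if nu is not None else crl.next_update.replace(tzinfo=timezone.utc)


def check_with_crl(leaf, issuer, crl, now):
    """Return 'good', 'revoked', or the reason the CRL check cannot be trusted."""
    # 1. The leaf must chain to the CA whose CRL we are consulting.
    if leaf.issuer != issuer.subject:
        return "leaf issuer does not match issuing CA"
    try:
        issuer.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                   padding.PKCS1v15(), leaf.signature_hash_algorithm)
    except InvalidSignature:
        return "leaf signature invalid"
    # 2. The CRL must come from that CA, be signed by it, and still be current.
    if crl.issuer != issuer.subject:
        return "CRL issuer mismatch"
    if not crl.is_signature_valid(issuer.public_key()):
        return "CRL signature invalid"
    if _next_update(crl) < now:
        return "CRL is stale"
    # 3. Only now does the serial-number lookup say anything about the leaf.
    if crl.get_revoked_certificate_by_serial_number(leaf.serial_number) is not None:
        return "revoked"
    return "good"


def build_and_check(revoke_leaf, check_days_later=0):
    """Construct CA, leaf and CRL, then run the check `check_days_later` days on."""
    now = datetime.now(timezone.utc)
    ca_key = rsa.generate_private_key(65537, 2048)
    ca_name = _name(O="OpenBanking", CN="Example Issuing CA")  # placeholder, not the real CA
    ca = _issue(ca_name, ca_name, ca_key.public_key(), ca_key, now, True)

    leaf_key = rsa.generate_private_key(65537, 2048)
    leaf = _issue(_name(O="Example TPP Ltd", OU="EXAMPLE-ORG-ID",
                        CN="EXAMPLE-SOFTWARE-STATEMENT-ID"),
                  ca_name, leaf_key.public_key(), ca_key, now, False)

    crl_builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_name)
                   .last_update(now).next_update(now + timedelta(days=1)))
    if revoke_leaf:
        crl_builder = crl_builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(leaf.serial_number)
            .revocation_date(now).build())
    crl = crl_builder.sign(ca_key, hashes.SHA256())

    return check_with_crl(leaf, ca, crl, now + timedelta(days=check_days_later))


if __name__ == "__main__":
    print("unrevoked leaf:", build_and_check(False))
    print("revoked leaf:  ", build_and_check(True))
    print("stale CRL:     ", build_and_check(False, check_days_later=2))
```

A CRL past its nextUpdate is treated as unusable rather than as "not revoked": an ASPSP that keeps trusting a cached CRL after that point would keep accepting a certificate OBIE has since revoked, which is exactly the case the regular register checks described later are meant to catch.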


What can ASPSPs use OBIE certificates for?

In addition to eIDAS certificates, ASPSPs can, if they choose to, use an OBIE certificate as an Alternative Certificate for the purpose of confirming the identity of a TPP (i.e. to confirm that the entity presenting them with the OBIE certificate is the TPP to which OBIE has issued the certificate).


What are the obligations on ASPSPs when they accept an Alternative Certificate for TPP identification purposes under UK RTS Art 34?

ASPSPs accepting an Alternative Certificate must also:

  1. verify that any certificate-holding TPP is authorised or registered to perform the applicable payment services (in a way that does not present an obstacle to the provision of those services);
  2. satisfy themselves that the issuer of the Alternative Certificate is suitable and has sufficient systems and controls to verify the information contained in the Alternative Certificate; and
  3. make public the forms of TPP identification they accept.


Are OBIE certificates revoked when a TPP loses their relevant regulatory authorisation?

OBIE performs regular checks of competent authority registers to ensure that TPPs participating in the Open Banking Ecosystem have the necessary regulatory permissions to do so. OBIE will revoke an OBIE certificate when a TPP has had their regulatory permissions revoked by their competent authority and this has been reflected in the competent authority register.


Can ASPSPs rely on OBIE certificates to provide confirmation of the regulatory permissions of a TPP for their relevant payment service (s)?

OBIE does not recommend this approach as a way for ASPSPs to verify that the TPP has the necessary authorisation to perform the relevant payment service(s), as OBIE Certificates are designed to support TPP identification only.

Ultimately it is a decision for each ASPSP to determine the most appropriate way to perform the relevant regulatory checks in line with their obligations under the UK-RTS.

OBIE recommends that ASPSPs confirm the regulatory status of a TPP through additional means – e.g. by consulting the register of the relevant national competent authority, through the Open Banking Directory or via another suitable alternative directory. 


Does OBIE provide any services that enable ASPSPs to verify the regulatory status of a TPP? 

Yes, OBIE provides three distinct services:

  1. The OBIE Directory TPP SCIM endpoint - This API can be used by ASPSPs to check the authorisations of any UK TPP (including TPR and SRO) as well as certain EU TPPs (including passporting rights from one EU member state into any other EU member state), provided these TPPs are also enrolled on the OBIE Directory. The use of this API is subject to the OBIE Directory SLA, which is agreed between OBIE and ASPSPs enrolled onto the OBIE Directory.
  2. the Certificate Validation Service - This service allows the ASPSP to submit the TPP’s certificate and returns confirmation of the validity of the certificate and the TPP’s authorisations regardless of whether that TPP is enrolled on the OBIE Directory or not. 
  3. NCA API - This API can be queried to get authorisation data for any TPP in the UK or EEA regardless of whether that TPP is enrolled on the OBIE Directory or not.