OBIE approach and clarifications regarding adjustment period

...

Yes, you still need a client to onboard.


In which authorisation domains can eIDAS certificates be used?

PSD2 only. They cannot be used in the Pay.UK or Crown Dependency domains.

OB ETSI like certificates

...

Where can I find the Open Banking root and issuing certificates?

They can be downloaded from this Confluence page in the Collaboration space: /wiki/spaces/OBT/pages/1144294132


What is the Organization for the Directory transport certificates?

The Organization values for the chain are:-

  • root certificate: OpenBanking
  • issuing certificate: OpenBanking
  • transport certificate (leaf): OpenBanking


What is the organizational unit (OU) for the Directory transport certificates?

The OUs for the chain are:-

  • root certificate: does not have an OU.
  • issuing certificate: does not have an OU.
  • transport certificate (leaf): Open Banking Directory.


What are the Common Names (CN) for the OBIE domains to perform the TLS MA handshake?

For MATLS for OBIE Directory services, the Directory presents a legacy OBIE transport certificate.

The common names for the chain are:-

  • root certificate: OpenBanking Root CA
  • issuing certificate: OpenBanking Issuing CA
  • transport certificate (leaf): matls


What is the Common Name (CN) for the OBIE legacy signing certificate?

The common name = signing.


In which authorisation domains can OBIE legacy certificates be used?

Pay.UK (COP) and Crown Dependencies only. They cannot be used in the PSD2 domain.

CSR validation

What CSR (certificate signing request) validation is undertaken?

This depends on the certificate type. For OB legacy transport and signing certs we check that:-

  • The incoming CSR contains an RSA public key of 2048 bits.
  • The Distinguished name contains the org id in OU and software statement id in CN.
  • If the CSR contains a Subject Alternative Name, that the requesting org is an ASPSP.

For OBWAC/OBSEAL we check that:-

  • The incoming CSR contains an RSA public key of 2048 bits.
  • The Distinguished name contains the ETSI organizationIdentifier in its own field, and OB org ID is in the CN.
  • The QC Statement indicates that the type of cert (WAC/SEAL) is consistent with the requested type.
  • The QC Statement does not claim any PSD2 roles that the organisation does not have.

Both categories will also do simple checks, e.g., that all expected name components are present, not duplicated, in the right order, etc.
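The OB legacy transport/signing checks listed above can be expressed as a small validator, shown here as an added example that is not OBIE's own code. It works on fields already extracted from the CSR by an X.509 library; `ParsedCsr`, `validate_legacy_csr`, the C, O, OU, CN component order and the sample identifiers are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed subject layout: the page says component order is checked but does not
# state the order, so C, O, OU, CN here is an assumption.
EXPECTED_ORDER = ["C", "O", "OU", "CN"]

@dataclass
class ParsedCsr:
    """Hypothetical holder for fields an X.509 library extracts from a CSR."""
    key_algorithm: str            # e.g. "RSA" or "EC"
    key_bits: int
    subject: list                 # [(attribute, value), ...] in encoded order
    san: list = field(default_factory=list)  # Subject Alternative Name entries

def validate_legacy_csr(csr, org_id, software_statement_id, requester_is_aspsp):
    """Apply the OB legacy transport/signing checks; return rejection reasons."""
    errors = []
    if csr.key_algorithm != "RSA" or csr.key_bits != 2048:
        errors.append("public key must be RSA 2048 bits")

    attrs = [name for name, _ in csr.subject]
    for name in EXPECTED_ORDER:
        if attrs.count(name) == 0:
            errors.append(f"missing {name}")
        elif attrs.count(name) > 1:
            errors.append(f"duplicated {name}")
    extra = sorted(set(attrs) - set(EXPECTED_ORDER))
    if extra:
        errors.append(f"unexpected components {extra}")
    if sorted(attrs) == sorted(EXPECTED_ORDER) and attrs != EXPECTED_ORDER:
        errors.append("name components out of order")

    # Compare values only when each attribute is unambiguous (exactly one).
    values = {n: v for n, v in csr.subject if attrs.count(n) == 1}
    if "OU" in values and values["OU"] != org_id:
        errors.append("OU does not match the org id")
    if "CN" in values and values["CN"] != software_statement_id:
        errors.append("CN does not match the software statement id")

    if csr.san and not requester_is_aspsp:
        errors.append("Subject Alternative Name present but requester is not an ASPSP")
    return errors

# Constructed sample values, not real Directory identifiers.
ORG_ID, SSID = "0015800000EXAMPLE", "ExampleSoftwareStatement01"
GOOD = ParsedCsr("RSA", 2048, [("C", "GB"), ("O", "OpenBanking"), ("OU", ORG_ID), ("CN", SSID)])
BAD = ParsedCsr("RSA", 1024, [("C", "GB"), ("O", "OpenBanking"), ("CN", ORG_ID), ("OU", SSID)],
                san=["api.example.test"])
```

Returning every rejection reason at once, rather than stopping at the first, lets a requester correct the CSR in a single resubmission.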

QTSP certificates and services

...

OBIE, as a Certificate Authority, issues OBIE Certificates in accordance with the OBIE Certificate Policy and associated documentation, which can be found at http://ob.trustis.com/production/policies/.

ASPSPs and TPPs using OBIE Certificates must ensure that they familiarise themselves with all the relevant documentation and understand the relevant criteria that underpin their use.

...