PSD2/EIDAS DEMONSTRATIONS Chris Kong, Azadian Kornél Réti, Microsec Luigi Rizzo, InfoCert © All rights reserved
Page 1: PSD2/EIDAS DEMONSTRATIONS · 2018-03-20 · eIDAS meets PSD2 1. Generate a key pair e.g. in the PSP secure systems 2. Visit the QTSP website, fill out certificate request form, include


Page 2

eIDAS meets PSD2

Overview for this Presentation

The five stages (deck navigation): Authorisation & Passporting; eIDAS Certificates Issuing; TPP & ASPSP XS2A Setup; Interfaces & SCA/CSC; Revocations & Access

As previously reported and reviewed at the ERPB, with the ECB and the EC, there are five general stages of activity for actors within the new PSD2 services.

Today we will look at these five stages, explain the principles and rationale behind them, and demonstrate those activities in practice.

Page 3

1. AUTHORISATION & PASSPORTING

Page 4

Authorization & Passporting

Authorisation & Passporting is the process by which any PSP obtains financial authorisation from its home National Competent Authority (NCA) regulator.

A successful application by a PSP results in an entry on the Public Register of that NCA.

NOTE: For the purposes of today's demonstration we have created a demonstration NCA, with "Example TPP" and "Example Bank" as the entities used throughout.

Page 5

DEMO

Page 6

Authorization & Passporting

SUMMARY

• It is expected that all NCAs will make available their Public Registers with PSD2 Upgrades in 2018.

• There is a market dependency on the availability and accuracy of the NCA Public Registers, as will be shown through this demonstration.

Page 7

2. EIDAS CERTIFICATE ISSUING

Page 8

eIDAS Certificate Issuing

• Any PSP can acquire eIDAS certificates, including:
  • Qualified certificate for website authentication (QWAC)
  • Qualified certificate for electronic seal (QSealC)
• This phase assumes that the PSP is already registered and authorised by the NCA
• NOTE: for the purposes of this demo we are using "Example TPP" as the certificate subject


Page 9

Example Certificate Request Process

1. Generate a key pair, e.g. in the PSP's secure systems
2. Visit the QTSP website, fill out the certificate request form, and include the public key to be certified
3. The QTSP will prepare the papers and contact the PSP
4. Validation of all data to be included in the certificate
5. The QTSP issues the certificate to the PSP
6. Install the certificate into the PSP's secure systems

Page 10

[Screenshot]

Page 11

DEMO

Page 12

Verification performed by the QTSP

• Identity validation, using one of:
  • qualified signature of an authorised representative of the PSP,
  • face-to-face identification of the representative using photo ID,
  • another method providing equivalent assurance
• Validation of possession of the private key
• Validation of company data against the company register
• Validation of the authorisation of the representative
• PSD2 attribute validation against the NCA register

Page 13

NCA Public Register - TPP


Page 14

Example Certificate Request Process (as on page 9)

Page 15

DEMO

Page 16

[Screenshot]

Page 17

eIDAS Certificate Issuing

SUMMARY

• The QTSP identifies the PSP and relies on the NCA register to validate the PSD2-specific attributes
• The QTSP takes responsibility that all information in the certificate is correct at the time of issuance
• The QTSP issues qualified certificates according to ETSI TS 119 495, which specifies a standard format for, and the management of, PSD2-specific data

Page 18

3. IDENTIFICATION & SETUP

Page 19

TPP to ASPSP - Identification & Setup

The TPP & ASPSP setup is an identification process within API access enablement. Although not mandated in the RTS on SCA and CSC, it is generally API industry best practice.

• As the TPP holds a QSealC, it can now digitally identify itself to ASPSPs online for PSD2 API access.
• Successful identification and setup between the TPP and the ASPSP results in the TPP being granted API access by that ASPSP.
• eIDAS and ETSI TS 119 495 enable a common framework and pan-European interoperability between all TPPs and ASPSPs for this process.

Page 20

TPP to ASPSP identification and setup flow:

1. Discovery
2. Sign-Up
3. Access Request
4. eIDAS Check
5. PSD2 Check
6. API Access

Page 21

DEMO

Page 22

SUMMARY

• QSealC certificates provide a common, eIDAS-secured method for a previously unknown TPP to identify itself to the ASPSP.
• PKI can be used to verify that the TPP is who it claims to be in the QSealC.
• QSealC certificates do not contain all the information an ASPSP needs, and what they contain may no longer be up to date, so ASPSPs need to check the NCA Public Registers (or equivalent).
• Successful application of this identification process gives TPPs a quick and universal way of securely obtaining access to ASPSP APIs.
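The "eIDAS check" and "PSD2 check" steps of the setup flow, and the ETSI TS 119 495 format named in the certificate-issuing summary, worked through as an added example (this code is not from the original deck, nor from Microsec, InfoCert or Azadian software): a minimal DER encoder/decoder for the PSD2 QcStatement (statement OID 0.4.0.19495.2 and role OIDs under 0.4.0.19495.1, as defined in ETSI TS 119 495), followed by the ASPSP-side decision that checks the requested role against both the certificate and an NCA register lookup. The register entry, the NCA identifier "XX-NCA" and the organisation identifier "PSDXX-NCA-12345" are constructed for the example; a production ASPSP would pull the statement out of the certificate's qcStatements extension with a full X.509 library and query the real NCA register (or an aggregation service).

```python
"""Added example (not from the deck): DER round-trip of the ETSI TS 119 495 PSD2
QcStatement with the standard library only, then the ASPSP-side access decision
that cross-checks the certificate's claims against an NCA register lookup."""
from collections import namedtuple

# OIDs defined by ETSI TS 119 495: the PSD2 QcStatement itself and the PSP role arc
OID_PSD2_QCSTATEMENT = "0.4.0.19495.2"
ROLE_OIDS = {"0.4.0.19495.1.1": "PSP_AS", "0.4.0.19495.1.2": "PSP_PI",
             "0.4.0.19495.1.3": "PSP_AI", "0.4.0.19495.1.4": "PSP_IC"}

# ---- minimal DER encoder: SEQUENCE, OBJECT IDENTIFIER and UTF8String only ----
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:                                       # long form: 0x8N followed by N length bytes
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                        # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += reversed(chunk)
    return _tlv(0x06, bytes(out))

def der_utf8(s): return _tlv(0x0C, s.encode("utf-8"))
def der_seq(*items): return _tlv(0x30, b"".join(items))

def encode_psd2_statement(roles, nca_name, nca_id):
    """QCStatement { statementId, PSD2QcType { rolesOfPSP, nCAName, nCAId } }; roles = [(OID, name)]"""
    roles_of_psp = der_seq(*[der_seq(der_oid(o), der_utf8(n)) for o, n in roles])
    psd2_qc_type = der_seq(roles_of_psp, der_utf8(nca_name), der_utf8(nca_id))
    return der_seq(der_oid(OID_PSD2_QCSTATEMENT), psd2_qc_type)

# ---- minimal DER decoder for the same subset ----
def _read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value))
    return out

def _oid_str(body):
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

Psd2Attributes = namedtuple("Psd2Attributes", "roles nca_name nca_id")

def parse_psd2_statement(der):
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("QCStatement must be a SEQUENCE")
    (id_tag, statement_id), (_, info) = _children(body)
    if id_tag != 0x06 or _oid_str(statement_id) != OID_PSD2_QCSTATEMENT:
        raise ValueError("not the PSD2 QcStatement")
    (_, roles_body), (_, nca_name), (_, nca_id) = _children(info)
    roles = []
    for _, role in _children(roles_body):
        (_, role_oid), _name = _children(role)  # roleOfPspName is informative; the OID decides
        roles.append(ROLE_OIDS.get(_oid_str(role_oid), "unknown:" + _oid_str(role_oid)))
    return Psd2Attributes(roles, nca_name.decode("utf-8"), nca_id.decode("utf-8"))

# ---- ASPSP-side decision: certificate claims versus the NCA register ----
# Constructed stand-in for an NCA public register lookup (not a real register entry).
NCA_REGISTER = {
    "PSDXX-NCA-12345": {"name": "Example TPP", "status": "authorised", "roles": {"PSP_PI"}},
}

def authorise_api_access(org_identifier, statement_der, requested_role):
    """Return (granted, reason). The QcStatement is what the QTSP verified at issuance;
    the register is the authority for whether the authorisation still holds today."""
    attrs = parse_psd2_statement(statement_der)
    # TS 119 495 forms the subject organizationIdentifier as "PSD" + NCAId + "-" + PSP number,
    # so it must agree with the NCAId carried inside the statement.
    if not org_identifier.startswith("PSD" + attrs.nca_id + "-"):
        return False, "organizationIdentifier does not match the nCAId in the QcStatement"
    entry = NCA_REGISTER.get(org_identifier)
    if entry is None or entry["status"] != "authorised":
        return False, "PSP not (or no longer) authorised in the NCA register"
    if requested_role not in attrs.roles:
        return False, f"certificate does not carry role {requested_role}"
    if requested_role not in entry["roles"]:
        return False, f"NCA register no longer lists role {requested_role}; certificate is stale"
    return True, "ok"
```

Encode a statement carrying PSP_PI and PSP_AI, parse it back, then ask for each role: PSP_PI is granted; PSP_AI is in the certificate but no longer in the register and is refused (the "may not be up to date" point above); PSP_AS is not in the certificate at all and is refused before the register is even consulted for it.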


TPP to ASPSP - Identification & Setup

Page 23

4. INTERFACES – USING CERTIFICATES

Page 24

Interfaces and SCA/CSC

Interface and SCA requirements are laid out in the RTS on SCA and CSC.

Generally, the key communication requirements are:
- Identification
- Confidentiality
- Integrity

NOTE: Whilst there are many technical methods for communications, APIs and SCA, we have selected appropriate mechanisms for this demonstration; they should be considered "one way to do it", not the "only way to do it".


Page 25

eIDAS Certificates and Internet CSC

It is important to know that QWAC and QSealC certificates are used for different purposes and have different effects.

QSealCs provide:
- Identification
- Integrity

QWACs provide:
- Identification
- Confidentiality


Interfaces and SCA/CSC

Page 26

TLS protocol

From a high level, TLS has three main capabilities that may be used independently or in combination to secure content transport (the network pipe). These capabilities are:

1. Authenticating a server to a client
2. Encrypting client/server communications
3. Authenticating a client to a server

Most public web sites use TLS only to authenticate the web server to the client. Web server authentication is easily implemented and sufficient for establishing a TLS connection. However, web servers can be configured to request or require that the client authenticate using a certificate. This is known as mutual authentication.

Page 27

Mutual TLS Authentication

• Two parties authenticate each other by verifying the digital certificate the other presents; when both certificates are issued by QTSPs, each party is assured of the other's identity
• Very popular in server-to-server communications
• A client (web browser or client application) authenticates itself to a server (website or server application) and that server also authenticates itself to the client
• QTSPs listed in the EU Member States' Trusted Lists (TSLs) are an important part of the mutual authentication process
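What "request or require" means in practice, as an added example that is not from the deck: a Python ssl server context for the ASPSP side that requires the TPP's client certificate, and a helper that reads the PSD2 organizationIdentifier from the ssl.SSLSocket.getpeercert() result. Assumptions: the CA bundle path is supplied by the caller (the QTSP CA certificates derived from the Trusted Lists); the label "organizationIdentifier" is what the linked OpenSSL emits for OID 2.5.4.97, so the dotted OID is accepted as a fallback; SAMPLE_PEERCERT is a constructed dict in getpeercert() shape, not a real handshake result.

```python
"""Added example: ASPSP-side TLS server context that requires the TPP's client
certificate (mutual TLS) and reads the PSD2 organizationIdentifier from it."""
import ssl
from typing import Optional

def make_aspsp_server_context(qtsp_ca_bundle: Optional[str] = None,
                              require_client_cert: bool = True) -> ssl.SSLContext:
    """Server-side context. create_default_context(CLIENT_AUTH) starts at CERT_NONE,
    i.e. server authentication only, which is the usual public-website setup."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # CERT_REQUIRED aborts the handshake when no client certificate is presented.
    # CERT_OPTIONAL merely *requests* one: the handshake succeeds without it, and only
    # an explicit getpeercert() check afterwards keeps anonymous clients out.
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_OPTIONAL
    if qtsp_ca_bundle:
        # Trust anchors: the QTSP CA certificates, taken from the EU Trusted Lists (assumed path).
        ctx.load_verify_locations(cafile=qtsp_ca_bundle)
    return ctx

def tpp_identifier(peercert: Optional[dict]) -> Optional[str]:
    """Extract the subject organizationIdentifier (OID 2.5.4.97, the "PSD..." authorisation
    number) from the dict returned by SSLSocket.getpeercert().
    Returns None when no certificate was presented, which CERT_OPTIONAL allows."""
    if not peercert:
        return None
    for rdn in peercert.get("subject", ()):
        for attr_name, value in rdn:
            # The textual label depends on the linked OpenSSL's name table (assumption),
            # so accept the dotted OID as well.
            if attr_name in ("organizationIdentifier", "2.5.4.97"):
                return value
    return None

# Constructed getpeercert()-shaped dict standing in for a real QWAC handshake result.
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "XX"),),
                (("organizationName", "Example TPP"),),
                (("organizationIdentifier", "PSDXX-NCA-12345"),),
                (("commonName", "api.example-tpp.invalid"),)),
    "issuer": ((("organizationName", "Example QTSP"),),),
    "serialNumber": "0A1B2C",
}
```

Wrap an accepted socket with the returned context; with require_client_cert=True a TPP that presents no certificate never gets past the handshake, and the identifier returned by tpp_identifier is what the ASPSP then looks up in the NCA register.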

Page 28

DEMO

Page 29

Interfaces and SCA/CSC

eIDAS Certificates and Internet CSC

(QWAC / QSealC comparison as on page 25)

Page 30

PISP – ASPSP payment transaction (sealed request and response)

Participants: Customer, PISP services, ASPSP services

1. Customer -> PISP services: customer payment request
2. PISP services: payment request is generated and sealed by means of the PISP QSealC
3. PISP services -> ASPSP services: sealed payment request
4. ASPSP services: [omitted] customer is authenticated in some way by the ASPSP [omitted]
5. ASPSP services: the sealed payment request is validated, the PISP QSealC is validated by means of QTSP validation services, the payment request is processed, and the ASPSP response is generated and sealed by means of the ASPSP QSealC
6. ASPSP services -> PISP services: sealed payment response
7. PISP services -> Customer: customer payment request processing outcomes

Page 31

DEMO

Page 32

Interfaces and SCA/CSC

SUMMARY

1. QWAC and QSealC are used at different communication layers and provide different effects:
   • QWAC for the transport layer
   • QSealC for the application layer
2. QWAC provides Identification and Confidentiality.
3. QSealC provides Identification and Integrity.
4. When used in combination, and as Qualified Certificates, they fulfil the requirements of the RTS on SCA and CSC and also have legal effect under eIDAS.


Page 33

5. REVOCATION OF CERTIFICATES

Page 34

eIDAS Certificate Revocation

• All certificates have a validity period (expiry date)
• However, certificate data may become invalid earlier, e.g.:
  • the private key is compromised
  • the PSP authorisation is revoked or the authorisation number changes
  • PSP role(s) are revoked
• In these cases the certificate needs to be revoked
• Revocation is published by the issuing QTSP


Page 35

Certificate Validation

• Certificate validation includes:
  • Is it expired? Check the dates in the certificate
  • Is it revoked? Check via CRL or OCSP
    • CRL: Certificate Revocation List
    • OCSP: Online Certificate Status Protocol
  • Is the issuing QTSP trusted? Certificate path building
• Typically done automatically by application software
• NOTE: in this demo we use e-Szigno SCVA by Microsec
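The acceptance decision these checks feed, as an added example (not from the deck and not how e-Szigno SCVA is implemented): the certificate fields are assumed already parsed, issuer trust is reduced to a string match against trust anchors derived from the Trusted Lists (standing in for certificate path building), and the revocation inputs are constructed. The point the slide leaves implicit: when OCSP is unreachable and the CRL is missing or past its nextUpdate, the receiving party must reject rather than assume "not revoked".

```python
"""Added example: the receiving party's acceptance decision for an eIDAS certificate,
covering validity window, issuer trust and revocation (OCSP or CRL), failing closed
whenever the revocation status cannot be established."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set, Tuple

@dataclass
class CertInfo:
    """The fields the decision needs, as already parsed from the certificate."""
    serial: int
    not_before: datetime
    not_after: datetime
    issuer: str            # issuer DN; matched against Trusted List derived anchors (simplification)

@dataclass
class RevocationData:
    """What the validator managed to obtain from the QTSP's revocation services."""
    ocsp_status: Optional[Dict[int, str]] = None   # serial -> "good"/"revoked"/"unknown"; None = unreachable
    crl_revoked: Set[int] = field(default_factory=set)
    crl_next_update: Optional[datetime] = None     # None = no CRL obtained

def validate_certificate(cert: CertInfo, now: datetime, trusted_issuers: Set[str],
                         rev: RevocationData) -> Tuple[bool, str]:
    """Return (accepted, reason). Order: validity window, issuer, revocation.
    An OCSP answer of 'unknown', an unreachable responder or a stale CRL all reject:
    soft-failing here would let a revoked QSealC or QWAC keep working."""
    if now < cert.not_before:
        return False, "certificate not yet valid"
    if now > cert.not_after:
        return False, "certificate expired"
    if cert.issuer not in trusted_issuers:
        return False, "issuer is not a QTSP on the Trusted List"
    if rev.ocsp_status is not None:                       # definitive, per-certificate answer
        status = rev.ocsp_status.get(cert.serial, "unknown")
        if status == "good":
            return True, "accepted (OCSP good)"
        return False, f"rejected (OCSP status {status})"
    # Fall back to the CRL, which is only usable while it is itself fresh
    if rev.crl_next_update is None or now > rev.crl_next_update:
        return False, "no fresh revocation information (OCSP unreachable, CRL missing or stale)"
    if cert.serial in rev.crl_revoked:
        return False, "rejected (listed in CRL)"
    return True, "accepted (not in CRL)"

# Constructed sample data (not real certificates): the demo's date and a one-year certificate
NOW = datetime(2018, 3, 20, tzinfo=timezone.utc)
EXAMPLE_CERT = CertInfo(serial=0x1234, not_before=NOW - timedelta(days=30),
                        not_after=NOW + timedelta(days=365), issuer="CN=Example QTSP CA")
TRUSTED = {"CN=Example QTSP CA"}
FRESH_CRL_NEXT_UPDATE = NOW + timedelta(days=1)
STALE_CRL_NEXT_UPDATE = NOW - timedelta(days=1)
AFTER_EXPIRY = NOW + timedelta(days=400)
```

Feed it the outcome of a real OCSP query or CRL download: "good" accepts, "revoked" or "unknown" rejects, and an empty RevocationData (nothing obtained) rejects as well, which is the behaviour an ASPSP or TPP should insist on before trusting a seal or a TLS peer.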

Page 36

The Certificate Revocation Process

• Visit the QTSP website, specify the certificate serial number and password (to authenticate the owner)
• The QTSP will process the revocation request
  • If properly authenticated, this can be automatic
• The QTSP publishes that the certificate is revoked
• The certificate cannot be used any more to create seals / authenticate a website

Page 37

DEMO

Page 38

[Screenshot]

Page 39

Certificate Revocation

SUMMARY

1. Revocation may be requested by
   a. the PSP (who owns the certificate), or
   b. the NCA (who authorised the PSP)
2. The certificate loses its validity when
   a. revocation is published by the QTSP, or
   b. the certificate expires
3. An invalid certificate shall not be accepted by the receiving party


Page 40

PSD2 DEMONSTRATION: OVERALL SUMMARY

Page 41

SUMMARY

Today we have briefly explained and demonstrated a few live processes of the end-to-end journey of a TPP.

We have also discussed where NCAs, QTSPs, ASPSPs and the TPPs themselves need to perform regulatory or technological actions for all of this to fit together.

Page 42

PSD2 DEMONSTRATION

Kornél Réti, Microsec
https://www.microsec.com/
PKI: https://e-szigno.hu/en/

Luigi Rizzo, InfoCert
https://infocert.digital/about-us/
https://infocert.digital/solutions/

Chris Kong, Azadian
https://www.azadian.io

https://openbankingeurope.eu

