PSD2/EIDAS DEMONSTRATIONS
Chris Kong, Azadian
Kornél Réti, Microsec
Luigi Rizzo, InfoCert
© All rights reserved
eIDAS meets PSD2
Overview for this Presentation
1. Authorisation & Passporting
2. eIDAS Certificates Issuing
3. TPP & ASPSP XS2A Setup
4. Interfaces & SCA
5. Revocations & Access
As previously reported and reviewed at the ERPB, with the ECB and EC, there are five general stages of activity for actors within the new PSD2 services.
Today we will look at these five stages, explain the principles and rationale, and provide a demonstration of those activities in practice.
1. AUTHORISATION & PASSPORTING
Authorisation & Passporting is the process by which any PSP obtains a financial authorisation from its home National Competent Authority (NCA) regulator.
A successful application by a PSP results in an entry on the Public Register of that NCA.
NOTE: For the purposes of today's demonstration, we have created an NCA, with "Example TPP" and "Example Bank" as the entities used in the demonstration.
DEMO
SUMMARY
• It is expected that all NCAs will make available their Public Registers with PSD2 Upgrades in 2018.
• There is a market dependency on the availability and accuracy of the NCA Public Registers, as will be shown through this demonstration.
2. EIDAS CERTIFICATE ISSUING
• Any PSP can acquire eIDAS certificates, including:
  • Qualified certificate for website authentication (QWAC)
  • Qualified certificate for electronic seal (QSealC)
• This phase assumes that the PSP is already registered and authorised by the NCA
• NOTE: for the purposes of this demo we are using "Example TPP" as the certificate subject
Example Certificate Request Process
1. Generate a key pair, e.g. in the PSP's secure systems
2. Visit the QTSP website, fill out the certificate request form, and include the public key to be certified
3. The QTSP will prepare the papers and contact the PSP
4. Validation of all data to be included in the certificate
5. QTSP issues the certificate to the PSP
6. Install the certificate into the PSP's secure systems
Screenshot
DEMO
Verification performed by the QTSP
• Identity validation, using one of:
  • qualified signature of an authorised representative of the PSP,
  • face-to-face identification of the representative using photo ID,
  • another method providing equivalent assurance
• Validation of possession of the private key
• Validation of company data against the company register
• Validation of the authorisation of the representative
• PSD2 attribute validation against the NCA register
NCA Public Register - TPP
DEMO
Screenshot
SUMMARY
• QTSP identifies PSP and relies on NCA register to validate PSD2 specific attributes
• QTSP takes responsibility that all information in the certificate is correct at the time of issuance
• QTSP issues qualified certificates according to ETSI TS 119 495, which specifies a standard format and management of PSD2 specific data
3. IDENTIFICATION & SETUP
TPP to ASPSP - Identification & Setup
The TPP & ASPSP Setup is an identification process within API access enablement. Although not mandated in the RTS on SCA and CSC, it is generally API industry best practice.
• As the TPP has a QSEALC, it can now digitally identify itself to ASPSPs online for PSD2 API access.
• Successful identification and setup between the TPP and ASPSP results in the TPP getting API access from the ASPSP.
• eIDAS and ETSI TS 119 495 enable a common framework and pan-European interoperability between all TPPs and ASPSPs for this process.
Identification & Setup flow:
1. Discovery
2. Sign-Up
3. Access Request
4. eIDAS Check
5. PSD2 Check
6. API Access
DEMO
SUMMARY
• QSEALC certificates provide a common, eIDAS-secured method for an unknown TPP to become identified to the ASPSP.
• PKI can be used to verify that the TPP is who it claims to be in the QSEALC.
• QSEALC certificates do not contain all information and may not be up to date, so ASPSPs need to check the NCA Public Registers (or equivalent).
• Successful application of this identification process gives TPPs a quick and universal way of securely accessing ASPSP APIs.
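As an added example (not part of the presentation or of any presenter's product), the following Python builds the PSD2 QcStatement that ETSI TS 119 495 defines for QWACs and QSealCs (the "standard format" of the stage 2 summary), parses it back the way an ASPSP would read it from a TPP's QSealC, and then checks the sealed roles against an NCA register entry, the check this summary says the ASPSP must still perform. The OIDs and role names are those of the standard; the register dictionary, its status field and the NCAId value are constructed assumptions.

```python
# Added example (not from the presentation). Short-form DER lengths only, which is
# enough for this statement; OIDs and role names are those of ETSI TS 119 495.
PSD2_QC_STATEMENT = "0.4.0.19495.2"  # id-etsi-psd2-qcStatement
ROLE_NAMES = {"0.4.0.19495.1.1": "PSP_AS", "0.4.0.19495.1.2": "PSP_PI",
              "0.4.0.19495.1.3": "PSP_AI", "0.4.0.19495.1.4": "PSP_IC"}
def tlv(tag, body):  # DER tag-length-value
    if len(body) >= 0x80:
        raise ValueError("long-form length not handled in this example")
    return bytes([tag, len(body)]) + body
def enc_oid(dotted):  # arcs in base-128, first two arcs folded into one
    arcs = [int(x) for x in dotted.split(".")]
    out = bytearray()
    for v in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [v & 0x7F]
        while v := v >> 7:
            chunk.insert(0, 0x80 | (v & 0x7F))
        out += bytes(chunk)
    return tlv(0x06, bytes(out))

def children(body):  # split a constructed DER value into its (tag, value) members
    out, pos = [], 0
    while pos < len(body):
        tag, n = body[pos], body[pos + 1]
        out.append((tag, body[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return out

def seq(*items): return tlv(0x30, b"".join(items))
def utf8(s): return tlv(0x0C, s.encode())
ROLE_BY_DER = {enc_oid(o): n for o, n in ROLE_NAMES.items()}
def build_psd2_statement(role_oids, nca_name, nca_id):
    # QCStatement ::= SEQUENCE { statementId OID, PSD2QcType { rolesOfPSP, NCAName, NCAId } }
    roles = seq(*(seq(enc_oid(o), utf8(ROLE_NAMES[o])) for o in role_oids))
    return seq(enc_oid(PSD2_QC_STATEMENT), seq(roles, utf8(nca_name), utf8(nca_id)))

def parse_psd2_statement(der):  # what an ASPSP reads out of the TPP's QSealC
    (_, sid), (_, info) = children(children(der)[0][1])
    if tlv(0x06, sid) != enc_oid(PSD2_QC_STATEMENT):
        raise ValueError("not a PSD2 QcStatement")
    (_, roles), (_, name), (_, ident) = children(info)
    role_ders = [tlv(0x06, children(r)[0][1]) for _, r in children(roles)]
    return {"roles": [ROLE_BY_DER.get(d, d.hex()) for d in role_ders],
            "nca_name": name.decode(), "nca_id": ident.decode()}

def check_against_register(stmt, register):  # `register`: constructed NCA register stand-in
    entry = register.get(stmt["nca_id"])
    if entry is None or entry["status"] != "authorised":
        return False, "no active authorisation in NCA register"
    stale = sorted(set(stmt["roles"]) - set(entry["roles"]))
    return (False, "roles no longer authorised: %s" % stale) if stale else (True, "ok")
```

A role that is sealed into the certificate but no longer present in the register is exactly the "may not be up to date" case above, and the check rejects it even though the certificate itself still verifies.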
4. INTERFACES – USING CERTIFICATES
Interfaces and SCA/CSC
Interface and SCA requirements are laid out in the RTS on SCA and CSC.
Generally, the key communication requirements are:
- Identification
- Confidentiality
- Integrity
NOTE: Whilst there are many technical methods for communications, APIs and SCA, we have selected appropriate mechanisms for this demonstration; they should be considered "one way to do it", not the "only way to do it".
eIDAS Certificates and Internet CSC
It's important to know that QWAC and QSEALC certificates are used for different purposes and effects.
QSEALCs provide:
- Identification
- Integrity
QWACs provide:
- Identification
- Confidentiality
TLS protocol
From a high level, TLS has three main capabilities that may be used independently or in combination to secure content transport (the network pipe).
These capabilities are:
1. Authenticating a server to a client
2. Encrypting client/server communications
3. Authenticating a client to a server
Most public web sites use TLS only to authenticate the web server to the client. Web server authentication is easily implemented and sufficient for establishing a TLS connection. However, web servers can be configured to request or require that the client authenticate using a certificate. This is known as mutual authentication.
Mutual TLS Authentication
• Two parties authenticate each other by verifying the digital certificate the other presents, issued by a QTSP; both parties are then assured of the other's identity
• Very popular in server-to-server communications
• A client (web browser or client application) authenticates itself to a server (website or server application), and that server also authenticates itself to the client
• QTSPs listed in the EU member states' TSLs (trusted lists) are an important part of the mutual authentication process
DEMO
PISP – ASPSP payment transaction (sequence diagram)
1. Customer → PISP services: customer payment request
2. PISP services: payment request is generated and sealed by means of the PISP QSEALC
3. PISP services → ASPSP services: sealed payment request
4. omissis … customer is authenticated in some way by ASPSP … omissis
5. ASPSP services: sealed payment request is validated, PISP QSEALC is validated by means of QTSP validation services, payment request is processed, ASPSP response is generated and sealed by means of the ASPSP QSEALC
6. ASPSP services → PISP services: sealed payment response
7. PISP services → Customer: customer payment request processing outcomes
DEMO
SUMMARY
1. QWAC and QSEALC are used at different communication layers and provide different effects:
  • QWAC for the Transport Layer
  • QSEALC for the Application Layer
2. QWAC provides Identification and Confidentiality.
3. QSEALC provides Identification and Integrity.
4. When used in combination and with Qualified Certificates, this fulfils the requirements of the RTS SCA CSC and also has legal effect under eIDAS.
5. REVOCATION OF CERTIFICATES
• All certificates have a validity period (expiry date)
• However, certificate data may become invalid earlier, e.g.:
  • Private key is compromised
  • PSP authorisation revoked or authorisation number changed
  • PSP role(s) revoked
• In these cases the certificate needs to be revoked
• Revocation is published by the issuer QTSP
Certificate Validation
• Certificate validation includes:
  • Is it expired? Check the dates in the certificate
  • Is it revoked? Check the CRL or OCSP
    • CRL: Certificate Revocation List
    • OCSP: Online Certificate Status Protocol
  • Is the issuer QTSP trusted? Certificate path building
• Typically done automatically by application software
• NOTE: in this demo we use e-Szigno SCVA by Microsec
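As an added example (not part of the presentation and not the e-Szigno SCVA), the following Python runs the three checks just listed, expiry, revocation and path building to a trusted QTSP, over a constructed chain of certificate records standing in for real X.509 objects; the chain, the trust anchor and the CRL entry are assumptions. It also applies the rule from the revocation summary that a certificate loses validity only once the QTSP has published the revocation.

```python
# Added example (not from the presentation): the three checks on the slide, run over
# constructed certificate records rather than real X.509 objects or a live CRL/OCSP.
from datetime import date

# Constructed chain: TPP QSealC <- QTSP issuing CA <- QTSP root (the trust anchor, which
# an ASPSP would in practice take from the EU member state trusted lists).
CERTS = {
    "tpp-qsealc": {"issuer": "example-qtsp-ca", "serial": "0x1001",
                   "not_before": "2018-01-01", "not_after": "2020-01-01"},
    "example-qtsp-ca": {"issuer": "example-qtsp-root", "serial": "0x0002",
                        "not_before": "2017-01-01", "not_after": "2027-01-01"},
    "example-qtsp-root": {"issuer": "example-qtsp-root", "serial": "0x0001",
                          "not_before": "2016-01-01", "not_after": "2036-01-01"},
}
TRUST_ANCHORS = {"example-qtsp-root"}
# Constructed CRL as published by the QTSP: (issuer, serial) -> publication date.
CRL = {("example-qtsp-ca", "0x1001"): "2019-03-15"}

def build_path(name, certs, anchors, max_depth=8):
    """Follow issuer links from `name` until a trust anchor; None if none is reached."""
    path, cur = [], name
    while cur not in anchors:
        cert = certs.get(cur)
        if cert is None or cert["issuer"] == cur or len(path) >= max_depth:
            return None  # unknown issuer, untrusted self-signed cert, or a loop
        path.append(cur)
        cur = cert["issuer"]
    return path + [cur]

def validate(name, on, certs=CERTS, anchors=TRUST_ANCHORS, crl=CRL):
    """Return (ok, reason) for certificate `name` as at ISO date `on`."""
    path = build_path(name, certs, anchors)
    if path is None:
        return False, "issuer path does not reach a trusted QTSP root"
    when = date.fromisoformat(on)
    for n in path:  # every certificate on the path must pass all three checks
        c = certs[n]
        if not date.fromisoformat(c["not_before"]) <= when <= date.fromisoformat(c["not_after"]):
            return False, "%s is expired or not yet valid" % n
        published = crl.get((c["issuer"], c["serial"]))
        if published is not None and date.fromisoformat(published) <= when:
            return False, "%s revoked, published %s" % (n, published)
    return True, "ok"
```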
The Certificate Revocation Process
• Visit the QTSP website, specify the certificate serial number and password (to authenticate the owner)
• The QTSP will process the revocation request
  • If properly authenticated, this can be automatic
• QTSP publishes that the certificate is revoked
• The certificate cannot be used any more to create seals / authenticate a website
DEMO
Screenshot
SUMMARY
1. Revocation may be requested by
   a. the PSP (who owns the certificate), or
   b. the NCA (who authorised the PSP)
2. A certificate loses its validity when
   a. revocation is published by the QTSP, or
   b. the certificate expires
3. An invalid certificate shall not be accepted by the receiving party
PSD2 DEMONSTRATION
OVERALL SUMMARY
Today we have briefly explained and demonstrated a few live processes in the end-to-end (E2E) journey of a TPP.
We have also discussed where NCAs, QTSPs, ASPSPs and the TPPs themselves need to perform regulatory or technological actions for this to fit together.
PSD2 DEMONSTRATION
Kornél Réti, [email protected]
https://www.microsec.com/
PKI: https://e-szigno.hu/en/
https://infocert.digital/about-us/
https://infocert.digital/solutions/
Luigi Rizzo, [email protected]
Chris Kong, [email protected]
https://www.azadian.io
https://openbankingeurope.eu