3.1 Certificate Requirements: Difference between revisions
Line 1: | Line 1: | ||
As required by the Regulatory Technical Standards for strong customer authentication and common and secure open standards of communication contained in the [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018R0389&from=EN DELEGATED REGULATION (EU) 2018/389 of 27 November 2017], TPP need to be equipped with qualified certificates for electronic seals / website authentication (eIDAS Certificates). | As required by the Regulatory Technical Standards for strong customer authentication and common and secure open standards of communication contained in the [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018R0389&from=EN DELEGATED REGULATION (EU) 2018/389 of 27 November 2017], TPP need to be equipped with qualified certificates for electronic seals / website authentication (eIDAS Certificates). | ||
TPP ''eIDAS'' Certificates can be of two types: | |||
TPP eIDAS Certificates can be of two types: | |||
<ul> | <ul> | ||
<li> | <li> | ||
QWAC (Qualified Website Authentication Certificate): used as Client Certificates – allow TPPs to communicate securely with and identify themselves towards ASPSPs ([https://eba.europa.eu/documents/10180/2137845/EBA+Opinion+on+the+use+of+eIDAS+certificates+under+the+RTS+on+SCACSC.pdf Opinion of the European Banking Authority on the use of eIDAS certificates under the RTS on SCA and CSC]); | |||
</li> | </li> | ||
<li> | <li> | ||
QSeal (Qualified Certificate for Seals): used to sign requests using http-signature – ensure that the communication between TPPs and ASPSPs is secure and that the data submitted originates from the PSP identified in the certificate ([https://eba.europa.eu/documents/10180/2137845/EBA+Opinion+on+the+use+of+eIDAS+certificates+under+the+RTS+on+SCACSC.pdf Opinion of the European Banking Authority on the use of eIDAS certificates under the RTS on SCA and CSC]); | |||
</li> | </li> | ||
</ul> | </ul> | ||
The Testing Facility (Sandbox) made available from the | The '''Testing Facility''' (Sandbox) made available from the '''14<sup>th</sup> of March, 2019''', is accessible to all the TPPs in possession of: | ||
<ul> | <ul> | ||
<li>a | <li>a valid QWAC production eIDAS Certificate released by a Qualified Trusted Service Provider (QTSP);</li> | ||
<li>QWAC Test Certificate released by a Qualified Trusted Service Provider (QTSP);</li> | <li>QWAC Test Certificate released by a Qualified Trusted Service Provider (QTSP);</li> | ||
</ul> | </ul> | ||
The '''Production Facility''' made available '''from the 1<sup>st</sup> of June, 2019''', is accessible to all the TPPs in possession of: | |||
<ul> | |||
<li>a valid production QWAC and QSeal (for http-signature) eIDAS Certificates released by a Qualified Trusted Service Provider (QTSP) based on a formal authorization in the NCA/EBA registers.</li> | |||
</ul> | |||
The Production Environment made available from the 1<sup>st</sup> of June, 2019, is accessible only to the TPPs in possession of both QWAC and QSeal eIDAS Certificates valid for the Production Environment. '''The TPPs that have already performed the onboarding with the test certificate''', in order to ensure the highest levels of security for the PSUs and receive the production client id/secret id, '''are required to send an explicit request to the dedicated email address [mailto:supportcbiglobe@cbi-org.eu supportcbiglobe@cbi-org.eu] with attached an eIDAS certificate valid for the production environment'''. | |||
Furthermore, starting from the 1<sup>st</sup> of June, 2019, '''self-signed certificates are not considered valid anymore''' to access the Testing Facility. | |||
---- | ---- |
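Review bot: The added "Production Facility" list and the "Production Environment" paragraph that follows it state the same access rule twice (QWAC plus QSeal from the 1st of June, 2019) under two different names, so a reader cannot tell whether they are one environment or two; merge them and use one term throughout. The added sentence on self-signed certificates concerns the Testing Facility but sits after the production text, so move it under the Testing Facility list, and say there whether the two listed certificates are alternatives. In the onboarding sentence, "with attached an eIDAS certificate" should read "attaching an eIDAS certificate".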
Revision as of 15:48, 29 May 2019
As required by the Regulatory Technical Standards for strong customer authentication and common and secure open standards of communication contained in the DELEGATED REGULATION (EU) 2018/389 of 27 November 2017, TPPs need to be equipped with qualified certificates for electronic seals / website authentication (eIDAS Certificates).
TPP eIDAS Certificates can be of two types:
- QWAC (Qualified Website Authentication Certificate): used as a client certificate; it allows TPPs to communicate securely with ASPSPs and to identify themselves towards them (Opinion of the European Banking Authority on the use of eIDAS certificates under the RTS on SCA and CSC);
- QSeal (Qualified Certificate for Seals): used to sign requests using http-signature; it ensures that the communication between TPPs and ASPSPs is secure and that the data submitted originates from the PSP identified in the certificate (Opinion of the European Banking Authority on the use of eIDAS certificates under the RTS on SCA and CSC).
The Testing Facility (Sandbox), made available from the 14th of March, 2019, is accessible to all the TPPs in possession of:
- a valid QWAC production eIDAS Certificate released by a Qualified Trusted Service Provider (QTSP);
- a QWAC Test Certificate released by a Qualified Trusted Service Provider (QTSP).
The Production Facility, made available from the 1st of June, 2019, is accessible to all the TPPs in possession of:
- valid production QWAC and QSeal (for http-signature) eIDAS Certificates released by a Qualified Trusted Service Provider (QTSP) based on a formal authorization in the NCA/EBA registers.
The Production Environment, made available from the 1st of June, 2019, is accessible only to the TPPs in possession of both QWAC and QSeal eIDAS Certificates valid for the Production Environment. To ensure the highest levels of security for the PSUs and to receive the production client id/secret id, the TPPs that have already performed the onboarding with the test certificate are required to send an explicit request to the dedicated email address supportcbiglobe@cbi-org.eu, attaching an eIDAS certificate valid for the production environment.
Furthermore, starting from the 1st of June, 2019, self-signed certificates are no longer considered valid to access the Testing Facility.