EJBCA issue ECA-6604

Support for PSD2 Qualified Certificate Statement

    Details

    • Type: Epic
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Epic Name:
      Support for PSD2 Qualified Certificate Statement
    • Issue discovered during:
      Customer

      Description

      Note: This issue covers ETSI TS 119 495.

      5.1 PSD2 QCStatement

      The PSD2 specific attributes shall be included in a QCStatement within the qcStatements extension as specified in clause 3.2.6 of IETF RFC 3739 [6].
      This QCStatement shall contain the following PSD2 specific certificate attributes as required by RTS [i.3] article 34:

      1. the role of the payment service provider, which may be one or more of the following:
        1. account servicing (PSP_AS);
        2. payment initiation (PSP_PI);
        3. account information (PSP_AI);
        4. issuing of card-based payment instruments (PSP_IC);
      2. the name of the competent authority where the payment service provider is registered. This is provided in two forms: the full name string (NCAName) in English and an abbreviated unique identifier (NCAId). See clause 5.2.3 for further details.

      The syntax of the defined statement shall comply with ASN.1 [5]. The complete ASN.1 module for all defined statements shall be as provided in Annex A; it takes precedence over the ASN.1 definitions provided in the body of the present document, in case of discrepancy.

      NOTE: This extension is not processed as part of IETF RFC 5280 [i.7] path validation and there are no security implications with accepting a certificate in a system that cannot parse this extension. (That statement concerns path validation only: a relying party that bases access decisions on the PSP roles, such as an account servicing PSP deciding which API a third party may call, has no other in-certificate source for those roles and must parse the statement.)

      Syntax:

      etsi-psd2-qcStatement QC-STATEMENT ::= { SYNTAX PSD2QcType IDENTIFIED BY id-etsi-psd2-qcStatement }
      id-etsi-psd2-qcStatement OBJECT IDENTIFIER ::= { itu-t(0) identified-organization(4) etsi(0) psd2(19495) qcstatement(2) }

      PSD2QcType ::= SEQUENCE {
        rolesOfPSP RolesOfPSP,
        nCAName NCAName,
        nCAId NCAId }
      

      5.2 Encoding PSD2 specific attributes

      5.2.1 Authorization number

      The authorization number shall be placed in organizationIdentifier attribute of the Subject Distinguished Name field in the certificate:

      1. for QWACs: as defined in clause 5.3;
      2. for QSealCs as defined in clause 5.4.

      The authorization number shall be encoded using the syntax identified by the legal person semantics identifier as defined in ETSI EN 319 412-1 [1], clause 5.1.4 extended for PSD2 authorization identifier as follows.

      The organizationIdentifier attribute shall contain information using the following structure in the presented order:

      • "PSD" as 3 character legal person identity type reference;
      • 2 character ISO 3166 country code representing the NCA country;
      • hyphen-minus "-" (0x2D (ASCII), U+002D (UTF-8)); and
      • 2-8 character NCA identifier (A-Z uppercase only, no separator);
      • hyphen-minus "-" (0x2D (ASCII), U+002D (UTF-8)); and
      • PSP identifier (authorization number as specified by NCA).

      EXAMPLE: The organizationIdentifier "PSDES-BDE-3DFD21" means a certificate issued to a PSP where the authorization number is 3DFD21 and authorization was granted by the Spanish NCA Banco de España (the identifier after the second hyphen-minus is decided by the Spanish numbering system).

      Any separator in NCA identifier shall be removed.

      5.2.2 Roles of payment service provider

      RolesOfPSP shall contain one or more roles. The roles shall be as declared by an NCA via their public register for the subject PSP. Each role is represented by a role object identifier and a role name.

      For the role of account servicing payment service provider, payment initiation service provider, account information service provider or payment service provider issuing card-based payment instruments as defined in the RTS [i.3]:

      • the role object identifier shall be the appropriate one of the four OIDs defined in the ASN.1 snippet below; and
      • the role name shall be the appropriate one of the abbreviated names defined in clause 5.1: PSP_AS, PSP_PI, PSP_AI or PSP_IC.

      For any other role the role object identifier and the role name shall be defined and registered by an organization recognized by the NCA or recognized at the European level.

      NOTE: Using nationally recognized roles can have an adverse effect on interoperability at the European level. At the time of publication of the present document only the four roles mentioned in clause 4.2 are defined by the RTS [i.3].

      The TSP shall ensure that the name in roleOfPspName is the one associated with the role object identifier held in roleOfPspOid.

      Syntax:

      RolesOfPSP ::= SEQUENCE OF RoleOfPSP
      RoleOfPSP ::= SEQUENCE {
        roleOfPspOid RoleOfPspOid,
        roleOfPspName RoleOfPspName }

      RoleOfPspOid ::= OBJECT IDENTIFIER
      -- Object Identifier arc for roles of payment service providers
      -- defined in the present document
      etsi-psd2-roles OBJECT IDENTIFIER ::= { itu-t(0) identified-organization(4) etsi(0) psd2(19495) id-roles(1) }
      -- Account Servicing Payment Service Provider (PSP_AS) role
      id-psd2-role-psp-as OBJECT IDENTIFIER ::= { itu-t(0) identified-organization(4) etsi(0) psd2(19495) id-roles(1) 1 }
      -- Payment Initiation Service Provider (PSP_PI) role
      id-psd2-role-psp-pi OBJECT IDENTIFIER ::= { itu-t(0) identified-organization(4) etsi(0) psd2(19495) id-roles(1) 2 }
      -- Account Information Service Provider (PSP_AI) role
      id-psd2-role-psp-ai OBJECT IDENTIFIER ::= { itu-t(0) identified-organization(4) etsi(0) psd2(19495) id-roles(1) 3 }
      -- Payment Service Provider issuing card-based payment instruments (PSP_IC) role
      id-psd2-role-psp-ic OBJECT IDENTIFIER ::= { itu-t(0) identified-organization(4) etsi(0) psd2(19495) id-roles(1) 4 }

      RoleOfPspName ::= UTF8String (SIZE(256))
      -- Payment Service Provider role name corresponding with OID
      -- (i.e. PSP_AS, PSP_PI, PSP_AI, PSP_IC)
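
Worked example added by the editor, not EJBCA code and not part of the ETSI text: the clause 5.1 QCStatement and the clause 5.2.2 role structure encoded and decoded with Go's standard encoding/asn1, wrapped as the id-pe-qcStatements extension from RFC 3739, with the parser enforcing the rule that a known role OID carries its defined abbreviated name. The Go type and function names, the roleNameByOID map and the SamplePSD2 input (which reuses the clause 5.2.1 Banco de España example) are this example's own choices; EJBCA's own implementation is in Java and is not shown here.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// OIDs from ETSI TS 119 495 clauses 5.1 and 5.2.2, plus id-pe-qcStatements from RFC 3739.
var (
	oidPeQcStatements      = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3}
	oidEtsiPsd2QcStatement = asn1.ObjectIdentifier{0, 4, 0, 19495, 2}
	oidRolePspAs           = asn1.ObjectIdentifier{0, 4, 0, 19495, 1, 1}
	oidRolePspPi           = asn1.ObjectIdentifier{0, 4, 0, 19495, 1, 2}
	oidRolePspAi           = asn1.ObjectIdentifier{0, 4, 0, 19495, 1, 3}
	oidRolePspIc           = asn1.ObjectIdentifier{0, 4, 0, 19495, 1, 4}
)

// roleNameByOID is the OID/name pairing clause 5.2.2 requires the TSP to keep consistent.
var roleNameByOID = map[string]string{
	oidRolePspAs.String(): "PSP_AS",
	oidRolePspPi.String(): "PSP_PI",
	oidRolePspAi.String(): "PSP_AI",
	oidRolePspIc.String(): "PSP_IC",
}

// RoleOfPSP ::= SEQUENCE { roleOfPspOid OBJECT IDENTIFIER, roleOfPspName UTF8String }
type RoleOfPSP struct {
	RoleOfPspOid  asn1.ObjectIdentifier
	RoleOfPspName string `asn1:"utf8"`
}

// PSD2QcType ::= SEQUENCE { rolesOfPSP SEQUENCE OF RoleOfPSP, nCAName UTF8String, nCAId UTF8String }
type PSD2QcType struct {
	RolesOfPSP []RoleOfPSP
	NCAName    string `asn1:"utf8"`
	NCAId      string `asn1:"utf8"`
}

// QCStatement ::= SEQUENCE { statementId OBJECT IDENTIFIER, statementInfo ANY DEFINED BY statementId OPTIONAL }
type QCStatement struct {
	StatementID   asn1.ObjectIdentifier
	StatementInfo asn1.RawValue `asn1:"optional"`
}

// BuildQcStatementsExtension DER-encodes qcStatements (SEQUENCE OF QCStatement) holding the single
// PSD2 statement and returns it as the non-critical id-pe-qcStatements extension.
func BuildQcStatementsExtension(qc PSD2QcType) (pkix.Extension, error) {
	info, err := asn1.Marshal(qc)
	if err != nil {
		return pkix.Extension{}, err
	}
	der, err := asn1.Marshal([]QCStatement{{
		StatementID:   oidEtsiPsd2QcStatement,
		StatementInfo: asn1.RawValue{FullBytes: info},
	}})
	return pkix.Extension{Id: oidPeQcStatements, Value: der}, err
}

// ParsePSD2QcStatement decodes a qcStatements extension value, skips unrelated statements (e.g.
// id-etsi-qcs-QcCompliance) and enforces clause 5.2.2: one or more roles, known OIDs with their defined name.
func ParsePSD2QcStatement(extValue []byte) (*PSD2QcType, error) {
	var stmts []QCStatement
	if rest, err := asn1.Unmarshal(extValue, &stmts); err != nil || len(rest) != 0 {
		return nil, fmt.Errorf("malformed qcStatements: %v (%d trailing bytes)", err, len(rest))
	}
	for _, s := range stmts {
		if !s.StatementID.Equal(oidEtsiPsd2QcStatement) {
			continue
		}
		var qc PSD2QcType
		if rest, err := asn1.Unmarshal(s.StatementInfo.FullBytes, &qc); err != nil || len(rest) != 0 {
			return nil, fmt.Errorf("malformed PSD2QcType: %v (%d trailing bytes)", err, len(rest))
		}
		if len(qc.RolesOfPSP) == 0 {
			return nil, fmt.Errorf("rolesOfPSP must contain at least one role")
		}
		for _, r := range qc.RolesOfPSP {
			if want, known := roleNameByOID[r.RoleOfPspOid.String()]; known && r.RoleOfPspName != want {
				return nil, fmt.Errorf("role %v carries name %q, expected %q", r.RoleOfPspOid, r.RoleOfPspName, want)
			}
		}
		return &qc, nil
	}
	return nil, fmt.Errorf("no PSD2 QCStatement present")
}

// SamplePSD2 is constructed input (not from the spec) reusing the clause 5.2.1 Banco de España example.
func SamplePSD2() PSD2QcType {
	return PSD2QcType{
		RolesOfPSP: []RoleOfPSP{{oidRolePspAs, "PSP_AS"}, {oidRolePspPi, "PSP_PI"}},
		NCAName:    "Banco de España",
		NCAId:      "ES-BDE",
	}
}

func main() {
	ext, err := BuildQcStatementsExtension(SamplePSD2())
	qc, perr := ParsePSD2QcStatement(ext.Value)
	fmt.Printf("build err=%v\nqcStatements DER: %x\ndecoded: %+v err=%v\n", err, ext.Value, qc, perr)
}
```

Two caveats for anyone lifting this into a linter: encoding/asn1 does not enforce the SIZE constraints on the UTF8String fields, so add length checks if your profile needs them, and the parser deliberately tolerates role OIDs outside the four RTS arcs (clause 5.2.2 allows nationally registered roles) but rejects any mismatch for the four it knows.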
      

      5.2.3 Name and identifier of the competent authority

      The NCAName shall be a plain text name in English provided by the NCA itself for the purpose of identification in certificates.

      NCAName ::= UTF8String (SIZE (256))
      

      The NCAId shall contain information using the following structure in the presented order:

      • 2 character ISO 3166 country code representing the NCA country;
      • hyphen-minus "-" (0x2D (ASCII), U+002D (UTF-8)); and
      • 2-8 character NCA identifier (A-Z uppercase only, no separator).

      The NCAId shall be unique and provided by the NCA itself for the purpose of identification in certificates.

      The NCAId shall be composed of the same values as the equivalent fields of the authorization number defined in clause 5.2.1.

      NCAId ::= UTF8String (SIZE (256))
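
Worked example added by the editor, not EJBCA code and not part of the ETSI text, covering clauses 5.2.1 and 5.2.3 together: a parser for the PSD<CC>-<NCA>-<PSP id> organizationIdentifier, the separator stripping the clause requires, and the cross-check that the NCAId in the QCStatement is built from the same country code and NCA identifier as the subject DN. The type and function names are this example's own; the PSP identifier is only required to be non-empty, because its format is set by each NCA, and the set of separators stripped by NormalizeNCAIdentifier is an assumption since the clause does not enumerate them.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Clause 5.2.1 layout: "PSD" + NCA country (ISO 3166 alpha-2) + "-" + NCA identifier (2-8 chars,
// A-Z) + "-" + PSP authorization number. The number's format belongs to the NCA, so it is only
// required to be non-empty; a greedy [A-Z]{2,8} keeps hyphens inside the PSP id intact.
var orgIDPattern = regexp.MustCompile(`^PSD([A-Z]{2})-([A-Z]{2,8})-(.+)$`)

// ncaIDPattern is the clause 5.2.1 / 5.2.3 constraint on the NCA identifier itself.
var ncaIDPattern = regexp.MustCompile(`^[A-Z]{2,8}$`)

// PSD2OrgID is the decomposed organizationIdentifier.
type PSD2OrgID struct {
	Country string // NCA country code, e.g. "ES"
	NCA     string // NCA identifier, e.g. "BDE"
	PSPID   string // authorization number as issued by the NCA, e.g. "3DFD21"
}

// NCAId derives the clause 5.2.3 value that the PSD2 QCStatement must carry for this subject.
func (o PSD2OrgID) NCAId() string { return o.Country + "-" + o.NCA }

// ParseOrganizationIdentifier validates and splits a clause 5.2.1 authorization number.
func ParseOrganizationIdentifier(orgID string) (PSD2OrgID, error) {
	m := orgIDPattern.FindStringSubmatch(orgID)
	if m == nil {
		return PSD2OrgID{}, fmt.Errorf("organizationIdentifier %q is not PSD<CC>-<NCA>-<PSP id>", orgID)
	}
	return PSD2OrgID{Country: m[1], NCA: m[2], PSPID: m[3]}, nil
}

// NormalizeNCAIdentifier applies "Any separator in NCA identifier shall be removed". The separator
// set (space, hyphen, underscore, dot, slash) is an assumption of this example, not from the clause.
func NormalizeNCAIdentifier(raw string) (string, error) {
	id := strings.ToUpper(strings.NewReplacer(" ", "", "-", "", "_", "", ".", "", "/", "").Replace(raw))
	if !ncaIDPattern.MatchString(id) {
		return "", fmt.Errorf("NCA identifier %q is not 2-8 characters A-Z after normalization (%q)", raw, id)
	}
	return id, nil
}

// CheckNCAIdConsistency enforces clause 5.2.3: the NCAId in the PSD2 QCStatement must be built from
// the same country code and NCA identifier as the organizationIdentifier in the subject DN.
func CheckNCAIdConsistency(orgID, ncaID string) error {
	o, err := ParseOrganizationIdentifier(orgID)
	if err != nil {
		return err
	}
	if o.NCAId() != ncaID {
		return fmt.Errorf("NCAId %q does not match organizationIdentifier %q (expected %q)", ncaID, orgID, o.NCAId())
	}
	return nil
}

func main() {
	// Constructed inputs: the clause 5.2.1 example plus two pairs that must be rejected.
	for _, c := range [][2]string{
		{"PSDES-BDE-3DFD21", "ES-BDE"},
		{"PSDES-BDE-3DFD21", "ES-BOE"},
		{"VATES-B12345678", "ES-BDE"}, // VAT syntax from EN 319 412-1, not a PSD2 authorization number
	} {
		fmt.Printf("%-20s %-8s -> %v\n", c[0], c[1], CheckNCAIdConsistency(c[0], c[1]))
	}
}
```

Run as an issuance-time check in the CA (before signing) rather than only on the relying-party side: a certificate whose NCAId disagrees with its organizationIdentifier is a profile violation the TSP is responsible for, and the relying party has no way to tell which of the two values is the right one.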
      

      5.3 Requirements for QWAC Profile

      If the qualified certificate issued is for website authentication (QWAC) then the requirements of ETSI EN 319 412-4 [3] shall apply including requirements for qualified certificates.

      In addition:

      1. The PSD2 QCStatement as identified in clause 5.1 shall be included in the certificate.
      2. The organizationIdentifier shall be present in the Subject's Distinguished Name and encoded with legal person syntax as specified in clause 5.2.1.

      NOTE: As stated in section 7.1.2.3 item f of the CA/Browser Forum Baseline Requirements [i.8] (as referenced in ETSI EN 319 412-4) "id-kp-serverAuth [RFC5280] or id-kp-clientAuth [RFC5280] or both values MUST be present". If the certificate is intended to be used as the client certificate in mutual authentication then both values will need to be present. It is not intended that certificates issued under this profile are used just as client certificates.

      5.4 Requirements for QSealC Profile

      If the qualified certificate issued is for electronic seal (QSealC) then the requirements of ETSI EN 319 412-3 [2] shall apply including requirements for qualified certificates.

      In addition:

      1. The PSD2 QCStatement as identified in clause 5.1 shall be included in the certificate.
      2. The organizationIdentifier shall be present in the Subject's Distinguished Name and encoded with legal person syntax as specified in clause 5.2.1.

      People

      • Assignee: Tomas Gustavsson (tomas)
      • Reporter: Mike Agrenius Kushner (mikek)
      • Votes: 1
      • Watchers: 8

      Time Tracking

      • Original Estimate: 1w
      • Remaining Estimate: 1w
      • Time Spent: Not Specified