I have a question regarding open banking and the PSD2 eIDAS certificates that TPPs need in order to identify themselves to ASPSPs. Basically, an eIDAS certificate is issued by a QTSP to the TPPs. The question I have is: what is the best way to establish a trust chain to validate the eIDAS certificate? EBA has provided a trust list browser, https://webgate.ec.europa.eu/tl-browser/#/, however the trust list is only providing the intermediate CAs, with a view that we don't need root CAs to validate an eIDAS certificate as long as the QTSP which signs the eIDAS certificate is present in the EU trust list. In my view there is a fundamental gap in the understanding of EBA, because most of the current firewalls need the entire certificate chain to establish the trust.

Is there any way to configure a TrustAnchor in Spring Boot embedded Tomcat? Will it work without having top-level root CAs? Basically, my use case involves a TLS MA connection, so can it work purely on the certificates present in the TrustAnchor?

Any help on above will be highly appreciated.

  • In my understanding and hackish simple terms, a certificate is termed trusted when a trusted certificate is found in its chain, ascending up to the root CA - I mean - if the eIDAS certificate itself is in the ASPSP's trust store, it is not necessary for the certificate chain to be provided at all - the way I think about it is that the eIDAS certificate OR its issuer certificate are enough to be added to the trust store for things to work for the TLS at least. The checking of the trust list browser to get QTSP status, as I understand it, is another story and has to be done on application level. – hello_earth Sep 10 '19 at 09:10
  • @hello_earth Your point is valid; however, unfortunately many of the commercial-grade firewalls (e.g. Citrix NetScaler) do not work like that, and for security reasons they need the entire chain to be present in the trust store, forcing organizations to obtain Root CAs and manually upload them. In fact this could be one of the reasons why OB (https://www.openbanking.org.uk/) is providing a service which will provide QTSPs' certificate chains to Banks and TPPs. – user3916750 Sep 23 '19 at 13:03
  • Hey! I wrote a simple script extracting CA certificates from the eIDAS Trust List, maybe you'll find it useful: https://github.com/fed239/eidas-tsp-certificates-extractor – Fedor Jul 04 '23 at 15:55

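Whether a trust store holding only the QTSP's issuing CA is enough depends on the validator, not just on the certificates, so here is an added example (not code from the question or its comments) that builds a constructed root / issuing-CA / leaf chain with openssl and runs the trust-store cases the question turns on: OpenSSL's verifier, like the firewall described above, rejects an intermediate-only store unless explicitly allowed to stop at a partial chain, whereas Java's PKIX validator behind embedded Tomcat treats any certificate in the truststore as a trust anchor. The working directory, subject names and flags are assumptions, and nothing here checks QTSP status, which remains an application-level lookup against the trust list.

```shell
#!/bin/sh
# Added example (not from the question): build a constructed root -> issuing CA -> TPP leaf
# chain with openssl, then check which trust-store contents let the leaf validate.
set -eu

build_chain() {
  # $1 = working directory; every key and cert here is throwaway test material
  d="$1"; mkdir -p "$d"
  printf '[req]\ndistinguished_name=dn\n[dn]\n' >"$d/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' >"$d/leaf.ext"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" -subj "/CN=Constructed $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" >/dev/null 2>&1
  done
  # root: self-signed; int (the issuing CA): signed by root; leaf (the client cert): signed by int
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" >/dev/null 2>&1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" >/dev/null 2>&1
}

# verify_leaf STORE LEAF [FLAGS...]: path-validate LEAF against trust store STORE.
# Returns 0 when openssl accepts the chain, non-zero otherwise (the error text is discarded).
verify_leaf() {
  store="$1"; leaf="$2"; shift 2
  openssl verify "$@" -CAfile "$store" "$leaf" >/dev/null 2>&1
}

# Report the cases a bank's trust-store decision hinges on.
report() {
  d="$1"; build_chain "$d"
  for c in "root only, nothing sent by peer:$d/root.pem:" \
           "root + intermediate sent by peer:$d/root.pem:-untrusted $d/int.pem" \
           "intermediate only, default rules:$d/int.pem:" \
           "intermediate only, -partial_chain:$d/int.pem:-partial_chain"; do
    name=${c%%:*}; rest=${c#*:}; store=${rest%%:*}; flags=${rest#*:}
    # $flags is deliberately unquoted so "-untrusted FILE" splits into two arguments
    if verify_leaf "$store" "$d/leaf.pem" $flags; then echo "$name -> OK"; else echo "$name -> FAIL"; fi
  done
}

report "$(mktemp -d)"
```

The two OK cases are a root-anchored store that receives the intermediate from the peer and an intermediate-only store with `-partial_chain`; the two FAIL cases show why an appliance that insists on a self-signed root cannot use the trust list's issuing CAs on their own.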