The security model of the EPC VOP API is built on mutual authentication: a Qualified Web Authentication Certificate (QWAC) issued for use in PSD2 Open Banking on the client side (VoP Requesting PSP) and an EV TLS certificate on the server side (VOP Responding PSP or RVM). Please refer to the EPC API Security Framework (ASF) for details.
The EPC does not intend to define its own specification for validating client certificates; for the authentication of the VOP Requester (API-client) using QWAC PSD2 certificates, it encourages the use of the authentication principles already in place for Open Banking under PSD2.
The EPC recommends integrating the full list of qualified root Certification Authorities (CAs) and their intermediate CAs into the trust list of the VOP API-Server, as VOP API Servers need to accept valid QWAC PSD2 certificates from any valid QTSP (Qualified Trust Service Provider).
The API-client is not expected to provide the entire certificate trust chain (i.e. including intermediate certificates) when it presents the QWAC PSD2 certificate to the API-server during the TLS handshake; this is the recommended approach.
The API-server needs to treat the intermediate CA that issued the QWAC certificate, when that CA is in the trusted list, as a “trust anchor” (which therefore does not need to be validated further). If the CA that issued the QWAC is not in the API-server’s trusted list, validation follows the certificate chain until it reaches an intermediate CA that is in the trusted list. The QWAC certificate must include the AIA extension by default, which is what enables this.
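The validation path described above, as an added example that is not part of the EPC specification or of any PSP's implementation: a server-side trust list in which both root and intermediate CAs act as anchors, a client presenting only its leaf certificate, and a fallback that follows the AIA caIssuers pointer when the issuer is not yet trusted. The root/issuing-CA/QWAC hierarchy is generated in memory and is not real QTSP material; the `aiaURL` value is a hypothetical caIssuers URL, and `AIAStore` stands in for the HTTP fetch a real server would perform. Only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const aiaURL = "http://example.invalid/qtsp-issuing-ca.cer" // hypothetical caIssuers URL in the QWAC's AIA extension (constructed)
const maxAIAHops = 3                                        // upper bound on issuers chased through AIA before giving up

func check(err error) {
	if err != nil {
		panic(err)
	}
}

type TestPKI struct{ Root, Inter, Leaf *x509.Certificate } // constructed root -> issuing CA -> QWAC, not real QTSP material

func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return c
}

// BuildTestPKI generates root -> intermediate -> leaf; the leaf names its issuer
// through the AIA (Authority Information Access) caIssuers URL, as a QWAC must.
func BuildTestPKI() *TestPKI {
	key := func() *ecdsa.PrivateKey { k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); check(err); return k }
	rootKey, interKey, leafKey := key(), key(), key()
	now := time.Now()
	tmpl := func(serial int64, cn string, isCA bool, ku x509.KeyUsage) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: isCA, BasicConstraintsValid: true, KeyUsage: ku,
		}
	}
	rootTmpl := tmpl(1, "Example QTSP Root CA", true, x509.KeyUsageCertSign)
	root := newCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	inter := newCert(tmpl(2, "Example QTSP Issuing CA", true, x509.KeyUsageCertSign), root, &interKey.PublicKey, rootKey)
	leafTmpl := tmpl(3, "Requesting PSP (QWAC)", false, x509.KeyUsageDigitalSignature)
	leafTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // TLS client authentication
	leafTmpl.IssuingCertificateURL = []string{aiaURL}                       // AIA caIssuers pointer
	leaf := newCert(leafTmpl, inter, &leafKey.PublicKey, interKey)
	return &TestPKI{Root: root, Inter: inter, Leaf: leaf}
}

// AIAStore is an offline stand-in for fetching an AIA caIssuers URL: URL -> DER certificate.
type AIAStore map[string][]byte

// ValidateClientCert treats every CA in trustList (root or intermediate) as a
// trust anchor. If the presented QWAC does not chain to one, the issuer named in
// its AIA extension is fetched from store and added as an intermediate, repeating
// until an anchor is reached. It returns the length of the validated chain.
func ValidateClientCert(leaf *x509.Certificate, trustList []*x509.Certificate, store AIAStore) (int, error) {
	anchors, intermediates := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trustList {
		anchors.AddCert(c)
	}
	current := leaf
	for hop := 0; hop <= maxAIAHops; hop++ {
		chains, err := leaf.Verify(x509.VerifyOptions{
			Roots: anchors, Intermediates: intermediates,
			KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		})
		if err == nil {
			return len(chains[0]), nil // anchored; no further validation of the anchor itself
		}
		if len(current.IssuingCertificateURL) == 0 {
			return 0, fmt.Errorf("%q not anchored and no AIA caIssuers URL: %w", current.Subject.CommonName, err)
		}
		der, ok := store[current.IssuingCertificateURL[0]]
		if !ok {
			return 0, fmt.Errorf("AIA fetch failed for %s", current.IssuingCertificateURL[0])
		}
		issuer, perr := x509.ParseCertificate(der)
		if perr != nil {
			return 0, perr
		}
		intermediates.AddCert(issuer) // extend the chain one hop towards the trust list
		current = issuer
	}
	return 0, fmt.Errorf("AIA hop limit (%d) exceeded without reaching a trust anchor", maxAIAHops)
}

func main() {
	p := BuildTestPKI()
	n, err := ValidateClientCert(p.Leaf, []*x509.Certificate{p.Root}, AIAStore{aiaURL: p.Inter.Raw})
	fmt.Println("chain length:", n, "err:", err) // prints 3 <nil>
}
```

With the issuing CA in the trust list, the leaf validates in one step and the chain stops at the intermediate (length 2). With only the root loaded, the first verification fails and the issuer has to be pulled in through AIA (length 3); if that fetch is unavailable, the handshake must be rejected. Go's crypto/x509, like most TLS server stacks, does not follow AIA on its own, which is why loading the intermediates into the server's trust list is the more robust choice.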
Resources:
- The EIDAS dashboard provides access to the lists of QTSP and other documentation: https://eidas.ec.europa.eu/efda/trust-services/browse/eidas/tls
- The EIDAS API documentation can be found here: https://eidas.ec.europa.eu/efda/swagger-ui/index.html
- https://ec.europa.eu/digital-building-blocks/DSS/webapp-demo/tl-info: trusted list summary including all country trusted lists and a meta-list pointing to the various lists (ec.europa.eu/tools/lotl/eu-lotl.xml)