Konsentus Powering Trust in Open Ecosystems

JSON Web Signature Profile for Open Banking

This document defines a profile of JSON Web Signature, as defined in RFC 7515, in support of secure communications under PSD2.


Background

OBE brought together a group of experts from the PSD2 API communities with experts on signature formats from ETSI. The group carried out a survey of the current approaches to secure communications for PSD2 based on EU Qualified Certificates, as required under the EU “regulatory technical standards for strong customer authentication and common and secure open standards of communication”. The survey found that two basic approaches had been taken. About half of the API communities used JSON Web Signatures to protect the payload, whilst the other half used HTTP Signatures based on a draft specification originally authored by Cavage. HTTP Signatures were chosen primarily because of their ability to protect HTTP header information. As a result, it was agreed to produce a common specification of how to protect PSD2 payloads that brings together JSON Web Signatures with the ability of HTTP Signatures to protect HTTP header information. A further aim was to align the specification with the ETSI “JAdES” specification for advanced electronic signatures and seals in line with the EU eIDAS regulation. The present document is this common specification.

Scope

This document defines a profile of JSON Web Signature (JWS hereinafter), as defined in RFC 7515, in support of secure communications under the Payment Services Directive 2015/2366 (PSD2). In particular, it is aimed at supporting secure communications between payment service providers using qualified certificates for electronic seals (Article 3(30) of Regulation (EU) No 910/2014), as required under Commission Delegated Regulation (EU) 2018/389 [15] Article 34. ETSI has developed a standard for JWS, called JAdES (ETSI TS 119 182-1), which includes the special features already in other ETSI standards for AdES digital signatures and is aligned with Regulation (EU) No 910/2014. The current profile is aligned with the basic (B-B) level of JAdES and makes use of JWS header parameters formally defined in JAdES. This specification describes these JAdES header parameters and gives additional requirements for their use.

This content was originally published in May 2021 for participants of the Open Banking Exchange Membership Programme. It consisted of the Open Banking Exchange’s sole opinion as of its date of publication and was intended for the general information of its members. It is now available for visitors to the Konsentus website.
