The German variant, featuring automatic key pair generation for encryption (E002), authentication (X002) and for signatures (A005/A006), is currently the variant in use in Switzerland, while the German VEU system (distributed digital signature) is in the first planning stages.
This
enables the use of signature models with several personally
identifiable signatures, which can be created and submitted with or
after the order dispatch. The big Swiss banks, however, currently use
the individual and transport signatures. The role of the individual
signature is usually to establish a "corporate seal". This is where a
company is identified instead of the person who actually approved the
order. The customer's software system is used to regulate and manage the
usage of these "corporate seals". For transport signatures, the
approval is transferred over a separate channel, but not like in France,
where an accompanying document is still sent manually, but rather via
access to online banking.On the other hand, this practice is increasingly subject to criticism by the legal and security departments of the Swiss financial institutions, who require precise authentication of the person who signed off the order. In this case VEU would be a useful tool to help the banks shorten the current lengthy processing times caused by the banks' administration of signature rules.
The TS model (Transport and Signature) of France in combination with CA-based certificates for the electronic signature is seen as an attractive solution because it alleviates the problem of unrestricted validity of the encryption key and the central blocking seems to minimise the security risks. Ideally this will then be combined with a security token which can be used only by the person who created the order. "In for a penny, in for a pound!", one might be tempted to say, but this is how we Swiss are; if a standard offers these kinds of functionalities, why not use them? Also, in terms of regulation, the current trend seems to be that financial institutions will not easily be able to deny the risks of using "corporate seals" in a contract disclaimer in the future (see also the ECB's „Assessment Guide for the Security of Internet Payments“).
A consistent recipe is needed
The key issue here is the current diversity of EBICS variants and the confusion over which variant should be implemented for the market to suit the needs of those involved, i.e. the customer, software developer and bank. Are there now CA-based certificates and if there are, for what type of key? Which CAs are accepted across multiple banks? What properties should this kind of certificate have? Does the application of security tokens apply only to the signature (A005/A006) or also to the other authentication and encryption keys? Could security tokens conceivably be used without a CA, therefore requiring only external retention of the key by the signing-off contractee?
With its similar diversity in variants and recipes, the whole thing somehow brings Bircher muesli to mind. The EBICS community strives to establish the standard in Europe, but a consistent recipe for this key-muesli would certainly be an advantage from which users would also benefit. If not, it will become more and more difficult to establish this international standard. I believe that this should be one of the first items on the EBICS working group's agenda.
Carsten Miehling
