The Bircher muesli of keys

As was already mentioned on a blog post on 25/07/14, "EBICS has arrived in Switzerland", the Swiss financial centres are moving in on the EBICS community of the country's two biggest neighbours, France and Germany. The perception of EBICS in France has proved to be somewhat different than in Germany, while Swiss stakeholders are unsure about which variant would be the best for them. In terms of order types, the trend is currently leaning towards France, i.e. FUL/FDL in conjunction with the use of format parameters, instead of the multitude of order types in Germany. But when it comes to the application of electronic signatures, things get a little more complicated. Precisely how should these be implemented for customers? 

The German variant, featuring automatic key pair generation for encryption (E002), authentication (X002) and for signatures (A005/A006), is currently the variant in use in Switzerland, while the German VEU system (distributed digital signature) is in the first planning stages. This enables the use of signature models with several personally identifiable signatures, which can be created and submitted with or after the order dispatch. The big Swiss banks, however, currently use the individual and transport signatures. The role of the individual signature is usually to establish a "corporate seal". This is where a company is identified instead of the person who actually approved the order. The customer's software system is used to regulate and manage the usage of these "corporate seals". For transport signatures, the approval is transferred over a separate channel, but not like in France, where an accompanying document is still sent manually, but rather via access to online banking.

On the other hand, this practice is increasingly subject to criticism by the legal and security departments of the Swiss financial institutions, who require precise authentication of the person who signed off the order. In this case VEU would be a useful tool to help the banks shorten the current lengthy processing times caused by the banks' administration of signature rules.

The TS model (Transport and Signature) of France in combination with CA-based certificates for the electronic signature is seen as an attractive solution because it alleviates the problem of unrestricted validity of the encryption key and the central blocking seems to minimise the security risks. Ideally this will then be combined with a security token which can be used only by the person who created the order. "In for a penny, in for a pound!", one might be tempted to say, but this is how we Swiss are; if a standard offers these kinds of functionalities, why not use them? Also, in terms of regulation, the current trend seems to be that financial institutions will not easily be able to deny the risks of using "corporate seals" in a contract disclaimer in the future (see also the ECB's „Assessment Guide for the Security of Internet Payments“).

A consistent recipe is needed 

The key issue here is the current diversity of EBICS variants and the confusion over which variant should be implemented for the market to suit the needs of those involved, i.e. the customer, software developer and bank. Are there now CA-based certificates and if there are, for what type of key? Which CAs are accepted across multiple banks? What properties should this kind of certificate have? Does the application of security tokens apply only to the signature (A005/A006) or also to the other authentication and encryption keys? Could security tokens conceivably be used without a CA, therefore requiring only external retention of the key by the signing-off contractee?

With its similar diversity in variants and recipes, the whole thing somehow brings Bircher muesli to mind. The EBICS community strives to establish the standard in Europe, but a consistent recipe for this key-muesli would certainly be an advantage from which users would also benefit. If not, it will become more and more difficult to establish this international standard. I believe that this should be one of the first items on the EBICS working group's agenda.

Carsten Miehling

0 comments:

Post a Comment