Message signatures should use orgId/softwareStatementId in the issuer field
Closed this issue · 0 comments
The open banking specification states:
This must be a string that identifies the PSP.
If the issuer is using a certificate this value must match the subject of the signing certificate.
If the issuer is using a signing key lodged with a Trust Anchor, the value is defined by the Trust Anchor and should uniquely identify the PSP.
For example, when using the Open Banking Directory, the value must be:
When issued by a TPP, of the form {{org-id}}/{{software-statement-id}},
When issued by an ASPSP, of the form {{org-id}}
Where:
org-id is the open-banking issued organization id
software-statement-id is the open-banking issued software-statement-id
There is a bug in that TPPs have found that they must set the ClientID in the issuer field, even when they onboarded and obtained certs from the Open Banking Directory.
It would make sense to align these so that OrgId and SoftwareStatementId have to be used when signing with a ForgeRock-issued signing certificate too.
This was first reported in the open-banking, forgerock_support slack channel.
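As an added illustration (not code from this project or the Open Banking spec), the following Python checks the issuer header of a detached JWS against the registered ids in the way the spec text above requires: a TPP-signed message must carry org-id/software-statement-id and an ASPSP-signed message the bare org-id, so a ClientID placed in the field is rejected. It uses the `http://openbanking.org.uk/iss` header name from the Open Banking message-signing profile and assumes the ids are opaque tokens with no "/" in them; `make_detached_jws` builds a test message around a placeholder signature, since only the protected header matters here.

```python
import base64
import json
import re
from typing import Optional, Tuple

# Assumed identifier shape: org-id and software-statement-id are treated as
# opaque tokens that cannot contain the "/" separator.
_TOKEN = r"[A-Za-z0-9_-]+"
_TPP_ISS = re.compile(rf"^({_TOKEN})/({_TOKEN})$")
_ASPSP_ISS = re.compile(rf"^{_TOKEN}$")
_ISS_HEADER = "http://openbanking.org.uk/iss"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_detached_jws(header: dict) -> str:
    """Build a detached JWS (header..signature) around a placeholder
    signature; only the protected header matters for the issuer check."""
    return f"{_b64url(json.dumps(header).encode())}..{_b64url(b'placeholder')}"


def jws_header(detached_jws: str) -> dict:
    """Return the protected header of a detached JWS."""
    parts = detached_jws.split(".")
    if len(parts) != 3 or parts[1] != "":
        raise ValueError("expected a detached JWS of the form header..signature")
    return json.loads(_b64url_decode(parts[0]))


def check_issuer(detached_jws: str, expected_org_id: str,
                 expected_ssa_id: Optional[str] = None) -> Tuple[bool, str]:
    """Compare the issuer header with the ids held for the registered party:
    TPP messages (expected_ssa_id given) need org-id/software-statement-id,
    ASPSP messages need the bare org-id. A client_id placed here fails."""
    iss = jws_header(detached_jws).get(_ISS_HEADER)
    if not isinstance(iss, str):
        return False, f"missing {_ISS_HEADER} header"
    if expected_ssa_id is not None:
        m = _TPP_ISS.match(iss)
        if not m:
            return False, "TPP issuer must be of the form org-id/software-statement-id"
        if (m.group(1), m.group(2)) != (expected_org_id, expected_ssa_id):
            return False, "issuer does not match the registered org-id/software-statement-id"
        return True, "ok"
    if not _ASPSP_ISS.match(iss) or iss != expected_org_id:
        return False, "ASPSP issuer must be the bare registered org-id"
    return True, "ok"
```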