| OFB-CERT-1-ID1 | February 2023 | |
| Segurança | Standards Track | [Page] |
Este documento também está disponível em português.¶
The Open Finance Brasil Initial Structure is responsible for creating standards and specifications necessary to meet the requirements and obligations of the Brasil Open Finance Legislation as originally outlined by the Brasil Central Bank. There is a possibility that some of the elements of this document may be the subject to patent rights. OFBIS shall not be held responsible for identifying any or all such patent rights.¶
Specify the set of necessary certificates required by participating organizations in Open Finance Brasil to ensure interoperability for authentication, confidentiality, integrity and non-repudiation among participants, as well as for users and consumers of these entities. The audience of this specification are the entities participating in Open Finance Brasil that will issue certificates to authenticate themselves with other entities, as well as offering their customers a secure authentication channel.¶
The key words "shall", "shall not", "should", "should not", "may", and "can" in this document are to be interpreted as described in [ISO Directive Part 2][ISODIR2]. These key words are not to be used as lexicon terms such that any occurrence of them shall be interpreted as key words and are not to be interpreted with their natural language meanings.¶
This document specifies the types of certificates required for:¶
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applied. For undated references, the latest edition of the referenced document (including any amendments) applies.¶
For the purpose of this document, the terms defined in [RFC5280], [BCP195], [RFC8705], e ISO29100 apply.¶
The Open Finance Brazil ecosystem makes use of chains of certificates and TLS protocol to guarantee the confidentiality, authentication and integrity of the communication channel used by the APIs of the participating organizations, as well as the customers of each of the participants.¶
The certificates used by Open Finance Brasil are also required to authenticate applications through oAuth 2.0 mTLS or private_key_jwt, in addition to being used to perform the payload signature using JWS. Another important attribution of certificates is to authenticate and present a secure channel to the end user in the act of authentication and use of services provided by the participating organizations.¶
Certificates issued by Certifying Authorities authorized by ICP-Brasil are only used for communication between entities participating in the Open Finance Brasil ecosystem.¶
The certificate issuing and revocation processes are responsibility of the Certifate Authorities themselves, being regulated by Certification Practice Statements, and supervised by the Management Committee of the Brazilian Public Key Infrastructure (Comitê Gestor da Infraestrutura de Chaves Públicas Brasileira).¶
The practices, processes, availability and values practiced by the Certification Authorities are not responsibility of the Initial Structure of Open Finance Brasil.¶
Algorithms¶
All certificates issued by ICP-Brasil must have the following characteristics:¶
Participating Certificate Authorities¶
The following certifying authorities carried out the onboard process for Open Finance Brasil and are authorized to issue Open Finance Brasil certificates using the level 1 certificates listed here:¶
Only the certificates indicated with "Situação: válido" (which mean "status: valid") in these ITI repositories referenced above, which are Chain v5 and v10, should be accepted by the servers of the Open Finance Brasil ecosystem.¶
The Server Certificate must be issued to protect and authenticate the TLS channel used by the APIs that will be consumed by client applications of organizations participating in Open Finance.¶
The certificate standard used must follow the existing certificate issuing practices of "CERTIFICATE FOR WEB SERVER - ICP-Brasil".¶
The server certificate shall be sent with the intermediate chain, according to RFC5246.¶
Client Application Certificates (Transport) are used to authenticate the mTLS channel and to authenticate the client application through oAuth2.0 mTLS or private_key_jwt, according to the application registration performed by the Dynamic Client Registration process with the transmitting organization. Regarding mTLS, the client certificate shall be sent with the intermediate chain, according to RFC5246.¶
To issue a Client Certificate, the participating organization in Open Finance Brasil must register the application in the Directory Service through the Software Statement Assertion issue process, and thus have already obtained the Software Statement ID value.¶
The Client Certificate must be issued through the V10 chain, and must contain the following attributes:¶
Distinguished Name¶
Certificate Extensions¶
Subject Alternative Name¶
Signature Certificates are used to perform payload signature through the use of JWS (JSON Web Signature).¶
The Signature Certificate must be issued through the V5 chain, and must contain the following attributes:¶
Distinguished Name¶
Certificate Extensions¶
Subject Alternative Name¶
Front-End certificates are utilized to make services available, generally web pages, using TLS, that are acessible by the end users. Due to their function, and in order to guarantee better interoperability, those certificates must be of the type EV (Extended Validation) and must be generated by a valid certificate authority, following definitions of RFC 5280 e RFC 2818, in conformance with WebTrust principles and criteria.¶
Thanks to all who have set the foundations for secure and safe data sharing through the formation of the OpenID Foundation FAPI Working Group, the Open Finance Brasil GT Security and to the pioneers who will stand on their shoulders.¶
The following people contributed to this document:¶
Copyright (c) 2023 Open Finance Brasil Initial Structure.¶
The Open Finance Brasil Initial Structure (OFBIS) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty-free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft or Final Specification solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts and Final Specifications based on such documents, provided that attribution be made to the OFBIS as the source of the material, but that such attribution does not indicate an endorsement by the OFBIS.¶
The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation, the Open Finance Brasil GT Security Working Group and others. Although the Open Finance Brasil Initial Structure has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The Open Finance Brasil Initial Structure and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The Open Finance Brasil Intellectual Property Rights policy requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. The Open Finance Brasil Initial Structure invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that may cover technology that may be required to practice this specification.¶
[req] default_bits = 2048 default_md = sha256 encrypt_key = yes prompt = no string_mask = nombstr distinguished_name = client_distinguished_name req_extensions = req_cert_extensions [ client_distinguished_name ] businessCategory = <type of organization> jurisdictionCountryName = BR serialNumber = <CNPJ> countryName = BR organizationName = <Company Name> stateOrProvinceName = <UF> localityName = <City> organizationalUnitName = <Participant Code> UID = <Software Statement ID issued by the Directory> commonName = <FQDN|Wildcard> [ req_cert_extensions ] basicConstraints = CA:FALSE subjectAltName = @alt_name keyUsage = critical,digitalSignature,keyEncipherment extendedKeyUsage = clientAuth [ alt_name ] DNS = <FQDN|Wildcard>¶
oid_section = OIDs [req] default_bits = 2048 default_md = sha256 encrypt_key = yes prompt = no string_mask = nombstr distinguished_name = client_distinguished_name req_extensions = req_cert_extensions [ OIDs ] organizationIdentifier = 2.5.4.97 [ client_distinguished_name ] businessCategory = <type of organization> jurisdictionCountryName = BR serialNumber = <CNPJ> countryName = BR organizationName = <Company Name> stateOrProvinceName = <UF> localityName = <City> organizationIdentifier = OFBBR-<Participant Code> UID = <Software Statement ID issued by the Directory> commonName = <FQDN|Wildcard> [ req_cert_extensions ] basicConstraints = CA:FALSE subjectAltName = @alt_name keyUsage = critical,digitalSignature,keyEncipherment extendedKeyUsage = clientAuth [ alt_name ] DNS = <FQDN|Wildcard>¶
[req] default_bits = 2048 default_md = sha256 encrypt_key = yes prompt = no string_mask = nombstr distinguished_name = client_distinguished_name req_extensions = req_cert_extensions [ client_distinguished_name ] UID = <Participant Code> countryName = BR organizationName = ICP-Brasil 0.organizationalUnitName = <Certificate Authority> 1.organizationalUnitName = <CNPJ of the Registration Authority> 2.organizationalUnitName = <Validation type> commonName = <Company Name> [ req_cert_extensions ] basicConstraints = CA:FALSE subjectAltName = @alt_name keyUsage = critical,digitalSignature,nonRepudiation [ alt_name ] otherName.0 = 2.16.76.1.3.2;PRINTABLESTRING:<Name of the person responsible for the organization> otherName.1 = 2.16.76.1.3.3;PRINTABLESTRING:<CNPJ> otherName.2 = 2.16.76.1.3.4;PRINTABLESTRING:<CPF/PIS/RF of the responsible person> otherName.3 = 2.16.76.1.3.7;PRINTABLESTRING:<INSS Number>¶
Below we present which endpoints can be published utilizing the EV certificate as consent authentication and the endpoints of private/bussiness API authentication using the ICP certificate. You will also be able to check which endpoints must protect its connections using mTLS.¶
ASPSP may choose the certificate that should be adopted for Phase 1 endpoints, which, by nature, are publicly accessible.¶
| OFB Phase | group | endpoint | certificate type | mTLS |
|---|---|---|---|---|
| NA | OIDC | .well-known/openid-configuration | EV or ICP WEB SSL | |
| NA | OIDC | jwks_uri | EV or ICP WEB SSL | |
| NA | OIDC | authorization_endpoint | EV | |
| NA | OIDC | token_endpoint | ICP WEB SSL | Required |
| NA | OIDC | userinfo_endpoint | ICP WEB SSL | Required |
| NA | OIDC | pushed_authorization_request_endpoint | ICP WEB SSL | Required |
| NA | DCR | registration_endpoint | ICP WEB SSL | Required |
| NA | OIDC | revocation_endpoint | ICP WEB SSL | Required |
| 2 | Consentimentos | /consents/* | ICP WEB SSL | Required |
| 2 | Resources | /resources/* | ICP WEB SSL | Required |
| 2 | Dados | /customers/* | ICP WEB SSL | Required |
| 2 | Cartão | /credit-cards-accounts/* | ICP WEB SSL | Required |
| 2 | Contas | /accounts/* | ICP WEB SSL | Required |
| 2 | Empréstimos | /loans/* | ICP WEB SSL | Required |
| 2 | Financiamentos | /financings/* | ICP WEB SSL | Required |
| 2 | Adiantamento | /unarranged-accounts-overdraft/* | ICP WEB SSL | Required |
| 2 | Direitos Creditórios | /invoice-financings/* | ICP WEB SSL | Required |
| 3 | Pagamentos | /payments/* | ICP WEB SSL | Required |