OBE brought together a group of experts from the PSD2 API communities with experts on signature formats from ETSI. The group carried out a survey of the current approaches to secure communications for PSD2 based on EU Qualified Certificates as required under the EU “regulatory technical standards for strong customer authentication and common and secure open standards of communication”. As a result of the survey it was found that there were two basic approaches taken. About half API communities used JSON Web Signatures to protect the payload, whilst the other half use HTTP Signatures based on a draft specification originally authored by Cavage. HTTP signatures were chosen primarily because of its ability to protect HTTP header information. As a result, it was agreed to produce a common specification of how to protect PSD2 payloads which brings together the JSON Web Signatures with the ability of HTTP Signatures to protect HTTP header information. It was also the aim to align the specification with the ETSI “JAdES” specification for advanced electronic signatures and seals in line with the EU eIDAS regulation. The present document is this common specification.
This document defines a profile of JSON Web Signature (JWS hereinafter), as defined in RFC 7515 in support of secure communications under the Payment Services Directive 2015/2366 (PSD2). In particular, it is aimed at supporting the secure communications between payment service providers using qualified certificates for electronic seals, (Article 3(30) of Regulation (EU) No 910/2014), as required under Commission Delegated Regulation (EU) 2018/389  Article 34. ETSI has developed a standard for JWS which includes the special features already in other ETSI standards for AdES digital signatures and is aligned with Regulation (EU) No 910/2014, called JAdES (ETSI TS 119 182-1). The current profile is aligned with the basic (B-B) level of JAdES and makes use of JWS header parameters formally defined in JAdES. A description is provided of these JAdES header parameters in this specification along with additional requirements for their use.