From c8db85cc9900c42a84ad0d09456f2e6e9931c672 Mon Sep 17 00:00:00 2001 From: Florian Dold Date: Wed, 13 May 2020 20:38:59 +0530 Subject: EBICS bank transport doc --- libeufin/bank-transport-ebics.rst | 48 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 libeufin/bank-transport-ebics.rst (limited to 'libeufin/bank-transport-ebics.rst') diff --git a/libeufin/bank-transport-ebics.rst b/libeufin/bank-transport-ebics.rst new file mode 100644 index 00000000..1363fa3e --- /dev/null +++ b/libeufin/bank-transport-ebics.rst 
@@ -0,0 +1,48 @@ +The EBICS Bank Transport +======================== + +An EBICS bank transport in LibEuFin conceptually corresponds +to the "EBICS Subscriber" in EBICS terminology. + + +Bank Transport Setup +-------------------- + +The following steps are required to set up an EBICS bank transport: + +1. The bank must set up the EBICS access for the user. + The bank will notify the user of the following parameters: + + * the URL of the EBICS server used by the bank + * the HostID of the bank within the EBICS server (sometimes one EBICS server hosts multiple banks) + * the PartnerID (typically identifies the owner of the bank account within the banking system) + * the UserID (typically identifies the person that accesses the bank account, can be different from the owner) + * the SystemID (optional and rarely used, basically a "sub-identity" of a subscriber when multiple technical + systems have access to the account via EBICS) + +2. The user enters the information from the list above in the setup dialog in the LibEuFin nexus (UI/CLI). +3. The LibEuFin nexus generates cryptographic key material (3 RSA key pairs) +5. The nexus sends the public keys electronically to the bank's EBICS server, together with the information + identifying the subscriber (PartnerID, UserID, SystemID). +6. The user print a document that contains the public key and hashes for all three key pairs. + The user then signs this document sends it to the bank (physically/scanned). +7. The bank receives the letter and verifies that the keys from the letter correspond + to the electronically sent keys. If they match, the bank sets the state of the + subscriber to "ready". +8. The user now has to wait until the bank has set the EBICS subscriber state to "ready". + There is no in-band notification for this, but the Nexus can try downloading the bank's + cryptographic parameters. This will only succeed once the EBICS subscriber is set to "ready" + by the bank. +9. 
The user should confirm the public keys of the bank received in the previous step. + Typically the bank gives the value of these public keys in an out-of-band channel. +10. Now the user can finally use the EBICS bank transport. The first step after finishing + the setup should be to import the bank accounts accessible for this EBICS subscriber. + + +Alternative ways of setting up the EBICS bank transport are: + +* Importing from a backup. The backup contains metadata (EBICS URL, HostID, + UserId, ...) and the three passphrase-protected subscriber keys. +* Certificate-based setup (currently not supported by LibEuFin, only used in France) + + -- cgit v1.2.3 From 4830df09a3b00355db5c91c1c9dcebf9fec41f90 Mon Sep 17 00:00:00 2001 From: Florian Dold Date: Wed, 13 May 2020 20:50:22 +0530 Subject: fix markup --- libeufin/bank-transport-ebics.rst | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'libeufin/bank-transport-ebics.rst') diff --git a/libeufin/bank-transport-ebics.rst b/libeufin/bank-transport-ebics.rst index 1363fa3e..0d06f83b 100644 --- a/libeufin/bank-transport-ebics.rst +++ b/libeufin/bank-transport-ebics.rst 
@@ -21,20 +21,27 @@ The following steps are required to set up an EBICS bank transport: systems have access to the account via EBICS) 2. The user enters the information from the list above in the setup dialog in the LibEuFin nexus (UI/CLI). + 3. The LibEuFin nexus generates cryptographic key material (3 RSA key pairs) + 5. The nexus sends the public keys electronically to the bank's EBICS server, together with the information identifying the subscriber (PartnerID, UserID, SystemID). + 6. The user print a document that contains the public key and hashes for all three key pairs. The user then signs this document sends it to the bank (physically/scanned). + 7. The bank receives the letter and verifies that the keys from the letter correspond to the electronically sent keys. If they match, the bank sets the state of the subscriber to "ready". + 8. The user now has to wait until the bank has set the EBICS subscriber state to "ready". There is no in-band notification for this, but the Nexus can try downloading the bank's cryptographic parameters. This will only succeed once the EBICS subscriber is set to "ready" by the bank. + 9. The user should confirm the public keys of the bank received in the previous step. Typically the bank gives the value of these public keys in an out-of-band channel. + 10. Now the user can finally use the EBICS bank transport. The first step after finishing the setup should be to import the bank accounts accessible for this EBICS subscriber. -- cgit v1.2.3
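Review bot: step 9 of the setup list added in the "EBICS bank transport doc" commit only says the user "should confirm" the bank's public keys, without saying what is compared or what follows if the check is skipped. Step 8 obtains those keys in-band from the EBICS server, so this confirmation is what ties them to the bank. Suggest wording it as a required step, naming what is compared against the bank's out-of-band value (for example key hashes, as the letter in step 6 does for the subscriber keys), and stating that step 10 must not proceed until the values match. In the same hunk, step 6 reads "The user print a document" and "signs this document sends it"; these should be "prints" and "signs this document and sends it". The backup bullet also writes "UserId" where the parameter list in step 1 uses "UserID".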
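Review bot: the jump from "3." to "5." in the numbered list is still present after the "fix markup" commit. The added blank lines separate the items, but there is no step 4, and reStructuredText expects consecutive enumerators, so the list is likely to be split or flagged at that point. Suggest renumbering 5 through 10 as 4 through 9, or switching to "#." auto-enumeration so later insertions do not need manual renumbering. Step 3 also still ends without a period, unlike the other items.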