Appendix A Key Concepts
Merchant BankID Activation process
Merchant BankID activation is not part of the merchant implementation, but an activated Merchant BankID is required to have a functioning BankID server implementation. What follows is information about the necessary steps needed to peform the activation.
The activation process starts with a bank placing an order for a Merchant BankID on behalf of the merchant. After the order is successfully processed, the bank sends a shared secret and a unique activation URL to the merchant. The merchant will use the shared secret and activation URL to activate the BankID.
The merchant uses the 'HAT' application (available as part of the BankID distribution) to process the activation for the existing order, After starting the application and selecting the activation menu item, the merchant enters the activation URL and will be prompted for the shared secret and BID file passphrase.
Depending on the type of Merchant BankID ordered, key storage will either be file based or HAT will use a Hardware Security Module (HSM) to store the BankID key pairs. In the latter case, the merchant must provide details for connection to the HSM, in addition to the shared secret and pass-phrase. HAT will store the activated BankID as a local bid-file containing references to the key pairs in the HSM. If file based storage was selected when the order was placed, the file will contain the keys themselves.
Please refer to the HAT user guide [HAT] on the release CD for a detailed description of HAT and detailed instructions for use.
After activation, the BID-file(s) must be placed in the appropriate directory on the merchant server that is going to use them, and the BankID server configuration must be updated accordingly.
In preproduction environment, certificates and their activation may be done interactivevely with or without the HAT tool. See Certificate tools.
Certificate Policies
The following definition of a certificate policy is found in RFC 3647:
RFC 3647
3.1. Certificate Policy
When a certification authority issues a certificate, it is providing a statement to a certificate user (i.e., a relying party) that a particular public key is bound to the identity and/or other attributes of a particular entity (the certificate subject, which is usually also the subscriber). The extent to which the relying party should rely on that statement by the CA, however, needs to be assessed by the relying party or entity controlling or coordinating the way relying parties or relying party applications use certificates. Different certificates are issued following different practices and procedures, and may be suitable for different applications and/or purposes.
An issued certificate contains a reference to the applicable policy used when issuing the certificate. The reference is in the form of an OID located in the certificate policies extension. BankID has defined different policies for different types of subscribers (Banklagret end-user, Merchant) as well as for different types of certificates (Person, Employee).
The table below contains a non-exhaustive list of Policy OIDs in BankID:
OID | Description |
---|---|
2.16.578.1.16.1.9.1 | Banklagret end-user PERSONAL certificate |
2.16.578.1.16.1.11.2.1 | Banklagret end-user EMPLOYEE certificate |
2.16.578.1.16.1.12.1.1 | Banklagret end-user Qualified PERSONAL certificate |
2.16.578.1.16.1.13.1.1 | Banklagret end-user Qualified EMPLOYEE certificate |
2.16.578.1.16.1.12.2.1 | BankID on Mobile end-user PERSONAL certificate |
For further details:
- RFC 3647 - Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework