
 Date: 2018-12-04

Time: 14:30-15:30 CEST

Type of meeting: GoToMeeting (https://global.gotomeeting.com/join/704521469)

Participants and absentees


Chair

Hans Berg as eDelivery Community Leader


Participants

Risto Collanus (Visma / Maventa) eDelivery / TICC CMB

Bård Langöy (Pagero) eDelivery / TICC CMB

Philip Helger (BRZ) eDelivery / TICC CMB

Jesper Larsen (OpenPEPPOL Operating Office)

Mikael Aksamit (OpenPEPPOL Operating Office)

Erlend Klakegg Bergheim (Difi)

Jens Aabol (Difi)

Anderz Petersson (DIGG)

Clara Wadman (DIGG)

Nihad Hodzic (ERST)


Background to PEPPOL PKI v.3 migration

  • Improved security. The v.2 PKI infrastructure is based on SHA-1, whose use is strongly discouraged because of its security risks. The v.3 PKI infrastructure is based on certificates supporting SHA-256, which is currently the recommended web standard.

Agenda

  1. PKI v.3 migration
    1. Decide on which actions to take if a service provider does not comply with the timeline set out in PKI Certificate Migration 2018.
      1. T1 (Sep 3, 2018): APs must be able to receive transactions signed with either v.2 or v.3.
      2. T2 (Dec 1, 2018): APs must send with v.3.


PEPPOL Policy for transport security

  1. Self-signed certificates are not allowed (as mentioned in the PEPPOL AS2 specs).
  2. The SSL certificate must have been recognised by both Java and Microsoft for at least 6 months.
  3. Grade "A" TLS configuration according to SSL Labs (https://www.ssllabs.com/ssltest).
  4. Access points are not allowed to tamper with provided trust lists.
  5. A PEPPOL Access Point not graded "A" is considered to be unavailable with regard to the Transport Infrastructure Agreement.


Decisions


Action items
