Operational information

All upcoming customer-affecting changes for E-Ident.

Service window for Finnish Trust Network

Time: 2021-09-21 23:00 - 2021-09-22 00:30 EEST

Information

The Finnish bank S-Bank has announced a service window for their identification service. During the service window, identifications with S-Bank through the FTN service will be unavailable.

Service window E-Ident - removing the JWK certificate

Summary

The certificate returned by the E-Ident JWKS endpoint is expiring on September 24. This certificate was issued by the now retired Eurida Connect CA and will not be renewed. Signed tokens should be validated using the key parameters already published on the JWKS endpoint.

This change will be performed in the customer test environment on September 1 and in the production environment on September 22. This change affects customers using the OIDC protocol.

Please send any feedback to Nets support.

Background

The "x5c" parameter is an optional part of the JWK spec. It contains a certificate which can be used to validate signatures. The public key parameters in the certificate are required to also be present directly in the JWKS response (the "n" and "e" fields for RSA keys). So the certificate is not strictly required for validating ID token signatures from E-Ident.

As the E-Ident JWK certificate is not frequently used, Nets plans to retire it and remove the x5c field from the JWKS endpoint. Other JWK fields, such as the public key parameters, will be unchanged. If your system uses these parameters to validate the signed tokens today, it should continue to work after this change.

ID tokens from E-Ident refer to the public key using the "kid" (key ID) field. This does not require the use of certificates and will continue to work as today. 

What you need to do

If you use OpenID Connect (OIDC) in E-Ident, check that your system does not rely on the x5c certificate for validating signed ID tokens. You can test this in the E-Ident customer test environment after September 1, when the change has been performed there.

Timeline

Time        Environment    Description
2021-09-01  Customer test  The x5c certificate is removed from the customer test environment.
2021-09-22  Production     The x5c certificate is removed from the production environment.

Service window for Finnish Trust Network

Time: 2021-09-26 00:00 - 11:00 EEST

Information

The Finnish bank OP has announced a service window for their identification service. During the service window, identifications with OP through the FTN service will be unavailable.

Service window E-Ident - cipher changes

Time: 2021-11-10 22:00 - 23:59 CET

Information

The ciphers used in the TLS communication for E-Ident are planned to be updated during this service window. The ciphers are updated to ensure the security of the communication and to be aligned with external requirements. After the update, these ciphers will be supported:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS

The ciphers have already been updated in our customer test environment, and we encourage all customers to test their applications prior to the production date. If you encounter any issues, please contact support.

The service will run as normal during the service window.