TSP or Bank

• The TSP/Bank

• describes the change
• Send it to

• Andreas.Havsberg@bits.no and Torgeir.Sorvik@bits.no for approval

The respective TSP or Bank will require to have in place internal routines for move or merger of RA's.

Decide the following:

• How to deal with the OTP tokens
• End user impact
• Information to end users
• How to deal with logs and how/who to archive (admin logs for certificates)

The respective TSP or Bank have to create and send a formal order to Vipps

as an electronically signed document, signed by TSP or Bank.

This order should contain:

• The purpose of the move or merger of the mention RA
• Detailed move or merger from and to what CA

• Approval from Bits

Sign it electronically and send it to ??

The respective TSP or Bank have to fill out required order forms and send it to Vipps signed before or during the RA ceremony.

A copy must be sent before the RA ceremony.

• TSP

• /Bank fills out the required order form.
• Send a copy to ?? before the RA ceremony

RA XML request and Primary CAO token "Dongle"

The RA XML request must be created on the TSP system, for example through HAT tool. Primary CAO token is normally stored in a safe at the respective TSP (CA responsible). 

The respective Key Custodian for the TSP is responsible to carry and bring the RA XML request and the Primary CAO token "dongle" to the RA ceremony.

USB stick and Identification

Vipps recommend that Key Custodian always bring a new and unused USB stick and approved identification such as passport or driver license. If the Key Custodian is a non-Norwegian citizen, they must bring their passport. 

Make sure that the USB stick is new and unused

Vipps will ensure that everything is in place and coordinate the ceremony and switchover with all stakeholders.

Check that the

following is in place

:

•  BITS approval - If not provided by the TSP or Bank, contact BITS and verify
•  Formal

• order received
•  

• Signed order forms
  •  Signed - Naming of RA (Required)
  •  Signed - Revoke RA XML Request (Optional)
•  TSPs Primary CAO token
•  TSPs/Bank RA XML Request

If all is in place

, all stakeholders align and agree on date and time for the following:

•  1. RA ceremony
•  2. Activation of New RA XML Sign Certificate

•  3. Switchover 
•  4. Revoke RA XML (Optional)

Normally step 2, 3 and 4 happens within the same 24h.

Vipps

will send out an meeting invite for

the ceremony and the

switchover.

Create and send out the invitation to all stakeholders.

The invitation should contain, but not limited to:

• Purpose and description
• Date
• Time
• Duration
• Virtual Meeting Link or Address
• Attendees and contact points
• Information on what to bring

Vipps

• Key Custodian ID check
• USB virus scan (USB stick that contains the RA XML Sign request)
• All required documentation is in place
  • Note that RA naming order forms are to be stored in the BankID High secure room

• • . When the documentation is signed

• • electronically,

• • a copy of

• • the document are to be stored

Vipps is to perform the RA ceremony

Issue New RA XML/SSL certificate(s) on New CA

TSP/Bank need to send a request to Vipps

• Write a request for activation of New RA XML Sign certificate(s) in BankID COI.

• The request needs to contain:
  • ??
• Send it to ??

Vipps is to activate the new certificates.

This is normally done during the same day as the Switchover.

Plan and implement the switchover.

This is normally done at midnight 00:00.

TSP/Bank:

1. Send an order for switchover issuing CA in BankID COI from old to New CA

1. • Send it to ??

Vipps:

1. Do the switchover
2. Inform the TSP/Bank

TSP/Bank:

1. Run test case sets

1.  to verify
   1. If successful, move to the next step
   2. If unsuccessful, investigate and resolve then move to next step
   3. if unsuccessful, not possible to fix, do a rollback
      • When rollback is done,

1. 1. • run test case sets

1. 1. •  to verify

1. Send an order for revoke of old RA XML Sign certificate in BankID COI (optional)

1. • Send it to ??

Vipps:

1. Revoke the old certificate

1. Bank renew end user BankID certificates
2. Bank asks merchants to renew merchant BankID's using HAT
3. Possible change of OTP Service by adding new and then removing old for each Banklagret BankID