[GNC-dev] German online banking users would need a 3.7 release before mid-September...

Christian Stimming christian at cstimming.de
Sun Aug 11 14:43:58 EDT 2019


Am Samstag, 10. August 2019, 20:32:00 CEST schrieb John Ralls:
> > the German online banking users have received notice from their banks that
> > due to EU regulations, from mid-September onwards (Sept 14th) the banking
> > client software has to use a registered product key, otherwise the bank
> > server connection will be refused.
> > 
> > (In German: https://www.hbci-zka.de/register/prod_register.htm )
> > 
> > For gnucash, I have registered and received such a product key, and in the
> > communication to me there haven't been any restrictions that would pose
> > problems for open source software. Hence, as long as gnucash will stick to
> > this procedure and send the product key, the users (and we) should be
> > fine.
> 
> Apparently the bank servers were supposed to have switched over last week,
> see https://www.hbci-zka.de/register/register_faq.htm. The 14 September
> deadline seems to have something to do with using FinTS bank interfaces via
> third party services, see https://subsembly.com/apidoc/fints/index.html
> under "PSD2 Client Registration". I suppose some users may have configured
> GnuCash to do that and now will have to reconfigure to talk to their banks
> instead. There's nothing we can do about that.

The information on the zka.de website about the dates is (no pun intended)
outdated, and the information there has also been unchanged for many months. The date
of Sept. 14th is what various users received as notification from their banks
quite recently; that's where this date is from.

> Regardless, we can do a snap release as soon as we can get the registration
> number issue sorted and I can make time to do the release.

The Windows nightly was built last night. On gnucash-de I asked Windows users
to start testing it. Let's see whether this is indeed sufficiently
implemented. Once some positive feedback has arrived, a 3.7 release sometime
in August would indeed be great - as it fits best for you.

> I am a bit concerned about the registration number being published. What's
> to prevent a bad actor from taking it and using it in a different,
> malicious, application? What might be the consequences? Would DK revoke
> GnuCash's registration? I think it more likely that the folks at DK didn't
> even consider the possibility that there might be an open source financial
> application than that it doesn't matter to them.

I totally understand these concerns, and they hold for any open source project
here, not only ours. Such as: KMyMoney, Hibiscus, aqbanking, but there are
surely more. As it turns out, we've discussed those very same points on
gnucash-de several months ago (in German) because the various people there
came up with the same questions. Some people have asked at the ZKA for a
statement regarding their view on open source software. Eventually we got a
reply which is in our favor: This registration number has no legal obligations
behind it. It is merely a tool for guiding the user support into better suited
answers. There's no security level introduced by this here, and it is known
to the ZKA that open source software will have this number observable in the
public source code. Yes, this in turn questions the whole point of this
fuss... on the other hand, if the bank server will otherwise refuse the whole
online connection in the first place, we also have to do something about it.

Regards,

Christian



