[GNC] UK specific: MTD - Making Tax Digital

Edward Bainton bainton.ete at gmail.com
Fri Jan 29 12:16:08 EST 2021


Well done! :-)

Maybe HMRC can be persuaded that open source devs aren't responsible for
misuse and be more lenient than with proprietary apps.

On Fri, 29 Jan 2021, 16:13 Mark, <alien.technology at gmail.com> wrote:

> My application for HMRC VAT production credentials was approved, so
> this project can (in theory) be used to submit VAT returns from
> GnuCash:
>
>   https://github.com/cybermaggedon/gnucash-uk-vat
>
> I say "in theory": my company is not VAT registered yet, so, other than
> testing with an emulator and the sandbox, I haven't used this in
> anger.
>
> I enquired about including the credentials in open-source projects. I
> was informed this is OK and that this has happened before, but I don't
> know in which projects.
>
> Reading the documentation, if there's any fraud/inappropriate use, the
> credentials are going to get pulled by HMRC.  There's not much an
> open-source project can do to prevent inappropriate use if a malicious
> person chooses to use the credentials inappropriately.  Having said
> that (my day job is security engineer), it's not difficult to get
> credentials such as these out of a proprietary desktop or mobile
> application in which they're embedded if someone malicious wants to do
> that.  A primary defence against abusing somebody else's VAT account
> is that VAT users have to elect to trust an application, and can
> choose not to.  A secondary defence is the rotation of client secrets
> if compromised.
>
> > > Lots of subquestions in that regard:
> > > 1. How does HMRC "approve" a bridge for "production"? And can the code of
> > > the bridge still change after approval without re-approval?
> >
> > There is an approval process. Anyone can get credentials on the sandbox
> > API, but the approval process applies to getting production credentials.
> >  I'm part-way through the process so I haven't seen it to the end yet.
> > There are some questionnaires to fill in, and HMRC verify that the API
> > usage is correct by looking at logs in the sandbox environment.
> >
> > There are two types of application: "In-house" is used for an enterprise
> > which wants production access to submit their own VAT records. "Retail" is
> > used for a developer which creates a VAT product for other people to use.
> > I'm part-way through a retail application.
> >
> > The API reference is public online, but you get access to more detailed
> > documentation by submitting an application for production credentials.
> >
> >
> > > Is there a check on the resulting binary or do they
> > > use some other kind of validation?
> >
> > No, there is no validation of the binary / code itself.  The HTTP request
> > must meet what HMRC call the 'Fraud API' which is a bunch of headers
> > describing various things like the hardware, device ID, local IP/MAC
> > address, software version, etc. The internal use of these headers is not
> > defined, but I guess there's some anomaly detection for fraud/abuse
> > purposes.
> >
> >
> > > 2. Do you intend to keep your bridge as a separate project, to which
> > > gnucash can interface? Or would you like the functionality to become
> > > part of the gnucash code?
> > > 3. Will you provide your integration (in whatever form) in a way that it's
> > > compatible with the GPL code (under which gnucash is released)?
> >
> > The code I published at github.com/cybermaggedon/gnucash-uk-vat is a
> > separate bridge which uses the Python API, and is licensed under the GPL.  I
> > would be up for getting involved in a development to integrate a capability
> > with GnuCash if there's enough interest.
> >
> > Mark.
> _______________________________________________
> gnucash-user mailing list
> gnucash-user at gnucash.org
> To update your subscription preferences or to unsubscribe:
> https://lists.gnucash.org/mailman/listinfo/gnucash-user
> If you are using Nabble or Gmane, please see
> https://wiki.gnucash.org/wiki/Mailing_Lists for more information.
> -----
> Please remember to CC this list on all your replies.
> You can do this by using Reply-To-List or Reply-All.
>
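The "Fraud API" headers Mark describes above are values the client reports about itself. The following is an added example (editor's code, not code from gnucash-uk-vat or from anyone in this thread) of how a Python bridge for a desktop application would assemble those headers and refuse to send a request that lacks one. The header names follow HMRC's published fraud-prevention specification as the editor recalls it; the exact set required for a given connection method and the value formats are assumptions to be confirmed against the current specification, and every device value below is constructed sample data rather than anything read from real hardware.

```python
"""Assemble and sanity-check HMRC MTD fraud-prevention ("Gov-Client-*") headers.

Added example; not code from gnucash-uk-vat or from the mailing-list thread.
Header names follow HMRC's fraud-prevention spec as the editor recalls it; the
required set for DESKTOP_APP_DIRECT and the value formats are assumptions to be
checked against the current spec.  All device values are constructed samples.
"""
import uuid
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

# Assumed required set for a desktop application talking to HMRC directly.
REQUIRED_DESKTOP_APP_DIRECT = (
    "Gov-Client-Connection-Method",
    "Gov-Client-Device-ID",
    "Gov-Client-User-IDs",
    "Gov-Client-Timezone",
    "Gov-Client-Local-IPs",
    "Gov-Client-Local-IPs-Timestamp",
    "Gov-Client-MAC-Addresses",
    "Gov-Client-Screens",
    "Gov-Client-Window-Size",
    "Gov-Client-User-Agent",
    "Gov-Client-Multi-Factor",
    "Gov-Vendor-Version",
    "Gov-Vendor-License-IDs",
)


def _enc(value):
    """Percent-encode a value so '=', '&', ',' and ':' inside it cannot be
    confused with the separators HMRC uses in structured header values."""
    return quote(str(value), safe="")


def kv(pairs):
    """Render an ordered mapping as key=value&key=value with encoded values."""
    return "&".join(f"{k}={_enc(v)}" for k, v in pairs.items())


def csv(values):
    """Render a list as a comma-separated string of encoded values."""
    return ",".join(_enc(v) for v in values)


def utc_offset(dt):
    """Format an aware datetime's offset as UTC+HH:MM or UTC-HH:MM."""
    minutes = int(dt.utcoffset().total_seconds()) // 60
    sign = "+" if minutes >= 0 else "-"
    minutes = abs(minutes)
    return f"UTC{sign}{minutes // 60:02d}:{minutes % 60:02d}"


def build_fraud_headers(device, now, device_id=None):
    """Build the header dict for one request from client-observed facts.

    `device_id` should be generated once and persisted by the application; a
    fresh UUID on every run would itself look anomalous to abuse analytics.
    """
    if device_id is None:
        device_id = str(uuid.uuid4())
    stamp = now.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "Gov-Client-Connection-Method": "DESKTOP_APP_DIRECT",
        "Gov-Client-Device-ID": device_id,
        "Gov-Client-User-IDs": kv({"os": device["os_user"]}),
        "Gov-Client-Timezone": utc_offset(now),
        "Gov-Client-Local-IPs": csv(device["local_ips"]),
        "Gov-Client-Local-IPs-Timestamp": stamp,
        "Gov-Client-MAC-Addresses": csv(device["macs"]),
        "Gov-Client-Screens": kv({"width": device["screen_w"],
                                  "height": device["screen_h"],
                                  "scaling-factor": 1, "colour-depth": 24}),
        "Gov-Client-Window-Size": kv({"width": device["win_w"],
                                      "height": device["win_h"]}),
        "Gov-Client-User-Agent": kv({"os-family": device["os_family"],
                                     "os-version": device["os_version"],
                                     "device-manufacturer": device["manufacturer"],
                                     "device-model": device["model"]}),
        "Gov-Client-Multi-Factor": "",  # assumption: empty when no MFA is used
        "Gov-Vendor-Version": kv({"gnucash-uk-vat": device["app_version"]}),
        "Gov-Vendor-License-IDs": "",   # assumption: empty for free software
    }


def missing_headers(headers, required=REQUIRED_DESKTOP_APP_DIRECT):
    """Names from `required` absent from `headers`; send only if this is empty."""
    return [name for name in required if name not in headers]


# Constructed sample device; nothing here is read from the running machine.
SAMPLE_DEVICE = {
    "os_user": "mark", "local_ips": ["192.168.1.20", "fe80::1"],
    "macs": ["aa:bb:cc:dd:ee:ff"], "screen_w": 1920, "screen_h": 1080,
    "win_w": 1200, "win_h": 800, "os_family": "Linux", "os_version": "5.10",
    "manufacturer": "Dell Inc.", "model": "XPS 13", "app_version": "1.0",
}


def demo():
    """Headers for the sample device at a fixed UTC+1 instant (for checking)."""
    now = datetime(2021, 1, 29, 16, 13, tzinfo=timezone(timedelta(hours=1)))
    return build_fraud_headers(SAMPLE_DEVICE, now,
                               device_id="00000000-0000-4000-8000-000000000001")


if __name__ == "__main__":
    h = demo()
    print("missing:", missing_headers(h))
    for k, v in h.items():
        print(f"{k}: {v}")
```

Every value here is asserted by the client, so none of it is a control against a stolen client secret: a hostile caller can populate these headers with whatever it likes, and HMRC can only correlate them for anomaly detection. That is why the user's own decision to authorise an application, and rotation of the client secret, remain the real defences, as the thread says.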
