Frequently-asked questions in relation to SM-PKI

The following FAQ presents information and explanatory notes as provided by the BSI both on the legal provisions from the German Metering Point Operation Act (MsbG), and on the provisions in the BSI's TR-03109-4 and the Certificate Policy (CP) for the Smart Metering PKI.
The statutory provisions as well as the supplementary provisions from TR-03109-4 and the Certificate Policy remain valid.
-
An EMT is an external market participant in accordance with Section 49 (2) MsbG.
-
Yes, it is possible for a market participant authorised to handle data (EMT) to commission a service provider in accordance with Section 49 (3) MsbG. The SM-PKI CP, Section 3.2.2.2, defines how registration must generally be completed in the SM-PKI with a service provider. The specific processes and the corresponding registration documentation are specified by the relevant Sub-Certificate Authority (Sub-CA).
-
According to Section 52 (4) of the Metering Point Operation Act, communication of personal data, master data and grid status data is only permitted between the participants in the SM-PKI. Therefore, the various participants (e.g. meter operators) must each have their own certificate to be able to communicate this data with the SMGW and each other. This means a market participant authorised to handle data according to Section 49 (2) of the Metering Point Operation Act (EMT, e.g. a meter operator) must apply to its selected Sub-CA for a PKI certificate in its own name.
The commissioned service provider according to Section 49 (3) of the Metering Point Operation Act must use the PKI certificate on behalf of the market participant authorised to handle data (EMT). The service provider is not permitted to use any other certificate for the commissioned tasks. This rule applies to every market participant authorised to handle data (EMT).
-
The service provider may apply for the relevant PKI certificates on behalf of the external market participant (EMT). The certificates must be issued to the external market participant (EMT). The specific processes to be completed and the associated registration documents are stipulated by the relevant Sub-CA and must comply with Section 3.2.2.2 of the SM-PKI CP.
-
The service provider acts on behalf of the market participant authorised to handle data (EMT) and uses its PKI certificate. There is an internal relationship between the EMT and service provider. The two parties communicate via protected internal infrastructure (e.g. VPN). The secure communication between EMT and service provider must be defined in the security concept (SiKo) of the EMT.
In terms of security technology, the further processing of data must be protected to a level equivalent to authentication and encryption with the PKI certificates from the SM-PKI. In particular, this means using comparable cryptography (see Section 1.3.3.4 of the SM-PKI CP).
-
If the cryptographic keys for several mandates are stored in a single cryptography module (see Chapter 6.2.6 of the SM-PKI CP), the keys must naturally be separated. The keys can be separated either by a mechanism within the cryptography module (a partition/slot) or within the server at the application level (authorisation management). In this case, it must be ensured that a mandate can only access its own key.