Open CDR-API-Stream opened 2 years ago
Arguably this attribute is already deprecated as the DSB removed all references to it in the Standards in V1.11.0 documented as:
Obligations which were due more than 3 months since publication of this release of the standards have been removed. They remain accessible in the archived versions of the standards. They have been removed from the main (current) version to reduce ambiguity and keep the standards streamlined
The result is that revocation_uri
is now ambiguously defined in the current Standards. As the SSA is a cryptographic assertion from the regulator, a custom implementation for all participants and likely mapped explicitly to metadata required to be stored as part of the Record Keeping Requirements, removing the revocation_uri
from the SSA will likely require a Future Dated Obligation for Data Holders to accept and a Future Data Obligation for Data Recipients to perform an in-place DCR.
There is also no real method of advertising such compatibility with Data Holders and the error behaviour of such compatibility is undefined.
This issue is being discussed in Maintenance Iteration 10
@perlboy. Thanks for your comments and they do help shape the scope of what this issue should seek to address.
The revocation_uri
no longer has a functional purpose as the associated functionality (data recipient hosted token revocation endpoint) has been obsoleted as of February 1st, 2021.
The SSA structure remains ambiguous and removal of this field will address that. However, we have an opportunity to examine the implications of SSA changes (removal or addition of a field) and set expectations of SSA change management.
Therefore, the following questions should be considered.
When fields get added/removed in an SSA:
The goals for this work should include:
The community is invited to contribute to this discussion, to help identify what considerations should be made for SSA changes and how to reduce disruption to the ecosystem.
The DSB recommends the revocation_uri
field be deprecated.
Through this work, a default position on how SSA change management has been defined as follows:
SSA Change management will conform to the conventions already laid out in the Consumer Data Standards:
Each change will be assessed through the consultation process and any deviations to the above conventions can be raised if required.
Impacts raised from #484 to be assessed to ensure breaking changes have not been introduced by the statement:
- Data holders will return fields if supported, ignore and not return if not supported
The decision was made to not address this issue in Maintenance Iteration 10. DP 245 explores how Data Recipient information should propagate between Data Recipient Software Products, Data Holder Brands, and the CDR Register
The revocation_uri
no longer has a functional purpose as the associated functionality (data recipient
hosted token revocation endpoint) has been obsoleted as of 1 February 2021.
However, it has been identified there is a risk of interoperability issues with data holders if the
deprecation of the revocation_uri
change was to proceed.
Currently, data holders don’t have a mechanism to explicitly identify the version of an SSA presented
to them. Some data holders may be using strict validation on SSAs and therefore expect the
revocation_uri
to be present, regardless of its lack of functionality.
Whilst versioning of the CDR Register API was consulted on, this dealt with the interoperability of the ADR and CDR Register only. It did not address the version negotiation and interoperability of the ADR communicating updated registration information to data holders.
Deferring this change request addresses the following:
Given there is no functional impact to data holders and data recipients, and the reduced development impact to the ACCC, it is logical to defer this issue until conventions on how SSA version management is to occur, via the Decision Proposal process.
Please refer to Decision 237 for further details.
This issue has been raised to track CDR Register issue 188 through the standards maintenance process.
Please refer to CDR Register issue 188 for details