This repository houses the interactions, consultations and work management to support the maintenance of baselined components of the Consumer Data Right API Standards and Information Security profile.
In the Security Profile -> Transaction Security -> Use of MTLS section:
- End points for transferring CDR Data that are classified as not requiring authentication do not require the use of [MTLS].
+ Endpoints for transferring CDR Data that are classified as not requiring authentication (i.e. public endpoints) or those specified as TLS, MUST NOT use [MTLS].
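Review bot: in the added line, "those specified as TLS" does not say where that specification lives, and the Participant Endpoints table lists ExtensionBaseUri as "TLS/MTLS", so the MUST NOT is ambiguous for extension endpoints. Suggest pointing the phrase at [Participant endpoints] and stating that a TLS/MTLS entry is governed by the extension's own requirement.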
In the Security Profile -> Certificate Management -> Issued by the Register for Data Holders section:
- Server Certificate(s) | Certificate is issued to a FQDN Secures the following endpoints: - Resource endpoints - InfoSec endpoints - Admin endpoints
+ Server Certificate(s) | Certificate is issued to a FQDN. Secures the endpoints as detailed in [Participant endpoints]
In the Security Profile -> Certificate Management -> Issued by the Register CA for Data Recipients section:
- Server Certificate(s) | Certificate is issued to a FQDN. Secures the following: - CDR Arrangement Revocation endpoint - JWKS endpoint
- ADRs may choose to secure their [endpoints] with the Register CA issued certificate or a certificate issued by a public CA
+ Server Certificate(s) | Certificate is issued to a FQDN. Not currently required by Data Recipients.
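Review bot: the removed line that let ADRs choose between a Register CA issued certificate and a public CA certificate has no replacement in this section; the added row only says "Not currently required by Data Recipients". Under the proposed Participant Endpoints text, RevocationUri, RecipientBaseUri and JwksUri are TLS and MUST use a certificate issued by a public CA, so this row should cross-reference [Participant endpoints] to make that narrowing visible to ADRs reading the certificate table.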
In the Security Profile -> Security Endpoints -> Dynamic Client Registration Endpoints section:
In the table heading row:
- TLS-MA
+ MTLS
In the Security Profile -> Security Endpoints -> Participant Endpoints section:
Participants will be required to register base URIs against each of their brands to facilitate the implementation of the Consumer Data Standards.
+ Endpoints specified as MTLS MUST be configured according to the [Certificate Trust Model] in the [Certificate Management] section.
+ Endpoints specified as TLS MUST be configured with a certificate issued by a public CA accepted by major web browsers.
and the following changes to the table (highlighted in the image below):
Add a Transaction Security column to specify the high-level requirement for each Base URI
PublicBaseUri: TLS
ResourceBaseUri: MTLS
InfoSecBaseUri: TLS
AdminBaseUri: MTLS
ExtensionBaseUri: TLS/MTLS (depending on extension requirements)
RevocationUri: TLS
RecipientBaseUri: TLS
JwksUri: TLS (for both DH and ADR)
For ResourceBaseUri and RecipientBaseUri, change 'This should' to 'This MUST'
Clarify that the InfoSecBaseUri only provides reference to the OIDC Discovery endpoint over TLS
Provide references to usage of the different JwksUri values for Data Holders and Data Recipients
Description
Sections of the documentation regarding transaction security and CDR certificate requirements appear to be unclear.
Intention and Value of Change
To improve the documentation to ensure the requirements are clear and that endpoints can be accessed correctly.
Area Affected
Sections of the Security Profile related to Transaction security, Certificate management and Participant endpoints.
Change Proposed
The following changes -
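The Transaction Security column proposed for the Participant Endpoints table, as an added example that is not part of the original issue or of the Consumer Data Standards: a small linter that checks a set of registered endpoints against it. The tuple layout, the `register-ca` / `public-ca` labels and the `example.com` hosts are assumptions of the example.

```python
from urllib.parse import urlsplit

# Transaction Security column as proposed for the Participant Endpoints table.
REQUIRED = {
    "PublicBaseUri": {"TLS"},
    "ResourceBaseUri": {"MTLS"},
    "InfoSecBaseUri": {"TLS"},
    "AdminBaseUri": {"MTLS"},
    "ExtensionBaseUri": {"TLS", "MTLS"},  # depends on the extension
    "RevocationUri": {"TLS"},
    "RecipientBaseUri": {"TLS"},
    "JwksUri": {"TLS"},  # for both DH and ADR
}
# Assumed labels for the issuer each mode calls for: MTLS follows the
# Certificate Trust Model (Register CA); TLS needs a browser-trusted public CA.
ISSUER_FOR = {"MTLS": "register-ca", "TLS": "public-ca"}


def lint_endpoints(endpoints):
    """Return sorted (name, problem) findings for one brand's endpoints."""
    # endpoints: name -> (url, client_cert, server_cert_issuer), an assumed layout.
    findings = []
    for name, (url, client_cert, issuer) in endpoints.items():
        allowed = REQUIRED.get(name)
        if allowed is None:
            findings.append((name, "unknown base URI name"))
            continue
        if urlsplit(url).scheme != "https":
            findings.append((name, "not served over https"))
        mode = "MTLS" if client_cert == "required" else "TLS"
        if mode not in allowed:
            verb = "MUST NOT use" if mode == "MTLS" else "MUST use"
            findings.append((name, f"{verb} MTLS"))
            mode = next(iter(allowed))  # judge the issuer by the required mode
        if issuer != ISSUER_FOR[mode]:
            findings.append((name, f"{mode} endpoint needs a {ISSUER_FOR[mode]} certificate"))
    return sorted(findings)


# Constructed sample registration; example.com hosts are placeholders.
SAMPLE = {
    "PublicBaseUri": ("https://api.example.com", "none", "public-ca"),
    "ResourceBaseUri": ("https://mtls.example.com", "required", "register-ca"),
    "InfoSecBaseUri": ("https://mtls.example.com", "required", "register-ca"),
    "AdminBaseUri": ("https://api.example.com", "none", "public-ca"),
    "ExtensionBaseUri": ("https://mtls.example.com", "required", "register-ca"),
}
if __name__ == "__main__":
    print(*lint_endpoints(SAMPLE), sep="\n")
```

In the sample, InfoSecBaseUri is flagged for sitting behind the MTLS listener and AdminBaseUri for sitting behind the public one; ExtensionBaseUri passes in either mode as long as the certificate issuer matches the mode chosen.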