Merge branch 'maintenance/654' into release/1.33.0

ConsumerDataStandardsAustralia · Dec 16, 2024 · 9561158 · 9561158
2 parents aad0f1c + 022cb33
commit 9561158
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 15 deletions.
diff --git a/slate/source/includes/releasenotes/releasenotes.1.33.0.html.md b/slate/source/includes/releasenotes/releasenotes.1.33.0.html.md
@@ -24,6 +24,7 @@ This release addresses the following minor defects raised on [Standards Staging]
 
 This release addresses the following change requests raised on [Standards Maintenance](https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues):
 
+- [Standards Maintenance #654 - Clarify Transaction Security requirements](https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/654)
 - [Standards Maintenance #661 - Obligation milestones for 2026 and 2027](https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/661)
 - [Standards Maintenance #675 - PAR/RFC9126 in Normative references appears twice](https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/675)
 
@@ -63,6 +64,7 @@ This release addresses the following Decision Proposals published on [Standards]
 |Change|Description|Link|
 |------|-----------|----|
 | Key word styling | [**Standards Staging #443**](https://github.com/ConsumerDataStandardsAustralia/standards-staging/issues/443): Applied consistent styling to key words | [Transaction Security](../../#transaction-security)
+| Clarified transaction security requirements | [**Standards Maintenance #654**](https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/654): Clarified sections referring to TLS and MTLS requirements. | [Transaction Security](../../#transaction-security)<br>[Certificate Management](../../#certificate-management)<br>[Dynamic Client Registration Endpoints](../../#dynamic-client-registration-endpoints)<br>[Participant Endpoints](../../#participant-endpoints)
 
 
 ## Register Standards

diff --git a/slate/source/includes/security/_certificate_management.md b/slate/source/includes/security/_certificate_management.md
@@ -1,19 +1,23 @@
 
 ## Certificate Management
 
+```diff
+Clarified Server Certificate statements for Data Holders and Data Recipients and referred to Participant endpoints detail
+```
+
 ### Issued by the Register for Data Holders
 Certificate | Function | Notes
 -----------|------------------------------------------|------------------------------
-|**Server Certificate(s)**|	Certificate is issued to a FQDN</br></br>Secures the following endpoints:</br>- Resource endpoints</br>- InfoSec endpoints</br>- Admin endpoints | It will be up to the DH on how these endpoints are segregated. They may all be on the one domain (so only one certificate required) or could be separated.
+| <span style="white-space: nowrap;">**Server Certificate(s)**</span> | Certificate is issued to a FQDN.<br><br>Secures the endpoints as detailed in [Participant endpoints](#participant-endpoints). | It will be up to the DH on how these endpoints are segregated. They may all be on the one domain (so only one certificate required) or could be separated.
 
 ### Issued by the Register CA for Data Recipients
 
 
 
 Certificate | Function | Notes
 -----------|------------------------------------------|------------------------------
-|**Client Certificate**| Secures the following:</br>- Consuming Register APIs</br>- Consuming Data Holder APIs
-|**Server Certificate(s)**|	Certificate is issued to a FQDN.<br/>Secures the following:</br>- CDR Arrangement Revocation endpoint </br>- JWKS endpoint | ADRs may choose to secure their [endpoints](#security-endpoints) with the Register CA issued certificate or a certificate issued by a public CA.
+| **Client Certificate** | Secures the following:<ul><li>Consuming Register APIs.</li><li>Consuming Data Holder APIs.</li></ul>
+| <span style="white-space: nowrap;">**Server Certificate(s)**</span> | Certificate is issued to a FQDN. | Not currently required by Data Recipients.
 
 ### CDR Certificate Authority
 [DigiCert](https://www.digicert.com) acts as the certificate authority that issues and manages certificates to CDR participants as directed by the ACCC Register in its capacity as the CDR Registrar.

diff --git a/slate/source/includes/security/_transport_security.md b/slate/source/includes/security/_transport_security.md
@@ -15,7 +15,12 @@ All back-channel communication between Data Recipient Software Product and Data
 - The presented Client transport certificate **MUST** be issued by the CDR Certificate Authority (CA). The Server **MUST NOT** trust Client transport certificates issued by other authorities.
 - The presented Server transport certificate **MUST** be issued by the CDR Certificate Authority (CA). The Client **MUST NOT** trust Server transport certificates issued by other authorities.
 
-End points for transferring CDR Data that are classified as not requiring authentication do not require the use of **[[MTLS]](#nref-MTLS)**.
+
+```diff
+Clarified that public endpoints MUST NOT use MTLS
+```
+
+Endpoints for transferring CDR Data that are classified as not requiring authentication (i.e. public endpoints) or those specified as TLS, **MUST NOT** use **[[MTLS]](#nref-MTLS)**.
 
 
 ### Holder of Key Mechanism

diff --git a/slate/source/includes/security/endpoints/_register.md b/slate/source/includes/security/endpoints/_register.md
@@ -32,18 +32,26 @@ Host: cdr.register
 
 ```
 <InfoSecBaseUri>/.well-known/openid-configuration
+```
+
+```diff
+Added clarifying statements for endpoints specified as MTLS and TLS
 
+Added Transaction Security column and clarified descriptions
 ```
 
 Participants will be required to register base URIs against each of their brands to facilitate the implementation of the Consumer Data Standards
 
-| Base URI | DH Brand | ADR Brand | Description
-|-----------|------|------|-----------------------------------------------------------------------------------------------|
-|**PublicBaseUri**|	<i class="icon-check"></i> | | Base URI for the Consumer Data Standard public endpoints. This should encompass all endpoints not requiring authentication.<br>Data Holders designated for the Energy sector are not required to expose energy product reference endpoints via their public base URI and are not required, but **MAY**, provide a redirect to the product reference endpoints hosted by the designated data holder. |
-|**ResourceBaseUri**|	<i class="icon-check"></i> | | Base URI for the Consumer Data Standard resource endpoints. This should encompass all CDS resource endpoints requiring authentication |
-|**InfoSecBaseUri**|	<i class="icon-check"></i> | | Base URI for the Consumer Data Standard InfoSec endpoints. This provides ADRs reference to the [OIDC Discovery Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html) |
-|**AdminBaseUri**|	<i class="icon-check"></i> | | Base URI for the Consumer Data Standard admin endpoints called by the CDR Register |
-|**ExtensionBaseUri**|	<i class="icon-check"></i> | | Base URI for the Data Holder extension endpoints to the Consumer Data Standard **(optional)** |
-|**RevocationUri**|	| <i class="icon-check"></i> | Used for consent withdrawal notification from a Data Holder and is populated in the [SSA](#dynamic-client-registration) |
-|**RecipientBaseUri**|	| <i class="icon-check"></i> | Base URI for the Consumer Data Standard Data Recipient Software Product endpoints. </br>This should be the base to provide reference to [Data Recipient Endpoints](#cdr-participant-discovery-api_get-data-recipients) |
-|**JwksUri**|	<i class="icon-check"></i> | <i class="icon-check"></i> | **DH:** Used for client authentication for DH -> DRSP communication and is populated in the [GetDataHolderBrands API](#cdr-participant-discovery-api_get-data-holder-brands)</br> **DR:** Used for client authentication for DRSP -> DH & Register communication and is populated in the [SSA](#dynamic-client-registration) |
+Endpoints specified as MTLS **MUST** be configured according to the [Certificate Trust Model](#certificate-trust-model) in the [Certificate Management](#certificate-management) section.  
+Endpoints specified as TLS **MUST** be configured with a certificate issued by a public CA accepted by major web browsers.
+
+| Base URI | DH Brand | ADR Brand | Transaction Security | Description
+|----------|---------|------------|----------------------|-----------------|
+|**PublicBaseUri**|	<i class="icon-check"></i> | | TLS | Base URI for the Consumer Data Standard public endpoints. This should encompass all endpoints not requiring authentication.<br>Data Holders designated for the Energy sector are not required to expose energy product reference endpoints via their public base URI and are not required, but **MAY**, provide a redirect to the product reference endpoints hosted by the designated data holder. |
+|**ResourceBaseUri**|	<i class="icon-check"></i> | | MTLS | Base URI for the Consumer Data Standard resource endpoints. This **MUST** encompass all CDS resource endpoints requiring authentication. |
+|**InfoSecBaseUri**|	<i class="icon-check"></i> | | TLS | Base URI for the [OIDC Discovery endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html) only.<br>Endpoints specified in the Discovery endpoint have the requirements detailed in the [Security Endpoints](#security-endpoints) section. |
+|**AdminBaseUri**|	<i class="icon-check"></i> | | MTLS | Base URI for the Consumer Data Standard admin endpoints called by the CDR Register. |
+|**ExtensionBaseUri**|	<i class="icon-check"></i> | | TLS/MTLS | Base URI for the Data Holder extension endpoints to the Consumer Data Standard (optional).<ul><li>TLS: for public endpoints.<li>MTLS: for authenticated endpoints. |
+|**RevocationUri**|	| <i class="icon-check"></i> | TLS | Used for consent withdrawal notification from a Data Holder and is populated in the [SSA](#dynamic-client-registration). |
+|**RecipientBaseUri**|	| <i class="icon-check"></i> | TLS | Base URI for the Consumer Data Standard Data Recipient Software Product endpoints. </br>This **MUST** be the base to provide reference to [Data Recipient Endpoints](#cdr-participant-discovery-api_get-data-recipients). |
+|**JwksUri**|	<i class="icon-check"></i> | <i class="icon-check"></i> | TLS | DH Brand: Used for client authentication for DH -> DRSP communication and is populated in the [Get Data Holder Brands](#cdr-participant-discovery-api_get-data-holder-brands) endpoint. (See: _jwksEndpoint_).</br>ADR Brand: Used for client authentication for DRSP -> DH & Register communication and is populated in the [SSA](#dynamic-client-registration). (See: _jwks_uri_). |
diff --git a/slate/source/includes/security/endpoints/_registration.md b/slate/source/includes/security/endpoints/_registration.md
@@ -6,7 +6,13 @@ For more details of these endpoints see the [DCR APIs](#dcr-apis) section.
 
 For additional statements on the operation of these endpoint during client registration see the [Client Registration](#client-registration) section.
 
-| HTTP Verb | Auth Server Support | TLS-MA | HoK | Grant Type | Access Token Scope
+```diff
+Changed the third column name in the table to align to the Normative References title
+- TLS-MA
++ MTLS
+```
+
+| HTTP Verb | Auth Server Support | MTLS | HoK | Grant Type | Access Token Scope
 |--------------|-------|-------|-------|------|-----------------------------------------------------------------------------
 |**POST /register**|	Required | <i class="icon-check"></i> |  | N/A | None
 |**GET /register/{clientID}**|	Required | <i class="icon-check"></i> | <i class="icon-check"></i> | Client Credentials | cdr:registration