diff --git a/slate/source/includes/endpoint-version-schedule/index.html.md b/slate/source/includes/endpoint-version-schedule/index.html.md index 17f4d7ed..4dcb4565 100644 --- a/slate/source/includes/endpoint-version-schedule/index.html.md +++ b/slate/source/includes/endpoint-version-schedule/index.html.md @@ -32,7 +32,7 @@ These dates may be subject to change depending upon new or changed legislative a | **Y24 #3** | 2024-07-01 | 1 | | **Y24 #4** | 2024-09-09 | 3 | | **Y24 #5** | 2024-11-11 | 2 | -| **Y25 #1** | 2025-03-17 | 0 | +| **Y25 #1** | 2025-03-17 | 1 | | **Y25 #2** | 2025-05-12 | 0 | | **Y25 #3** | 2025-07-14 | 0 | | **Y25 #4** | 2025-09-08 | 0 | diff --git a/slate/source/includes/introduction/_fdo.md b/slate/source/includes/introduction/_fdo.md index d57cd978..4d75c471 100644 --- a/slate/source/includes/introduction/_fdo.md +++ b/slate/source/includes/introduction/_fdo.md @@ -28,3 +28,4 @@ The table below highlights these areas of the standards. |[Get Billing For Specific Accounts](#cdr-energy-api_get-billing-for-specific-accounts)|Data Holders **MAY** retire v2 of this endpoint by **September 9th 2024** if they implement v3| September 9th 2024 | |[Get Generic Plan Detail](#cdr-energy-api_get-generic-plan-detail)|| November 11th 2024 | |[Get Energy Account Detail](#cdr-energy-api_get-energy-account-detail)|| November 11th 2024 | +|[Transaction Security Ciphers](#transaction-security)|Data Holders and Data Recipients **MUST** only support BCP195 recommended ciphers by **March 17th 2025**| March 17th 2025 | diff --git a/slate/source/includes/introduction/_references.md b/slate/source/includes/introduction/_references.md index f317a4c5..99f3937d 100644 --- a/slate/source/includes/introduction/_references.md +++ b/slate/source/includes/introduction/_references.md 
@@ -1,9 +1,13 @@ ## Normative References - +```diff ++ Added BCP195 to the list of normative references +- Removed BCP195 from the list of informative references +``` | **Reference** | **Description** | **Version** | |-|-|-| +| **[BCP195]** | Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS): | | | **[DCR]** | OAuth 2.0 Dynamic Client Registration Protocol: |July 2015 | **[FAPI-1.0-Baseline]** | Financial-grade API Security Profile 1.0 - Part 1: Baseline: | March 2021 | **[FAPI-1.0-Advanced]** | Financial-grade API Security Profile 1.0 - Part 2: Advanced: | March 2021 @@ -47,7 +51,6 @@ Improved styling of 'Code samples' displayed in the Non-Normative Examples tab | **[ACCC]** | The Australian Competition and Consumer Commission is responsible for accrediting data recipients to participate in CDR, building and maintaining the Register of data recipients and data holders, providing support and guidance to participants and promoting compliance with the CDR rules and standards, including taking enforcement action where necessary.
| | **[ANZSCO]** | ANZSCO - Australian and New Zealand Standard Classification of Occupations : | | **[ANZSIC-2006]** | 1292.0 - Australian and New Zealand Standard Industrial Classification (ANZSIC), 2006 (Revision 2.0) : | -| **[BCP195]** | Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS): | | **[CDR]** | Consumer Data Right: | | **[E.164]** | The international public telecommunication numbering plan: | | **[FAPI]** | Financial-Grade API - Home Page | diff --git a/slate/source/includes/releasenotes/releasenotes.1.32.0.html.md b/slate/source/includes/releasenotes/releasenotes.1.32.0.html.md index c199bc2b..db088fb2 100644 --- a/slate/source/includes/releasenotes/releasenotes.1.32.0.html.md +++ b/slate/source/includes/releasenotes/releasenotes.1.32.0.html.md @@ -29,6 +29,7 @@ This release addresses the following minor defects raised on [Standards Staging] This release addresses the following change requests raised on [Standards Maintenance](https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues): - [Standards Maintenance #641 - Update CDS documentation to clarify expected rate value 'sign' (+/-) for each RateType](https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/641) +- [Standards Maintenance #648 - Adopt BCP 195 for TLS ciphers](https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/648) - [Standards Maintenance #652 - Specify units of currency to be used for the AmountString field type](https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/652) - [Standards Maintenance #653 - EnergyPlanTariffPeriod - cater for plans with no dailySupplyCharge](https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/653) 
@@ -73,7 +74,7 @@ This release addresses the following Decision Proposals published on [Standards] ## Information Security Profile |Change|Description|Link| |------|-----------|----| - +| Adopt BCP195 for supported ciphers | Update TLS Cipher requirements to align to FAPI 2.0 and adoption of BCP195. Addresses [issue 648](https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/648#issue-2383325264). | [Security Profile -> Transaction Security -> Ciphers](../../#transaction-security)| ## Register Standards |Change|Description|Link| diff --git a/slate/source/includes/security/_transport_security.md b/slate/source/includes/security/_transport_security.md index 7643a7ed..cd10f29a 100644 --- a/slate/source/includes/security/_transport_security.md +++ b/slate/source/includes/security/_transport_security.md 
@@ -26,12 +26,26 @@ OAUTB SHALL NOT be supported due to a lack industry support. ### Ciphers + +```diff +Obligation change from March 17th 2025: +- Removed specific named ciphers ++ Adopted BCP195 +``` + +**Until March 17th 2025, the following SHALL requirements apply:** + Only the following cipher suites SHALL be permitted in accordance with [section 8.5](https://openid.net/specs/openid-financial-api-part-2-1_0.html#tls-considerations) of **[[FAPI-1.0-Advanced]](#nref-FAPI-1-0-Advanced)**: -- TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256 -- TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384 +- `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` +- `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` The following cipher suites **SHOULD NOT** be supported: -- TLS\_DHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256 -- TLS\_DHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384 \ No newline at end of file +- `TLS_DHE_RSA_WITH_AES_128_GCM_SHA256` +- `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384` + +**From March 17th 2025, the following requirements SHALL apply:** + +In addition to [section 8.5](https://openid.net/specs/openid-financial-api-part-2-1_0.html#tls-considerations) of **[[FAPI-1.0-Advanced]](#nref-FAPI-1-0-Advanced)** only cipher suites recommended in **[[BCP195]](#nref-BCP195)** **SHALL** be permitted. +
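Review bot: In the `_fdo.md` hunk, the new "Transaction Security Ciphers" row summarises the obligation as "Data Holders and Data Recipients **MUST** only support BCP195 recommended ciphers", which does not match the wording the same patch puts in `_transport_security.md` ("In addition to section 8.5 of FAPI-1.0-Advanced only cipher suites recommended in BCP195 **SHALL** be permitted"). The FDO row drops the FAPI-1.0-Advanced section 8.5 condition and switches from SHALL (the keyword the security profile uses) to MUST, so a reader of the obligation table gets a different, broader rule than the one in the profile. Suggest making the row a one-line restatement of the profile text, e.g. "Data Holders and Data Recipients **SHALL** only permit cipher suites recommended in **[BCP195]**, in addition to section 8.5 of **[FAPI-1.0-Advanced]**, from **March 17th 2025**".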
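Review bot: In the first `_references.md` hunk, the new normative `[BCP195]` row leaves the **Version** column empty while the neighbouring normative entries carry a date (`[DCR]` July 2015, `[FAPI-1.0-Baseline]` and `[FAPI-1.0-Advanced]` March 2021). A BCP designation is updated by replacing the RFCs it points to, so a normative reference that says only "BCP195" does not pin the set of recommendations implementers are held to on March 17th 2025. Suggest filling the Version column with the RFC number(s) and date of the BCP195 revision being adopted, as was done when the entry was informative only. The `diff` summary block and the second hunk (removal from the informative list) are consistent with the move and need no change.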
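Review bot: In the `releasenotes.1.32.0.html.md` Information Security Profile hunk, the description "Update TLS Cipher requirements to align to FAPI 2.0 and adoption of BCP195" cites FAPI 2.0, but nothing else in this patch references FAPI 2.0: the normative references only gain `[BCP195]`, and the updated Ciphers section still cites section 8.5 of `[FAPI-1.0-Advanced]`. Either drop "align to FAPI 2.0" from the description or add the FAPI 2.0 reference the claim relies on. The description should also carry the obligation date, since this is a phased change; suggest "... adoption of BCP195 from March 17th 2025 (see FDO table)".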
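Review bot: In the `_transport_security.md` hunk, the post-date rule "In addition to section 8.5 of **[FAPI-1.0-Advanced]** only cipher suites recommended in **[BCP195]** **SHALL** be permitted" is ambiguous and leaves two questions from the pre-date text unanswered. First, "in addition to" can be read either as the intersection (only suites that satisfy both section 8.5 and BCP195, which would keep the list at the two `TLS_ECDHE_RSA_*` suites) or as a superset (section 8.5's suites plus anything BCP195 recommends); state which, and say whether `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` and `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` remain mandatory to support. Second, the "following cipher suites **SHOULD NOT** be supported" list (`TLS_DHE_RSA_*`) sits under the "Until March 17th 2025" heading only, so after that date the standard is silent on DHE suites; if the SHOULD NOT is meant to survive, repeat it under the "From" heading. Two smaller points: the `diff` summary line "Removed specific named ciphers" overstates the change, since the named list remains in force until March 17th 2025 (suggest "Named cipher list replaced by BCP195 from March 17th 2025"), and "the following SHALL requirements apply" would read better as "the following requirements SHALL apply", matching the "From" heading.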