diff --git a/slate/source/includes/releasenotes/releasenotes.1.33.0.html.md b/slate/source/includes/releasenotes/releasenotes.1.33.0.html.md
index 1afd7e72..6db35dda 100644
--- a/slate/source/includes/releasenotes/releasenotes.1.33.0.html.md
+++ b/slate/source/includes/releasenotes/releasenotes.1.33.0.html.md
@@ -21,7 +21,7 @@ This release addresses the following minor defects raised on [Standards Staging]
This release addresses the following change requests raised on [Standards Maintenance](https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues):
-- [Standards Maintenance #XXX - Title](https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/XXX)
+- [Standards Maintenance #654 - Clarify Transaction Security requirements](https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/654)
### Decision Proposals
@@ -34,7 +34,6 @@ This release addresses the following Decision Proposals published on [Standards]
|Change|Description|Link|
|------|-----------|----|
| Change summary | [**Standards Staging #XXX**](https://github.com/ConsumerDataStandardsAustralia/standards-staging/issues/XXX): Change detail | [Standards section](../../#section)
-| Change summary | [**Standards Maintenance #XXX**](https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/XXX): Change detail | [Standards section](../../#section)
| Change summary | [**Decision Proposal #XXX**](https://github.com/ConsumerDataStandardsAustralia/standards/issues/XXX): Change detail | [Standards section](../../#section)
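Review bot: the table at the top of this hunk still carries two unfilled template rows after the deletion; the `Standards Staging #XXX` row (the line above the removed one) and the `Decision Proposal #XXX` row (the line below it) both keep the literal `XXX` issue links, so the published release notes for 1.33.0 will render placeholder rows and dead links. Either remove those two rows as well, since the hunk at `@@ -21,7 +21,7 @@` shows this release only cites Standards Maintenance #654, or fill them in before merge.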
@@ -56,6 +55,7 @@ This release addresses the following Decision Proposals published on [Standards]
## Information Security Profile
|Change|Description|Link|
|------|-----------|----|
+| Clarified transaction security requirements | [**Standards Maintenance #654**](https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/654): Clarified sections referring to TLS and MTLS requirements. | [Transaction Security](../../#transaction-security)
[Certificate Management](../../#certificate-management)
[Dynamic Client Registration Endpoints](../../#dynamic-client-registration-endpoints)
[Participant Endpoints](../../#participant-endpoints)
## Register Standards
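Review bot: the new Information Security Profile row ends its Link cell on the added line with `[Transaction Security](../../#transaction-security)` and then continues with three bare link lines (`[Certificate Management]...`, `[Dynamic Client Registration Endpoints]...`, `[Participant Endpoints]...`) that have no leading `|`. Confirm the Slate renderer keeps those continuation lines inside the table cell; if it treats them as a following paragraph, the three links will render below the table rather than in the Link column, and joining them into the one cell with `<br>` separators avoids that ambiguity.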
diff --git a/slate/source/includes/security/_certificate_management.md b/slate/source/includes/security/_certificate_management.md
index 80020327..1aaef35e 100644
--- a/slate/source/includes/security/_certificate_management.md
+++ b/slate/source/includes/security/_certificate_management.md
@@ -1,10 +1,14 @@
## Certificate Management
+```diff
+Clarified Server Certificate statements for Data Holders and Data Recipients and referred to Participant endpoints detail
+```
+
### Issued by the Register for Data Holders
Certificate | Function | Notes
-----------|------------------------------------------|------------------------------
-|**Server Certificate(s)**| Certificate is issued to a FQDNSecures the following endpoints:- Resource endpoints- InfoSec endpoints- Admin endpoints | It will be up to the DH on how these endpoints are segregated. They may all be on the one domain (so only one certificate required) or could be separated.
+| **Server Certificate(s)** | Certificate is issued to a FQDN.
Secures the endpoints as detailed in [Participant endpoints](#participant-endpoints). | It will be up to the DH on how these endpoints are segregated. They may all be on the one domain (so only one certificate required) or could be separated.
### Issued by the Register CA for Data Recipients
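Review bot: the replacement Server Certificate(s) row says the Register-issued certificate "Secures the endpoints as detailed in [Participant endpoints]", but the companion change to `_register.md` in this same patch marks PublicBaseUri, InfoSecBaseUri, RevocationUri and JwksUri as TLS and requires TLS endpoints to use a public-CA certificate. That means the Register-issued server certificate applies only to the endpoints specified as MTLS (Resource, Admin and the MTLS part of Extension); the row should say so explicitly ("Secures the endpoints specified as MTLS in [Participant endpoints]"), otherwise a Data Holder reading this table alone may conclude the Register certificate still covers the InfoSec and public endpoints, which the removed row used to list. Also note the separator line `-----------|---...` lacks the leading `|` that the data rows now use; harmless in most renderers, but worth aligning while the table is being touched.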
@@ -12,8 +16,8 @@ Certificate | Function | Notes
Certificate | Function | Notes
-----------|------------------------------------------|------------------------------
-|**Client Certificate**| Secures the following:- Consuming Register APIs- Consuming Data Holder APIs
-|**Server Certificate(s)**| Certificate is issued to a FQDN.
Secures the following:- CDR Arrangement Revocation endpoint - JWKS endpoint | ADRs may choose to secure their [endpoints](#security-endpoints) with the Register CA issued certificate or a certificate issued by a public CA.
+| **Client Certificate** | Secures the following:
- Consuming Register APIs.
- Consuming Data Holder APIs.
+| **Server Certificate(s)** | Certificate is issued to a FQDN. | Not currently required by Data Recipients.
### CDR Certificate Authority
[DigiCert](https://www.digicert.com) acts as the certificate authority that issues and manages certificates to CDR participants as directed by the ACCC Register in its capacity as the CDR Registrar.
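Review bot: the removed Notes text said "ADRs may choose to secure their [endpoints] with the Register CA issued certificate or a certificate issued by a public CA", and the replacement Server Certificate(s) row now reads "Not currently required by Data Recipients". Read together with the new `_register.md` rule that TLS endpoints **MUST** use a public-CA certificate, this removes an option ADRs currently have for RecipientBaseUri, RevocationUri and JwksUri, so it is a behavioural change for any ADR serving those endpoints behind a Register-issued certificate, not a clarification; the release note entry for #654 should call this out and state whether a transition period applies. If the Register still issues server certificates to ADRs on request, say so in the Notes cell; if it does not, consider dropping the row from a table titled "Issued by the Register CA for Data Recipients" rather than keeping a row that documents something the Register does not issue.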
diff --git a/slate/source/includes/security/_transport_security.md b/slate/source/includes/security/_transport_security.md
index ea286c9f..761c7eda 100644
--- a/slate/source/includes/security/_transport_security.md
+++ b/slate/source/includes/security/_transport_security.md
@@ -10,7 +10,12 @@ All back-channel communication between Data Recipient Software Product and Data
- The presented Client transport certificate MUST be issued by the CDR Certificate Authority (CA). The Server MUST NOT trust Client transport certificates issued by other authorities.
- The presented Server transport certificate MUST be issued by the CDR Certificate Authority (CA). The Client MUST NOT trust Server transport certificates issued by other authorities.
-End points for transferring CDR Data that are classified as not requiring authentication do not require the use of **[[MTLS]](#nref-MTLS)**.
+
+```diff
+Clarified that public endpoints MUST NOT use MTLS
+```
+
+Endpoints for transferring CDR Data that are classified as not requiring authentication (i.e. public endpoints) or those specified as TLS, **MUST NOT** use **[[MTLS]](#nref-MTLS)**.
### Holder of Key Mechanism
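Review bot: the added sentence changes "do not require the use of MTLS" into "**MUST NOT** use MTLS", which turns an optional behaviour into a prohibition; the `diff` block labels this "Clarified", but a Data Holder whose public or TLS-designated endpoints currently sit behind a listener that requests (without requiring) a client certificate becomes non-conformant on publication, so the release note and this block should describe it as a strengthened requirement. The sentence should also state what "use MTLS" means at the transport level, i.e. whether the server must not request a client certificate in the handshake at all, or only must not reject clients that present none, since conformance testing will need one of those two readings. Minor: drop the comma after "specified as TLS"; it separates the subject from its verb.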
diff --git a/slate/source/includes/security/endpoints/_register.md b/slate/source/includes/security/endpoints/_register.md
index f23c2ecc..1659cfd2 100644
--- a/slate/source/includes/security/endpoints/_register.md
+++ b/slate/source/includes/security/endpoints/_register.md
@@ -32,18 +32,26 @@ Host: cdr.register
```
/.well-known/openid-configuration
+```
+
+```diff
+Added clarifying statements for endpoints specified as MTLS and TLS
+Added Transaction Security column and clarified descriptions
```
Participants will be required to register base URIs against each of their brands to facilitate the implementation of the Consumer Data Standards
-| Base URI | DH Brand | ADR Brand | Description
-|-----------|------|------|-----------------------------------------------------------------------------------------------|
-|**PublicBaseUri**| | | Base URI for the Consumer Data Standard public endpoints. This should encompass all endpoints not requiring authentication.
Data Holders designated for the Energy sector are not required to expose energy product reference endpoints via their public base URI and are not required, but **MAY**, provide a redirect to the product reference endpoints hosted by the designated data holder. |
-|**ResourceBaseUri**| | | Base URI for the Consumer Data Standard resource endpoints. This should encompass all CDS resource endpoints requiring authentication |
-|**InfoSecBaseUri**| | | Base URI for the Consumer Data Standard InfoSec endpoints. This provides ADRs reference to the [OIDC Discovery Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html) |
-|**AdminBaseUri**| | | Base URI for the Consumer Data Standard admin endpoints called by the CDR Register |
-|**ExtensionBaseUri**| | | Base URI for the Data Holder extension endpoints to the Consumer Data Standard **(optional)** |
-|**RevocationUri**| | | Used for consent withdrawal notification from a Data Holder and is populated in the [SSA](#dynamic-client-registration) |
-|**RecipientBaseUri**| | | Base URI for the Consumer Data Standard Data Recipient Software Product endpoints. This should be the base to provide reference to [Data Recipient Endpoints](#cdr-participant-discovery-api_get-data-recipients) |
-|**JwksUri**| | | **DH:** Used for client authentication for DH -> DRSP communication and is populated in the [GetDataHolderBrands API](#cdr-participant-discovery-api_get-data-holder-brands) **DR:** Used for client authentication for DRSP -> DH & Register communication and is populated in the [SSA](#dynamic-client-registration) |
+Endpoints specified as MTLS **MUST** be configured according to the [Certificate Trust Model](#certificate-trust-model) in the [Certificate Management](#certificate-management) section.
+Endpoints specified as TLS **MUST** be configured with a certificate issued by a public CA accepted by major web browsers.
+
+| Base URI | DH Brand | ADR Brand | Transaction Security | Description
+|----------|---------|------------|----------------------|-----------------|
+|**PublicBaseUri**| | | TLS | Base URI for the Consumer Data Standard public endpoints. This should encompass all endpoints not requiring authentication.
Data Holders designated for the Energy sector are not required to expose energy product reference endpoints via their public base URI and are not required, but **MAY**, provide a redirect to the product reference endpoints hosted by the designated data holder. |
+|**ResourceBaseUri**| | | MTLS | Base URI for the Consumer Data Standard resource endpoints. This **MUST** encompass all CDS resource endpoints requiring authentication. |
+|**InfoSecBaseUri**| | | TLS | Base URI for the [OIDC Discovery endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html) only.
Endpoints specified in the Discovery endpoint have the requirements detailed in the [Security Endpoints](#security-endpoints) section. |
+|**AdminBaseUri**| | | MTLS | Base URI for the Consumer Data Standard admin endpoints called by the CDR Register. |
+|**ExtensionBaseUri**| | | TLS/MTLS | Base URI for the Data Holder extension endpoints to the Consumer Data Standard (optional).- TLS: for public endpoints.
- MTLS: for authenticated endpoints. |
+|**RevocationUri**| | | TLS | Used for consent withdrawal notification from a Data Holder and is populated in the [SSA](#dynamic-client-registration). |
+|**RecipientBaseUri**| | | TLS | Base URI for the Consumer Data Standard Data Recipient Software Product endpoints. This **MUST** be the base to provide reference to [Data Recipient Endpoints](#cdr-participant-discovery-api_get-data-recipients). |
+|**JwksUri**| | | TLS | DH Brand: Used for client authentication for DH -> DRSP communication and is populated in the [Get Data Holder Brands](#cdr-participant-discovery-api_get-data-holder-brands) endpoint. (See: _jwksEndpoint_).ADR Brand: Used for client authentication for DRSP -> DH & Register communication and is populated in the [SSA](#dynamic-client-registration). (See: _jwks_uri_). |
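Review bot: two description cells have lost their line breaks in the added table: the ExtensionBaseUri row runs "(optional).- TLS: for public endpoints." on one line so the bullet list will not render as a list, and the JwksUri row has "(See: _jwksEndpoint_).ADR Brand:" with no break between the DH Brand and ADR Brand paragraphs; add the line break (or `<br>`) before "- TLS:" and before "ADR Brand:". Substantively, because the new sentence above the table requires a public-CA certificate for every endpoint marked TLS, marking InfoSecBaseUri and JwksUri as TLS means a Data Holder can no longer serve its discovery document or JWKS behind a Register-issued server certificate; since the Register and ADRs fetch these, that change deserves an explicit statement (and a cut-over note) rather than being inferred from the Transaction Security column. The InfoSecBaseUri row would also read more clearly if it said the TLS designation applies to the discovery document path only and that MTLS security endpoints listed in it keep their own requirements, which is what the second sentence of that cell is getting at.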
diff --git a/slate/source/includes/security/endpoints/_registration.md b/slate/source/includes/security/endpoints/_registration.md
index 7dca3b91..9eea89f5 100644
--- a/slate/source/includes/security/endpoints/_registration.md
+++ b/slate/source/includes/security/endpoints/_registration.md
@@ -6,7 +6,13 @@ For more details of these endpoints see the [DCR APIs](#dcr-apis) section.
For additional statements on the operation of these endpoint during client registration see the [Client Registration](#client-registration) section.
-| HTTP Verb | Auth Server Support | TLS-MA | HoK | Grant Type | Access Token Scope
+```diff
+Changed the third column name in the table to align to the Normative References title
+- TLS-MA
++ MTLS
+```
+
+| HTTP Verb | Auth Server Support | MTLS | HoK | Grant Type | Access Token Scope
|--------------|-------|-------|-------|------|-----------------------------------------------------------------------------
|**POST /register**| Required | | | N/A | None
|**GET /register/{clientID}**| Required | | | Client Credentials | cdr:registration
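Review bot: renaming the column from `TLS-MA` to `MTLS` is the right alignment with the normative reference, but the visible rows (`POST /register`, `GET /register/{clientID}`) leave the MTLS and HoK cells blank, and now that the Transport Security section in this same patch prohibits MTLS on TLS-only endpoints, a blank cell is ambiguous between "not required" and "not filled in". Consider adding a one-line legend above the table stating what a blank cell and a marked cell mean in the MTLS column, so the column carries the same normative weight as the new Transaction Security column in the Participant endpoints table.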