From 78b5a671b74e7de2d8f92475923c7a74881aba51 Mon Sep 17 00:00:00 2001
From: JamesMBligh <james@redcrew.com.au>
Date: Mon, 13 May 2019 16:21:45 +1000
Subject: [PATCH] Removed numbering and updated change log

---
 docs/includes/changelog                 |   6 +
 docs/index.html                         | 299 ++++++------------------
 slate/source/includes/_security.md.erb  | 217 ++++-------------
 slate/source/includes/_standards.md.erb |   2 +-
 slate/source/includes/changelog.md      |   1 +
 5 files changed, 127 insertions(+), 398 deletions(-)

diff --git a/docs/includes/changelog b/docs/includes/changelog
index 3862db14..f0abf3e1 100644
--- a/docs/includes/changelog
+++ b/docs/includes/changelog
@@ -10,6 +10,12 @@
 </tr>
 </thead><tbody>
 <tr>
+<td>13/5/2019</td>
+<td>0.8.4</td>
+<td>InfoSec Update</td>
+<td>Imported the InfoSec content without update for recent proposals</td>
+</tr>
+<tr>
 <td>12/5/2019</td>
 <td>0.8.3</td>
 <td>Optionality Update</td>
diff --git a/docs/index.html b/docs/index.html
index 661e7dd9..c8d50371 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -265,55 +265,46 @@
                     <a href="#overview" class="toc-h2 toc-link" data-title="Overview">Overview</a>
                   </li>
                   <li>
-                    <a href="#1-infosec-profile-0-2-0" class="toc-h2 toc-link" data-title="1. InfoSec Profile 0.2.0">1. InfoSec Profile 0.2.0</a>
+                    <a href="#cdr-federation" class="toc-h2 toc-link" data-title="CDR Federation">CDR Federation</a>
                   </li>
                   <li>
-                    <a href="#2-overview" class="toc-h2 toc-link" data-title="2. Overview">2. Overview</a>
+                    <a href="#authentication-flows" class="toc-h2 toc-link" data-title="Authentication Flows">Authentication Flows</a>
                   </li>
                   <li>
-                    <a href="#3-cdr-federation" class="toc-h2 toc-link" data-title="3. CDR Federation">3. CDR Federation</a>
+                    <a href="#client-authentication" class="toc-h2 toc-link" data-title="Client Authentication">Client Authentication</a>
                   </li>
                   <li>
-                    <a href="#4-authentication-flows" class="toc-h2 toc-link" data-title="4. Authentication Flows">4. Authentication Flows</a>
+                    <a href="#oidc-client-types" class="toc-h2 toc-link" data-title="OIDC Client Types">OIDC Client Types</a>
                   </li>
                   <li>
-                    <a href="#5-client-authentication" class="toc-h2 toc-link" data-title="5. Client Authentication">5. Client Authentication</a>
+                    <a href="#tokens" class="toc-h2 toc-link" data-title="Tokens">Tokens</a>
                   </li>
                   <li>
-                    <a href="#6-oidc-client-types" class="toc-h2 toc-link" data-title="6. OIDC Client Types">6. OIDC Client Types</a>
+                    <a href="#scopes-and-claims" class="toc-h2 toc-link" data-title="Scopes and Claims">Scopes and Claims</a>
                   </li>
                   <li>
-                    <a href="#7-tokens" class="toc-h2 toc-link" data-title="7. Tokens">7. Tokens</a>
+                    <a href="#identifiers-and-subject-types" class="toc-h2 toc-link" data-title="Identifiers and Subject Types">Identifiers and Subject Types</a>
                   </li>
                   <li>
-                    <a href="#8-scopes-and-claims" class="toc-h2 toc-link" data-title="8. Scopes and Claims">8. Scopes and Claims</a>
+                    <a href="#levels-of-assurance-loas" class="toc-h2 toc-link" data-title="Levels of Assurance (LoAs)">Levels of Assurance (LoAs)</a>
                   </li>
                   <li>
-                    <a href="#9-identifiers-and-subject-types" class="toc-h2 toc-link" data-title="9. Identifiers and Subject Types">9. Identifiers and Subject Types</a>
+                    <a href="#transaction-security" class="toc-h2 toc-link" data-title="Transaction Security">Transaction Security</a>
                   </li>
                   <li>
-                    <a href="#10-levels-of-assurance-loas" class="toc-h2 toc-link" data-title="10. Levels of Assurance (LoAs)">10. Levels of Assurance (LoAs)</a>
+                    <a href="#request-object" class="toc-h2 toc-link" data-title="Request Object">Request Object</a>
                   </li>
                   <li>
-                    <a href="#11-transaction-security" class="toc-h2 toc-link" data-title="11. Transaction Security">11. Transaction Security</a>
+                    <a href="#endpoints" class="toc-h2 toc-link" data-title="Endpoints">Endpoints</a>
                   </li>
                   <li>
-                    <a href="#12-request-object" class="toc-h2 toc-link" data-title="12. Request Object">12. Request Object</a>
+                    <a href="#consent" class="toc-h2 toc-link" data-title="Consent">Consent</a>
                   </li>
                   <li>
-                    <a href="#13-endpoints" class="toc-h2 toc-link" data-title="13. Endpoints">13. Endpoints</a>
+                    <a href="#normative-references" class="toc-h2 toc-link" data-title="Normative References">Normative References</a>
                   </li>
                   <li>
-                    <a href="#14-consent" class="toc-h2 toc-link" data-title="14. Consent">14. Consent</a>
-                  </li>
-                  <li>
-                    <a href="#15-normative-references" class="toc-h2 toc-link" data-title="15. Normative References">15. Normative References</a>
-                  </li>
-                  <li>
-                    <a href="#16-informative-references" class="toc-h2 toc-link" data-title="16. Informative References">16. Informative References</a>
-                  </li>
-                  <li>
-                    <a href="#17-appendix" class="toc-h2 toc-link" data-title="17. Appendix">17. Appendix</a>
+                    <a href="#informative-references" class="toc-h2 toc-link" data-title="Informative References">Informative References</a>
                   </li>
               </ul>
           </li>
@@ -632,7 +623,7 @@ <h1 id='introduction'>Introduction</h1>
 
 <p>Note that security standards are only partially represented in these standards as they are under development by the Information Security Working Group.  More detail can found at the <a href="https://consumerdatastandardsaustralia.github.io/infosec">Information Security Profile</a> working draft.</p>
 <h1 id='standards'>Standards</h1>
-<p>These standards represent <strong>version 0.8.2</strong> of the high level standards which will support the creation of version 1.  See the <a href="#versioning">versioning section</a> for more information on how versions are managed in the standard.</p>
+<p>These standards represent <strong>version 0.8.4</strong> of the high level standards which will support the creation of version 1.  See the <a href="#versioning">versioning section</a> for more information on how versions are managed in the standard.</p>
 
 <p>Note that, in this proposal, the key words <strong>MUST</strong>, <strong>MUST NOT</strong>, <strong>REQUIRED</strong>, <strong>SHALL</strong>, <strong>SHALL NOT</strong>, <strong>SHOULD</strong>, <strong>SHOULD NOT</strong>, <strong>RECOMMENDED</strong>, <strong>MAY</strong>, and <strong>OPTIONAL</strong> are to be interpreted as described in <a href="http://tools.ietf.org/html/rfc2119">RFC2119</a>.</p>
 
@@ -1517,90 +1508,12 @@ <h3 id='extension-versioning'>Extension Versioning</h3>
 
 <p>An optional header <code>x-&lt;PID&gt;-v</code> will be supported for all end points that can be used by the data consumer to request a specific version of extension fields to include in the response.  See the section on <a href="#http-headers">HTTP Headers</a> for more information on the use of this header.</p>
 <h1 id='security-profile'>Security Profile</h1><h2 id='overview'>Overview</h2>
-<p>This Information Security profile has been developed as part of the introduction in Australia of the <a href="https://www.accc.gov.au/focus-areas/consumer-data-right" title="ACCC Consumer Data Right webpage">Consumer Data Right</a> legislation to give Australians greater control over their data.</p>
-
-<p>The Consumer Data Right is intended to apply sector by sector across the whole economy, beginning in the banking, energy and telecommunications sectors.  These standards have been developed to facilitate the Consumer Data Right by acting as a specific baseline for implementation.</p>
-
-<p>These standards are governed by the Consumer Data Standards team inside Data61.  Data61 has been appointed as the interim standards body. The work of the team is  overseen by Mr. Andrew Stevens as interim Chair, with industry and consumer advice provided by an Advisory Committee. Data61 works closely with the Australian Competition and Consumer Commission (ACCC) as lead regulator of the Consumer Data Right, supported by the Office of the Australian Information Commissioner (OAIC).</p>
-
-<p>Securing of the API end points defined by the standards will be accomplished through alignment with well defined industry protocols and security profiles.  Context specific constraints are then applied to these profiles to provide implementation clarity or reduce risk.</p>
-
-<p>In particular the standards are aligned to the <a href="http://openid.net/specs/openid-financial-api-part-2.html">Financial API (FAPI) Read/Wite profile</a>.</p>
-
-<p>Note that the FAPI Read/Write profile builds on the <a href="http://openid.net/specs/openid-financial-api-part-1.html">FAPI Read Only profile</a>  and implies alignment with the use of <a href="https://openid.net/specs/openid-connect-core-1_0.html">Open ID Connect</a>.</p>
-
-<p>The FAPI Read/Write profile implies specific implementation decisions that are worthy of explicit statement. There are also some additional, specific constraints are applicable for implementations conforming to these standards:</p>
-
-<ul>
-<li>Only the Hybrid Authorisation flow will be supported</li>
-<li>Public Clients will not be supported.  All payload data will be transferred via backchannel communication</li>
-<li>Use of TLS mandated for all interactions</li>
-<li>  Requirement to use TLS 1.2 or greater</li>
-<li>  The version and configuration of TLS for implementations conforming with standards will not be a lower version, or less secure, than that of other digital channels deployed by the data provider</li>
-<li>  A TLS server certificate check shall be performed, as per RFC 6125</li>
-<li>  Mutual TLS will be used to secure back-channel communication between the data consumer and data provider</li>
-<li>For all interactions (except for authorisation) the cipher suites that may be used will be limited to:
-
-<ul>
-<li>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</li>
-<li>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</li>
-<li>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</li>
-<li>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</li>
-</ul></li>
-</ul>
-<h2 id='1-infosec-profile-0-2-0'>1. InfoSec Profile 0.2.0</h2>
-<aside class="warning">
-This is an early draft of the CDR Information Security Profile and thus subject to change.
-</aside>
-<h3 id='1-1-history'>1.1. History</h3>
-<table><thead>
-<tr>
-<th>Author</th>
-<th>Date</th>
-<th>Version</th>
-<th>Description</th>
-</tr>
-</thead><tbody>
-<tr>
-<td>LP</td>
-<td>22/11/2018</td>
-<td>0.0.1</td>
-<td>Created</td>
-</tr>
-<tr>
-<td>LP</td>
-<td>30/11/2018</td>
-<td>0.0.2</td>
-<td>Created</td>
-</tr>
-<tr>
-<td>LP</td>
-<td>10/12/2018</td>
-<td>0.0.3</td>
-<td>Created</td>
-</tr>
-<tr>
-<td>LP</td>
-<td>20/12/2018</td>
-<td>0.1.0</td>
-<td>Created</td>
-</tr>
-<tr>
-<td>LP</td>
-<td>07/01/2019</td>
-<td>0.1.1</td>
-<td>Created</td>
-</tr>
-<tr>
-<td>BK</td>
-<td>06/05/2019</td>
-<td>0.2.0</td>
-<td>Created</td>
-</tr>
-</tbody></table>
+<p>This information security profile will be built upon the foundations of the
+<a href="https://openid.net/specs/openid-financial-api-part-2.html">Financial-grade API Read Write Profile</a> <strong>[FAPI-RW]</strong>, the <a href="https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_CIBA.md?fileviewer=file-view-default">Financial-grade API Client Initiated Backchannel Authentication Profile</a> <strong>[FAPI-CIBA]</strong>, and other standards relating to
+<a href="http://openid.net/specs/openid-connect-core-1_0.html">Open ID Connect 1.0</a> <strong>[OIDC]</strong>.</p>
 
-<p>The detailed change log for this artifact is available <a href="https://github.com/ConsumerDataStandardsAustralia/standards/includes/security/infosec_changelog.md">here</a>.</p>
-<h3 id='1-2-symbols-and-abbreviated-terms'>1.2. Symbols and Abbreviated terms</h3>
+<p>For information on the specific normative references that underpin this profile refer to the <a href="#normative-references">Normative References section</a>.</p>
+<h3 id='symbols-and-abbreviated-terms'>Symbols and Abbreviated terms</h3>
 <ul>
 <li>  <strong>API</strong>: Application Programming Interface</li>
 <li>  <strong>CA</strong>: Certificate Authority</li>
@@ -1633,24 +1546,7 @@ <h3 id='1-2-symbols-and-abbreviated-terms'>1.2. Symbols and Abbreviated terms</h
 <li>  <strong>TLS:</strong> Transport Layer Security</li>
 <li>  <strong>VoT:</strong> Vector of Trust</li>
 </ul>
-<h3 id='1-3-requirements-notation-and-conventions'>1.3. Requirements Notation and Conventions</h3>
-<p>The key words &quot;MUST&quot;, &quot;MUST NOT&quot;, &quot;REQUIRED&quot;, &quot;SHALL&quot;, &quot;SHALL NOT&quot;, &quot;SHOULD&quot;, &quot;SHOULD NOT&quot;, &quot;RECOMMENDED&quot;, &quot;NOT RECOMMENDED&quot;, &quot;MAY&quot;, and &quot;OPTIONAL&quot; in this document are to be interpreted as described in <a href="https://tools.ietf.org/html/rfc2119">RFC 2119</a> <strong>[RFC2119]</strong>.</p>
-<h2 id='2-overview'>2. Overview</h2>
-<p>This artifact details the <a href="https://www.accc.gov.au/focus-areas/consumer-data-right">Consumer Data Right</a> <strong>[CDR]</strong> Information Security
-Profile (CDR-SP). This profile will be built upon the foundations of the
-<a href="https://openid.net/specs/openid-financial-api-part-2.html">Financial-grade API Read Write Profile</a> <strong>[FAPI-RW]</strong>, the <a href="https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_CIBA.md?fileviewer=file-view-default">Financial-grade API Client Initiated Backchannel Authentication Profile</a> <strong>[FAPI-CIBA]</strong>, and other standards relating to
-<a href="http://openid.net/specs/openid-connect-core-1_0.html">Open ID Connect 1.0</a> <strong>[OIDC]</strong>.</p>
-
-<p>Whilst this is a technical artifact, it is guided by the core principles that
-have to led to the creation of the Consumer Data Right. These are:</p>
-
-<ul>
-<li>  The CDR should be <em>consumer focussed</em>.</li>
-<li>  The CDR should encourage <em>competition</em>.</li>
-<li>  The CDR should create <em>opportunities</em>.</li>
-<li>  The CDR should be <em>efficient and fair</em>.</li>
-</ul>
-<h2 id='3-cdr-federation'>3. CDR Federation</h2>
+<h2 id='cdr-federation'>CDR Federation</h2>
 <p>The CDR Federation will facilitate the secure exchange of consumer data and federation metadata between
 multiple system entities which will assume one or more of the following roles:</p>
 
@@ -1672,20 +1568,20 @@ <h2 id='3-cdr-federation'>3. CDR Federation</h2>
 maintained by the Australian Competition and Consumer Commission (ACCC).</li>
 </ul></li>
 </ul>
-<h3 id='3-1-data-holder'>3.1. Data Holder</h3>
+<h3 id='data-holder'>Data Holder</h3>
 <p>The Data Holder (DH) is a system entity that authenticates a consumer
 (resource owner or user), as part of an authorisation process initiated by a Data
 Recipient, and issues an authorisation for that Data Recipient to access the consumer&#39;s data via published APIs.</p>
 
 <p>A Data Holder assumes the role of an <strong>[OIDC]</strong> <a href="https://openid.net/specs/openid-connect-core-1_0.html#Overview">OpenID Provider</a>.</p>
-<h3 id='3-2-data-recipient'>3.2. Data Recipient</h3>
+<h3 id='data-recipient'>Data Recipient</h3>
 <p>A Data Recipient (DR) is system entity that is authorised by a
 Data Holder to access consumer resources (APIs). A Data Recipient MUST capture consumer consent prior to commencing an authorisation process with a Data Holder.</p>
 
 <p>A Data Recipient MUST be accredited in order to participate in the CDR Federation.  Accreditation rules for Data Recipients are beyond the scope of this artifact.</p>
 
 <p>A Data Recipient assumes the role of an <strong>[OIDC]</strong> <a href="https://openid.net/specs/openid-connect-core-1_0.html#Overview">Relying Party (Client)</a>.</p>
-<h3 id='3-3-registry'>3.3. Registry</h3>
+<h3 id='registry'>Registry</h3>
 <aside class="warning">
 The role and the functionality of the Registry is subject to change.
 </aside>
@@ -1700,7 +1596,7 @@ <h3 id='3-3-registry'>3.3. Registry</h3>
 </ul>
 
 <p>A full description of the Registry is beyond the scope of this document.</p>
-<h2 id='4-authentication-flows'>4. Authentication Flows</h2>
+<h2 id='authentication-flows'>Authentication Flows</h2>
 <p>This profile supports the authentication flows specified by <a href="https://openid.net/wg/fapi/">FAPI</a> <strong>[FAPI]</strong>.  These are:</p>
 
 <ul>
@@ -1717,7 +1613,7 @@ <h2 id='4-authentication-flows'>4. Authentication Flows</h2>
 </ul>
 
 <p><a id="hybrid-flow"></a></p>
-<h3 id='4-1-oidc-hybrid-flow'>4.1. OIDC Hybrid Flow</h3>
+<h3 id='oidc-hybrid-flow'>OIDC Hybrid Flow</h3>
 <p>The <strong>[OIDC]</strong> Hybrid Flow is a type of redirection flow where the consumers user
 agent is redirected from a Data Recipient’s (Relying Party) web site to a Data
 Holder’s Authorisation endpoint in the context of an <strong>[OIDC]</strong> authentication
@@ -1729,7 +1625,7 @@ <h3 id='4-1-oidc-hybrid-flow'>4.1. OIDC Hybrid Flow</h3>
 <p>The <code>request_uri</code> parameter SHALL NOT be supported.</p>
 
 <p><a id="ciba-flow"></a></p>
-<h3 id='4-2-client-initiated-backchannel-authentication-ciba'>4.2. Client-Initiated Backchannel Authentication (CIBA)</h3>
+<h3 id='client-initiated-backchannel-authentication-ciba'>Client-Initiated Backchannel Authentication (CIBA)</h3>
 <p>Client Initiated Backchannel Authentication (CIBA) enables a Data Recipient (Client) to
 initiate the authentication of an end-user at a Data Holder (OpenID Provider) by means of decoupled or out-band
 mechanisms <strong>[FAPI-CIBA]</strong>.</p>
@@ -1741,11 +1637,11 @@ <h3 id='4-2-client-initiated-backchannel-authentication-ciba'>4.2. Client-Initia
 <p>Client rules for <strong>[FAPI-CIBA]</strong> are outlined under <a href="https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_CIBA.md?fileviewer=file-view-default#markdown-header-523-confidential-client">section 5.2.3 of the FAPI CIBA profile</a>.</p>
 
 <p><a id="client-authentication"></a></p>
-<h2 id='5-client-authentication'>5. Client Authentication</h2>
+<h2 id='client-authentication'>Client Authentication</h2>
 <p>Data Holder&#39;s MUST support the <code>private_key_jwt</code> Client Authentication method specified at <a href="https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication">section 9</a> of <strong>[OIDC]</strong>.</p>
 
 <p>The PKI Mutual TLS OAuth Client Authentication Method SHALL not be supported.  However as specified under <a href="#mutual-tls">section 11.2</a>, all back-channel communication between Data Recipient and Data Holder systems MUST incorporate, unless stated otherwise, MTLS as part of the TLS handshake.</p>
-<h3 id='5-1-private_key_jwt'>5.1. private_key_jwt</h3>
+<h3 id='private_key_jwt'>private_key_jwt</h3>
 <blockquote>
 <p>Non-Normative Example</p>
 </blockquote>
@@ -1799,9 +1695,9 @@ <h3 id='5-1-private_key_jwt'>5.1. private_key_jwt</h3>
 <li> <code>client_assertion_type</code>: This MUST be set to <code>urn:ietf:params:oauth:client-assertion-type:jwt-bearer</code>.</li>
 <li> <code>client_assertion</code>: The encoded assertion JWT.</li>
 </ul>
-<h2 id='6-oidc-client-types'>6. OIDC Client Types</h2>
+<h2 id='oidc-client-types'>OIDC Client Types</h2>
 <p>Only Confidential Clients SHALL be supported under this profile. Therefore, Public clients SHALL NOT be supported.</p>
-<h2 id='7-tokens'>7. Tokens</h2><h3 id='7-1-id-token'>7.1. ID Token</h3>
+<h2 id='tokens'>Tokens</h2><h3 id='id-token'>ID Token</h3>
 <blockquote>
 <p>Non-Normative Example - acr</p>
 </blockquote>
@@ -1855,22 +1751,22 @@ <h2 id='7-tokens'>7. Tokens</h2><h3 id='7-1-id-token'>7.1. ID Token</h3>
 <ul>
 <li><code>vtm</code>: The trustmark URI as specified in <a href="https://tools.ietf.org/html/draft-richer-vectors-of-trust-15#section-5">section 5</a> of <strong>[VOT]</strong> .</li>
 </ul>
-<h4 id='7-1-1-hashing-value-for-state-and-authorisation-code'>7.1.1. Hashing value for state and authorisation code</h4>
+<h4 id='hashing-value-for-state-and-authorisation-code'>Hashing value for state and authorisation code</h4>
 <p>The <code>c_hash</code> value MUST be generated according to <a href="https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken">section 3.3.2.11</a> of <strong>[OIDC]</strong>.</p>
 
 <p>The <code>s_hash</code> value MUST be generated according to <a href="https://openid.net/specs/openid-financial-api-part-2.html#introduction">section 5.1</a> of <strong>[FAPI-RW]</strong>.</p>
-<h3 id='7-2-access-token'>7.2. Access Token</h3>
+<h3 id='access-token'>Access Token</h3>
 <p>Access Tokens MUST be used as specified in <a href="https://tools.ietf.org/html/rfc6749#section-10.3">section 10.3</a> of <strong>[OAUTH2]</strong>. An
 Access Token MUST expire <code>n</code> minutes after it is issued by the Data Holder where <code>n</code> is determined by <strong>[CDR]</strong> rules.</p>
 
 <p>The process for refreshing an Access Token is described in <a href="https://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken">section 12.1</a> of <strong>[OIDC]</strong>.</p>
-<h3 id='7-3-refresh-token'>7.3. Refresh Token</h3>
+<h3 id='refresh-token'>Refresh Token</h3>
 <p>Refresh Tokens MUST be supported by Data Holders.  The usage of Refresh Tokens is specified in <a href="https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens">section 12</a> of <strong>[OIDC]</strong>.
 A Refresh Token MUST expire <code>n</code> days after it is issued where <code>n</code> is determined by <strong>[CDR]</strong> rules.</p>
-<h2 id='8-scopes-and-claims'>8. Scopes and Claims</h2>
+<h2 id='scopes-and-claims'>Scopes and Claims</h2>
 <p>Industry-specific scopes (for example, <code>bank_account</code>) will not be referenced in
 this profile.</p>
-<h3 id='8-1-oidc-scopes'>8.1. OIDC Scopes</h3>
+<h3 id='oidc-scopes'>OIDC Scopes</h3>
 <p>The following scopes MUST be supported:</p>
 
 <ul>
@@ -1883,7 +1779,7 @@ <h3 id='8-1-oidc-scopes'>8.1. OIDC Scopes</h3>
 <li>given_name claim</li>
 </ul></li>
 </ul>
-<h3 id='8-2-claims'>8.2. Claims</h3>
+<h3 id='claims'>Claims</h3>
 <p>The following <a href="https://openid.net/specs/openid-connect-core-1_0.html#NormalClaims">normal</a> <strong>[OIDC]</strong> claims MUST be supported. This list includes, but is not limited to, <strong>[OIDC]</strong> <a href="https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims">standard claims</a> :</p>
 
 <ul>
@@ -1904,7 +1800,7 @@ <h3 id='8-2-claims'>8.2. Claims</h3>
 </ul>
 
 <p><a id="identifiers"></a></p>
-<h2 id='9-identifiers-and-subject-types'>9. Identifiers and Subject Types</h2>
+<h2 id='identifiers-and-subject-types'>Identifiers and Subject Types</h2>
 <p>The identifier for an authenticated end-user (subject) MUST be passed in the <code>sub</code> claim of an <a href="https://openid.net/specs/openid-cocnnect-core-1_0.html#IDToken">ID Token</a> and <a href="https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse">UserInfo response</a> as defined by <strong>[OIDC]</strong>. The
 Data Holder MUST generate the <code>sub</code> value as a Pairwise Pseudonymous Identifier (PPID)
 as described in <a href="https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes">section 8</a> of <strong>[OIDC]</strong>. Furthermore, the identifier SHOULD also be unique relative to the scenario in which the end-user has authenticated. For example, the identifier generated for the same person when they are using a business account SHOULD be different to the identifier that is generated when that same individual is authorising as an individual.</p>
@@ -1913,7 +1809,7 @@ <h2 id='9-identifiers-and-subject-types'>9. Identifiers and Subject Types</h2>
 Identifier (UUID) <strong>[RFC4122]</strong>.</p>
 
 <p><a id="levels-of-assurance-loas"></a></p>
-<h2 id='10-levels-of-assurance-loas'>10. Levels of Assurance (LoAs)</h2>
+<h2 id='levels-of-assurance-loas'>Levels of Assurance (LoAs)</h2>
 <p>Levels Of Assurance (LoAs), returned after a successful authentication, MAY be represented in 2 different forms:</p>
 
 <ul>
@@ -1930,7 +1826,7 @@ <h2 id='10-levels-of-assurance-loas'>10. Levels of Assurance (LoAs)</h2>
 </ul>
 
 <p><a id="ordinal-loa"></a></p>
-<h3 id='10-1-single-ordinal'>10.1. Single Ordinal</h3>
+<h3 id='single-ordinal'>Single Ordinal</h3>
 <p>A Single LoA value is carried in the <code>acr</code> claim which is described in <a href="https://openid.net/specs/openid-connect-core-1_0.html#IDToken">section 2</a> of <strong>[OIDC]</strong>.</p>
 
 <ul>
@@ -1951,7 +1847,7 @@ <h3 id='10-1-single-ordinal'>10.1. Single Ordinal</h3>
 <p><em>WRITE</em> operations SHALL only be allowed where <strong>at least</strong> an LoA of 3 has been achieved.</p>
 
 <p><a id="vector-loas"></a></p>
-<h3 id='10-2-vector'>10.2. Vector</h3><h3 id='10-2-1-overview'>10.2.1. Overview</h3>
+<h3 id='vector'>Vector</h3><h3 id='overview-2'>Overview</h3>
 <p>This profile incorporates support for <a href="https://tools.ietf.org/html/draft-richer-vectors-of-trust-15">Vectors of Trust</a> <strong>[VOT]</strong>. A Vector, in this context, allows for the representation of multiple orthogonal components dimensions that may, but are not limited to, carry information relating to:</p>
 
 <ul>
@@ -1964,7 +1860,7 @@ <h3 id='10-2-vector'>10.2. Vector</h3><h3 id='10-2-1-overview'>10.2.1. Overview<
 <p>It is anticipated that due to their characteristics, which include composability, extensibility, and expressiveness, VoTs will be become the relevant standard for assurance representation at Identity Providers. Furthermore, as the <strong>[CDR]</strong> matures and incorporates requirements for Identity Proofing, Credential Management, and Assertion Presentation, these independent LoAs will be progressively added to the VoT <strong>[CDR]</strong> ecosystem. However, the dynamic capabilities of <strong>[VOT]</strong> will ensure that their addition does not break existing <strong>[CDR]</strong> implementations.</p>
 
 <p><a id="vot-values"></a></p>
-<h3 id='10-2-2-vot-values'>10.2.2. VoT Values</h3>
+<h3 id='vot-values'>VoT Values</h3>
 <p>The following VoT values SHALL be supported to represent authentication assurance levels when employing <strong>[VOT]</strong>.  These are carried in the <code>vot</code> claim of an ID Token:</p>
 
 <ul>
@@ -1979,7 +1875,7 @@ <h3 id='10-2-2-vot-values'>10.2.2. VoT Values</h3>
 <aside class="information">
 The Trustmark URI is yet to be defined.
 </aside>
-<h2 id='11-transaction-security'>11. Transaction Security</h2><h3 id='11-1-ciphers'>11.1. Ciphers</h3>
+<h2 id='transaction-security'>Transaction Security</h2><h3 id='ciphers'>Ciphers</h3>
 <p>All HTTP calls MUST be made using HTTPS incorporating TLS &gt;= 1.2. Only the following cipher suites SHALL be permitted in accordance with <a href="https://openid.net/specs/openid-financial-api-part-2.html#tls-considerations">section 8.5</a> of <strong>[FAPI-RW]</strong>:</p>
 
 <ul>
@@ -1990,7 +1886,7 @@ <h2 id='11-transaction-security'>11. Transaction Security</h2><h3 id='11-1-ciphe
 </ul>
 
 <p><a id="mutual-tls"></a></p>
-<h3 id='11-2-mutual-tls'>11.2. Mutual TLS</h3>
+<h3 id='mutual-tls'>Mutual TLS</h3>
 <aside class="information">
 Additional content will be added to this section when the Registry requirements are established. For example, verification/revocation of transport certificates.
 </aside>
@@ -2001,7 +1897,7 @@ <h3 id='11-2-mutual-tls'>11.2. Mutual TLS</h3>
 <li>The presented Client transport certificate MUST be issued by the CDR Certificate Authority (CA).  The Server MUST NOT trust Client transport certificates issued by other authorities.</li>
 <li>The presented Server transport certificate MUST be issued by the CDR Certificate Authority (CA).  The Client MUST NOT trust Server transport certificates issued by other authorities.</li>
 </ul>
-<h3 id='11-3-holder-of-key-mechanism'>11.3. Holder of Key Mechanism</h3>
+<h3 id='holder-of-key-mechanism'>Holder of Key Mechanism</h3>
 <p>MTLS MUST be supported as a Holder of Key (HoK) Mechanism.</p>
 
 <p>OAUTB SHALL NOT be supported due to a lack industry support.</p>
@@ -2009,7 +1905,7 @@ <h3 id='11-3-holder-of-key-mechanism'>11.3. Holder of Key Mechanism</h3>
 <p>MTLS HoK allows issued tokens to be bound to a client certificate as specified in <a href="https://tools.ietf.org/id/draft-ietf-oauth-mtls-07.html#SenderConstrainedAccess">section 3</a> of <strong>[MTLS]</strong>.</p>
 
 <p><a id="request-object"></a></p>
-<h2 id='12-request-object'>12. Request Object</h2>
+<h2 id='request-object'>Request Object</h2>
 <blockquote>
 <p>Non-Normative Example - acr as an Essential Claim</p>
 </blockquote>
@@ -2061,7 +1957,7 @@ <h2 id='12-request-object'>12. Request Object</h2>
 <p>Request Object references SHALL NOT be supported.</p>
 
 <p>The <code>iss</code> claim SHALL NOT be supported as it duplicates the role of the <code>client_id</code> claim.</p>
-<h3 id='12-1-data-holder-authorisation-server-vot'>12.1. Data Holder Authorisation Server VoT</h3>
+<h3 id='data-holder-authorisation-server-vot'>Data Holder Authorisation Server VoT</h3>
 <blockquote>
 <p>Non-Normative Example - vtr</p>
 </blockquote>
@@ -2116,7 +2012,7 @@ <h3 id='12-1-data-holder-authorisation-server-vot'>12.1. Data Holder Authorisati
 <li>If the <code>vot</code> Claim is requested as an Essential Claim for the ID Token with a values parameter requesting specific VoT values, the Data Holder Authorization Server MUST return a <code>vot</code> Claim Value that matches one of the requested values. The Data Holder Authorization Server MAY ask the End-User to re-authenticate with additional factors to meet this requirement. If this requirement cannot be met, then the Data Holder Authorization Server MUST treat that outcome as a failed authentication.</li>
 </ul></li>
 </ul>
-<h3 id='12-2-data-recipient-client-using-vot'>12.2. Data Recipient Client using VoT</h3>
+<h3 id='data-recipient-client-using-vot'>Data Recipient Client using VoT</h3>
 <blockquote>
 <p>Non-Normative Example - vot as an Essential Claim</p>
 </blockquote>
@@ -2153,7 +2049,7 @@ <h3 id='12-2-data-recipient-client-using-vot'>12.2. Data Recipient Client using
 <ul>
 <li>SHALL, where a Data Holder supports <strong>[VOT]</strong>, request user authentication with a Credential Level of 2 (<code>CL2</code>) or greater by requesting the <code>vot</code> claim as an essential claim.</li>
 </ul>
-<h2 id='13-endpoints'>13. Endpoints</h2><h3 id='13-1-openid-provider-configuration-endpoint'>13.1. OpenID Provider Configuration Endpoint</h3>
+<h2 id='endpoints'>Endpoints</h2><h3 id='openid-provider-configuration-endpoint'>OpenID Provider Configuration Endpoint</h3>
 <blockquote>
 <p>Non-Normative Example</p>
 </blockquote>
@@ -2253,7 +2149,7 @@ <h2 id='13-endpoints'>13. Endpoints</h2><h3 id='13-1-openid-provider-configurati
 </ul>
 
 <p><a id="authorisation-endpoint"></a></p>
-<h3 id='13-2-authorisation-endpoint'>13.2. Authorisation Endpoint</h3>
+<h3 id='authorisation-endpoint'>Authorisation Endpoint</h3>
 <blockquote>
 <p>Non-Normative Example</p>
 </blockquote>
@@ -2337,7 +2233,7 @@ <h3 id='13-2-authorisation-endpoint'>13.2. Authorisation Endpoint</h3>
 <p>The <code>request_uri</code> parameter SHALL NOT be supported.</p>
 
 <p>A description of requirements relating to the <code>request</code> parameter can be found in the <a href="#request-object">section 12</a>.</p>
-<h3 id='13-3-backchannel-authorisation-endpoint'>13.3. Backchannel Authorisation Endpoint</h3>
+<h3 id='backchannel-authorisation-endpoint'>Backchannel Authorisation Endpoint</h3>
 <table><thead>
 <tr>
 <th>Description</th>
@@ -2367,7 +2263,7 @@ <h3 id='13-3-backchannel-authorisation-endpoint'>13.3. Backchannel Authorisation
 <p>Data Holder&#39;s that feature <strong>[FAPI-CIBA]</strong> MUST support the <code>poll</code> mode and MAY support the <code>ping</code> mode.  The <code>push</code> mode SHALL not be supported.</p>
 
 <p>A description of requirements relating to the <code>request</code> parameter can be found in the <a href="#request-object">section 12</a>.</p>
-<h3 id='13-4-token-endpoint'>13.4. Token Endpoint</h3>
+<h3 id='token-endpoint'>Token Endpoint</h3>
 <table><thead>
 <tr>
 <th>Description</th>
@@ -2397,7 +2293,7 @@ <h3 id='13-4-token-endpoint'>13.4. Token Endpoint</h3>
 <p>To obtain an Access Token, an ID Token, and a Refresh Token, the Data Recipient sends a Token Request to the Token Endpoint.</p>
 
 <p>Data Holders MUST support a Token Endpoint.</p>
-<h3 id='13-5-userinfo-endpoint'>13.5. UserInfo Endpoint</h3>
+<h3 id='userinfo-endpoint'>UserInfo Endpoint</h3>
 <table><thead>
 <tr>
 <th>Description</th>
@@ -2425,7 +2321,7 @@ <h3 id='13-5-userinfo-endpoint'>13.5. UserInfo Endpoint</h3>
 <p>The requirements for the UserInfo Endpoint are specified in <a href="https://openid.net/specs/openid-connect-core-1_0.html#HybridTokenEndpoint">section 3.3.3</a> of <strong>[OIDC]</strong>.</p>
 
 <p>Data Holders MUST support a UserInfo Endpoint.</p>
-<h3 id='13-6-jwks-endpoint'>13.6. JWKS Endpoint</h3>
+<h3 id='jwks-endpoint'>JWKS Endpoint</h3>
 <blockquote>
 <p>Non-Normative Example</p>
 </blockquote>
@@ -2480,7 +2376,7 @@ <h3 id='13-6-jwks-endpoint'>13.6. JWKS Endpoint</h3>
 <li><code>kid</code>: This is used to match a specific key within a JWKS and thus must be unique within the set.</li>
 <li><code>use</code>: This is used to identify the intended use of the public key.  Supported values are <code>sig</code> and <code>enc</code>.</li>
 </ul>
-<h3 id='13-7-introspection-endpoint'>13.7. Introspection Endpoint</h3>
+<h3 id='introspection-endpoint'>Introspection Endpoint</h3>
 <table><thead>
 <tr>
 <th>Description</th>
@@ -2518,7 +2414,7 @@ <h3 id='13-7-introspection-endpoint'>13.7. Introspection Endpoint</h3>
   is currently active.</li>
 <li><code>exp</code>:  A JSON number representing the number of seconds from 1970-01-01T00:00:00Z to the UTC expiry time.</li>
 </ul>
-<h3 id='13-8-revocation-endpoint'>13.8. Revocation Endpoint</h3>
+<h3 id='revocation-endpoint'>Revocation Endpoint</h3>
 <table><thead>
 <tr>
 <th>Description</th>
@@ -2546,7 +2442,7 @@ <h3 id='13-8-revocation-endpoint'>13.8. Revocation Endpoint</h3>
 <p>Data Holders MUST implement a Token Revocation Endpoint as described in <a href="https://tools.ietf.org/html/rfc7009#section-2">section 2</a> of <strong>[RFC7009]</strong>. The Revocation Endpoint serves as a revocation mechanism that allows a Data Recipient to invalidate its tokens as required. Notifying the Data Holder authorisation server that the token is no longer needed allows the server to clean up data associated with that token and the underlying authorization grant.</p>
 
 <p>Revocation of Refresh Tokens and Access Tokens MUST be supported.</p>
-<h3 id='13-9-client-registration-endpoint'>13.9. Client Registration Endpoint</h3>
+<h3 id='client-registration-endpoint'>Client Registration Endpoint</h3>
 <blockquote>
 <p>Non-Normative Example</p>
 </blockquote>
@@ -2622,7 +2518,7 @@ <h3 id='13-9-client-registration-endpoint'>13.9. Client Registration Endpoint</h
 <td>No</td>
 </tr>
 </tbody></table>
-<h4 id='13-9-1-request'>13.9.1. Request</h4>
+<h4 id='request'>Request</h4>
 <p>To register as a new Client at a Data Holder&#39;s Authorisation Server, a Data Recipient MUST <code>POST</code> its Client metadata to the Data Holder&#39;s Registration Endpoint in the form of an (encoded) signed <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32">JWT</a> <strong>[JWT]</strong>.  This process is specified in <a href="https://openid.net/specs/openid-connect-registration-1_0.html">OpenID Connect Registration</a> <strong>[OIDC-CR]</strong>. The registering <strong>[JWT]</strong> is signed by the private key of the Client and MUST include a <a href="https://tools.ietf.org/html/rfc7591#page-14">software statement</a>.  The software statement is an encoded <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32">JWT</a> <strong>[JWT]</strong> signed by the CDR Certificate Authority private key and thus supports non-repudiation.  The content of and mechanism for retrieving and generating a software statement is beyond the scope of this profile.</p>
 
 <p>The registering <strong>[JWT]</strong> MUST include, at a minimum, the following fields:</p>
@@ -2657,11 +2553,11 @@ <h4 id='13-9-1-request'>13.9.1. Request</h4>
 
 <p>Data Holders MUST ensure that the <code>CN</code> (Common Name) in the Client certificate <code>subject</code> field matches the <code>software_id</code> claim present in the software statement.
 Data Holders MUST verify that the embedded software statement has been signed by the CDR Certificate Authority.</p>
-<h4 id='13-9-2-response'>13.9.2. Response</h4>
+<h4 id='response'>Response</h4>
 <p>The Data Holder MUST respond in accordance with <a href="https://openid.net/specs/openid-connect-registration-1_0.html">OpenID Connect Registration</a> <strong>[OIDC-CR]</strong> sections 3.2 and 3.3.</p>
 
 <p><a id="consent"></a></p>
-<h2 id='14-consent'>14. Consent</h2>
+<h2 id='consent'>Consent</h2>
 <aside class="warning">
 How querying, communication, and revocation of consent will be supported technically are a current key area of focus. An approach to consent will be published in January 2019, for the purposes of delivering version 1 of the standards.
 </aside>
@@ -2675,7 +2571,7 @@ <h2 id='14-consent'>14. Consent</h2>
 <ul>
 <li>Support the <code>grant type</code> of <code>client_credentials</code> strictly for the purpose of passing an Access Token to a Data Recipient which can be then used to invoke the Consent API.</li>
 </ul>
-<h2 id='15-normative-references'>15. Normative References</h2>
+<h2 id='normative-references'>Normative References</h2>
 <table><thead>
 <tr>
 <th><strong>Reference</strong></th>
@@ -2767,7 +2663,7 @@ <h2 id='15-normative-references'>15. Normative References</h2>
 <td>Vectors of Trust, draft-richer-vectors-of-trust-15 <a href="https://tools.ietf.org/html/draft-richer-vectors-of-trust-15">https://tools.ietf.org/html/draft-richer-vectors-of-trust-15</a></td>
 </tr>
 </tbody></table>
-<h2 id='16-informative-references'>16. Informative References</h2>
+<h2 id='informative-references'>Informative References</h2>
 <table><thead>
 <tr>
 <th><strong>Reference</strong></th>
@@ -2795,71 +2691,6 @@ <h2 id='16-informative-references'>16. Informative References</h2>
 <td>X.1254 - Entity authentication assurance framework: <a href="https://www.itu.int/rec/T-REC-X1254-201209-I/en">https://www.itu.int/rec/T-REC-X1254-201209-I/en</a></td>
 </tr>
 </tbody></table>
-<h2 id='17-appendix'>17. Appendix</h2><h3 id='17-1-client-credentials-grant-type'>17.1. Client Credentials grant type</h3>
-<p><img src="images/clientCredentialsSequence.png" alt="Part A" /></p>
-<h3 id='17-2-redirect-authentication-flow'>17.2. Redirect Authentication Flow</h3><h4 id='part-a-data-recipient-to-data-holder'>Part A - Data Recipient to Data Holder</h4>
-<p><img src="images/redirPartA.png" alt="Part A" /></p>
-<h5 id='steps'>Steps</h5>
-<ol>
-<li>The end-user navigates to a Data Recipient Website.</li>
-<li>The end-user selects their preferred Data Holder.</li>
-<li>The end-user&#39;s browser is redirected to the Data Holder&#39;s Authorisation Endpoint.</li>
-<li><em>One</em> of the following may occur:
-
-<ol>
-<li>The end-user may cancel the process at any point (in Parts <strong>A</strong>, <strong>B</strong> or <strong>C</strong>) and will be returned to the passed redirection URI for the Data Recipient with the relevant error code.</li>
-<li>The end-user is denied access.  This may happen as a result of too many failed attempts or other conditions relating to the end-user&#39;s account.  The end-user&#39;s browser will be redirected to the passed redirection URI for the Data Recipient with the relevant error code.</li>
-<li>The end-user successfully authenticates and begins the authorisation step (see Part <strong>B</strong>).</li>
-</ol></li>
-</ol>
-<h4 id='part-b-data-holder-authentication'>Part B - Data Holder Authentication</h4>
-<p><img src="images/redirPartB.png" alt="Part B" /></p>
-<h5 id='steps-2'>Steps</h5>
-<p>Part <strong>B</strong> illustrates the different authentication methods a Data Holder may present to the end-user.  It is important from a usability perspective that the Data Holder authentication choices presented to the end-user are consistent with those currently utilised by the end-user when accessing their existing Data Holder online accounts.</p>
-
-<p>The following options may be used:</p>
-
-<ol>
-<li>All Credentials/Factors are captured through the Browser.  On success, the authorisation process begins (Part <strong>C</strong>) .</li>
-<li>Two Factor Authentication (2FA)
-
-<ol>
-<li>A userId and optionally a password are entered to the browser and submitted by the end-user.</li>
-<li>A code or notification is sent to a end-user&#39;s pre-registered mobile/device application (detached authentication device).  This step is optional as an end-user&#39;s device application may generate codes in isolation, as is the case for Time-based One-Time Password (TOTP).</li>
-<li> The end-user views the code or event on their detached authentication device.</li>
-<li><em>One</em> of the following may occur:
-
-<ol>
-<li>The end-user directly enters the code (or scans a QR Code) into the browser and submits the request.  On success, the authorisation process begins (Part <strong>C</strong>).</li>
-<li>The end-user does not enter the code into the browser.  The end-user acknowledges the authentication through the device and a secure message is sent from the device to the Data Holder via a backchannel. On receipt of the message, the Data Holder&#39;s website redirects the end-user&#39;s browser to the authorisation page (Part <strong>C</strong>).</li>
-</ol></li>
-</ol></li>
-</ol>
-<h4 id='part-c-post-authorisation-data-recipient-to-data-holder'>Part C - Post Authorisation Data Recipient to Data Holder</h4>
-<p><img src="images/redirPartC.png" alt="Part C" /></p>
-<h5 id='steps-3'>Steps</h5>
-<p>This process continues from Part <strong>B</strong> after a successful authentication.</p>
-
-<ol>
-<li>The end-user authorises the transaction.</li>
-<li><em>One</em> of the following may occur:
-
-<ol>
-<li>The Data Holder creates a new pairwise identifier for the end-user and Data Recipient combination.  This is the first time the end-user has authenticated to the Data Holder in the context of a request from this Data Recipient.</li>
-<li>This is a reauthentication.  The end-user has previously authenticated to the Data Holder in the context of an authentication request from this Data Recipient.  The existing pairwise identifier for the end-user and Data Recipient is allocated to the authorisation.</li>
-</ol></li>
-<li> The Data Holder creates the authorisation code and ID Token for the authorisation instance.</li>
-<li> The end-user&#39;s browser is redirected to the Data Recipient&#39;s redirect URI.  The ID Token and authorisation code generated in Step 3 are attached to the URL as a fragment.  The Data Recipient web server processes the request.</li>
-<li> The Data Recipient decrypts the ID Token, verifies the signature and issuer of the ID Token, verifies the state/code hashes within the token, and also matches the presented state against its own session state.  The Data Recipient then sends a POST request to the Data Holder Token Endpoint using Client Authentication and the Authorisation Code.</li>
-<li>The Data Holder Endpoint authenticates the Data Recipient client and matches the authorisation code. On success, the Endpoint responds with an Access Token, Refresh Token and an ID Token.</li>
-<li>The Data Holder creates an event relating to the authorisation.  This event is propagated/handled and may result in shared resource owners being notified about the authorisation.</li>
-<li> The Data Recipient verifies the ID Token and on success, invokes the UserInfo Endpoint using the Access Token as a Bearer Token.  The Data Holder verifies the token, applies the necessary Holder of Key verification check and on success, returns the requested UserInfo claims.</li>
-<li> The Data Recipient optionally begins calling the Data Holder APIs with the Access Token and renders the result to the end-user&#39;s browser.</li>
-</ol>
-<h3 id='17-3-sample-data-holder-domain-model'>17.3. Sample Data Holder Domain Model</h3>
-<p><img src="images/holderDomain.png" alt="Domain Model" /></p>
-<h4 id='description'>Description</h4>
-<p>This diagram depicts the domain model of a hypothetical Data Holder. It is in no way prescriptive but illustrates the associations between the authorisation-related entities that may exist within a Data Holder&#39;s domain.</p>
 <h1 id="consumer-data-standards-banking-apis">Banking APIs</h1>
 <h2 id='get-accounts'>Get Accounts</h2>
 <p><a id="opIdlistAccounts"></a></p>
@@ -14369,6 +14200,12 @@ <h1 id='change-log'>Change Log</h1>
 </tr>
 </thead><tbody>
 <tr>
+<td>13/5/2019</td>
+<td>0.8.4</td>
+<td>InfoSec Update</td>
+<td>Imported the InfoSec content without update for recent proposals</td>
+</tr>
+<tr>
 <td>12/5/2019</td>
 <td>0.8.3</td>
 <td>Optionality Update</td>
diff --git a/slate/source/includes/_security.md.erb b/slate/source/includes/_security.md.erb
index fe024e1a..1bb1616b 100644
--- a/slate/source/includes/_security.md.erb
+++ b/slate/source/includes/_security.md.erb
@@ -2,54 +2,13 @@
 
 ## Overview
 
-This Information Security profile has been developed as part of the introduction in Australia of the [Consumer Data Right](https://www.accc.gov.au/focus-areas/consumer-data-right "ACCC Consumer Data Right webpage") legislation to give Australians greater control over their data.
-
-The Consumer Data Right is intended to apply sector by sector across the whole economy, beginning in the banking, energy and telecommunications sectors.  These standards have been developed to facilitate the Consumer Data Right by acting as a specific baseline for implementation.
-
-These standards are governed by the Consumer Data Standards team inside Data61.  Data61 has been appointed as the interim standards body. The work of the team is  overseen by Mr. Andrew Stevens as interim Chair, with industry and consumer advice provided by an Advisory Committee. Data61 works closely with the Australian Competition and Consumer Commission (ACCC) as lead regulator of the Consumer Data Right, supported by the Office of the Australian Information Commissioner (OAIC).
-
-Securing of the API end points defined by the standards will be accomplished through alignment with well defined industry protocols and security profiles.  Context specific constraints are then applied to these profiles to provide implementation clarity or reduce risk.
-
-In particular the standards are aligned to the [Financial API (FAPI) Read/Wite profile](http://openid.net/specs/openid-financial-api-part-2.html).
-
-Note that the FAPI Read/Write profile builds on the [FAPI Read Only profile](http://openid.net/specs/openid-financial-api-part-1.html)  and implies alignment with the use of [Open ID Connect](https://openid.net/specs/openid-connect-core-1_0.html).
-
-The FAPI Read/Write profile implies specific implementation decisions that are worthy of explicit statement. There are also some additional, specific constraints are applicable for implementations conforming to these standards:
-
-- Only the Hybrid Authorisation flow will be supported
-- Public Clients will not be supported.  All payload data will be transferred via backchannel communication
-- Use of TLS mandated for all interactions
--	Requirement to use TLS 1.2 or greater
--	The version and configuration of TLS for implementations conforming with standards will not be a lower version, or less secure, than that of other digital channels deployed by the data provider
--	A TLS server certificate check shall be performed, as per RFC 6125
--	Mutual TLS will be used to secure back-channel communication between the data consumer and data provider
-- For all interactions (except for authorisation) the cipher suites that may be used will be limited to:
-    - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
-    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-    - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
-    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-
-
-## 1. InfoSec Profile 0.2.0
-
-<aside class="warning">
-This is an early draft of the CDR Information Security Profile and thus subject to change.
-</aside>
-
-### 1.1. History
-
-| Author          | Date       | Version | Description               |
-|-----------------|------------|---------|------------|
-| LP			     | 22/11/2018 | 0.0.1   | Created |
-| LP			     | 30/11/2018 | 0.0.2  | Created  |
-| LP			     | 10/12/2018 | 0.0.3  | Created  |
-| LP			     | 20/12/2018 | 0.1.0  | Created  |
-| LP			     | 07/01/2019 | 0.1.1  | Created  |
-| BK			     | 06/05/2019 | 0.2.0  | Created  |
+This information security profile will be built upon the foundations of the
+[Financial-grade API Read Write Profile](https://openid.net/specs/openid-financial-api-part-2.html) **[FAPI-RW]**, the [Financial-grade API Client Initiated Backchannel Authentication Profile](https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_CIBA.md?fileviewer=file-view-default) **[FAPI-CIBA]**, and other standards relating to
+[Open ID Connect 1.0](http://openid.net/specs/openid-connect-core-1_0.html) **[OIDC]**.
 
-The detailed change log for this artifact is available [here](https://github.com/ConsumerDataStandardsAustralia/standards/includes/security/infosec_changelog.md).
+For information on the specific normative references that underpin this profile refer to the [Normative References section](#normative-references).
 
-### 1.2. Symbols and Abbreviated terms
+### Symbols and Abbreviated terms
 -   **API**: Application Programming Interface
 -   **CA**: Certificate Authority
 -   **CDR:** Consumer Data Right
@@ -81,24 +40,7 @@ The detailed change log for this artifact is available [here](https://github.com
 -   **TLS:** Transport Layer Security
 -   **VoT:** Vector of Trust
 
-### 1.3. Requirements Notation and Conventions
-The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119](https://tools.ietf.org/html/rfc2119) **[RFC2119]**.
-
-## 2. Overview
-This artifact details the [Consumer Data Right](https://www.accc.gov.au/focus-areas/consumer-data-right) **[CDR]** Information Security
-Profile (CDR-SP). This profile will be built upon the foundations of the
-[Financial-grade API Read Write Profile](https://openid.net/specs/openid-financial-api-part-2.html) **[FAPI-RW]**, the [Financial-grade API Client Initiated Backchannel Authentication Profile](https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_CIBA.md?fileviewer=file-view-default) **[FAPI-CIBA]**, and other standards relating to
-[Open ID Connect 1.0](http://openid.net/specs/openid-connect-core-1_0.html) **[OIDC]**.
-
-Whilst this is a technical artifact, it is guided by the core principles that
-have to led to the creation of the Consumer Data Right. These are:
-
--   The CDR should be *consumer focussed*.
--   The CDR should encourage *competition*.
--   The CDR should create *opportunities*.
--   The CDR should be *efficient and fair*.
-
-## 3. CDR Federation
+## CDR Federation
 The CDR Federation will facilitate the secure exchange of consumer data and federation metadata between
 multiple system entities which will assume one or more of the following roles:
 
@@ -110,14 +52,14 @@ multiple system entities which will assume one or more of the following roles:
     -   It is envisaged that only one registry will be supported and will be
         maintained by the Australian Competition and Consumer Commission (ACCC).
 
-### 3.1. Data Holder
+### Data Holder
 The Data Holder (DH) is a system entity that authenticates a consumer
 (resource owner or user), as part of an authorisation process initiated by a Data
 Recipient, and issues an authorisation for that Data Recipient to access the consumer's data via published APIs.
 
 A Data Holder assumes the role of an **[OIDC]** [OpenID Provider](https://openid.net/specs/openid-connect-core-1_0.html#Overview).
 
-### 3.2. Data Recipient
+### Data Recipient
 A Data Recipient (DR) is system entity that is authorised by a
 Data Holder to access consumer resources (APIs). A Data Recipient MUST capture consumer consent prior to commencing an authorisation process with a Data Holder.
 
@@ -125,7 +67,7 @@ A Data Recipient MUST be accredited in order to participate in the CDR Federatio
 
 A Data Recipient assumes the role of an **[OIDC]** [Relying Party (Client)](https://openid.net/specs/openid-connect-core-1_0.html#Overview).
 
-### 3.3. Registry
+### Registry
 <aside class="warning">
 The role and the functionality of the Registry is subject to change.
 </aside>
@@ -139,7 +81,7 @@ Recipients. Data Holders and Data Recipients must be created as entities in the
 
 A full description of the Registry is beyond the scope of this document.
 
-## 4. Authentication Flows
+## Authentication Flows
 This profile supports the authentication flows specified by [FAPI](https://openid.net/wg/fapi/) **[FAPI]**.  These are:
 
 -  The Hybrid Flow outlined at [section 3.3](https://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth) of **[OIDC]**.
@@ -148,7 +90,7 @@ This profile supports the authentication flows specified by [FAPI](https://openi
     -  This MAY be supported by Data Holders.
 
 <a id="hybrid-flow"></a>
-### 4.1. OIDC Hybrid Flow
+### OIDC Hybrid Flow
 The **[OIDC]** Hybrid Flow is a type of redirection flow where the consumers user
 agent is redirected from a Data Recipient’s (Relying Party) web site to a Data
 Holder’s Authorisation endpoint in the context of an **[OIDC]** authentication
@@ -160,7 +102,7 @@ Only a `response_type` (see [section 3](https://openid.net/specs/openid-connect-
 The `request_uri` parameter SHALL NOT be supported.
 
 <a id="ciba-flow"></a>
-### 4.2. Client-Initiated Backchannel Authentication (CIBA)
+### Client-Initiated Backchannel Authentication (CIBA)
 Client Initiated Backchannel Authentication (CIBA) enables a Data Recipient (Client) to
 initiate the authentication of an end-user at a Data Holder (OpenID Provider) by means of decoupled or out-band
 mechanisms **[FAPI-CIBA]**.
@@ -172,12 +114,12 @@ Login hints MUST not reveal Personal Information (PI) about the consumer or end-
 Client rules for **[FAPI-CIBA]** are outlined under [section 5.2.3 of the FAPI CIBA profile](https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_CIBA.md?fileviewer=file-view-default#markdown-header-523-confidential-client).
 
 <a id="client-authentication"></a>
-## 5. Client Authentication
+## Client Authentication
 Data Holder's MUST support the `private_key_jwt` Client Authentication method specified at [section 9](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication) of **[OIDC]**.
 
 The PKI Mutual TLS OAuth Client Authentication Method SHALL not be supported.  However as specified under [section 11.2](#mutual-tls), all back-channel communication between Data Recipient and Data Holder systems MUST incorporate, unless stated otherwise, MTLS as part of the TLS handshake.
 
-### 5.1. private\_key\_jwt
+### private\_key\_jwt
 
 
 > Non-Normative Example
@@ -229,12 +171,12 @@ When invoking a protected endpoint, the aforementioned assertion MUST be sent wi
 -  `client_assertion_type`: This MUST be set to `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`.
 -  `client_assertion`: The encoded assertion JWT.
 
-## 6. OIDC Client Types
+## OIDC Client Types
 Only Confidential Clients SHALL be supported under this profile. Therefore, Public clients SHALL NOT be supported.
 
-## 7. Tokens
+## Tokens
 
-### 7.1. ID Token
+### ID Token
 
 > Non-Normative Example - acr
 
@@ -288,26 +230,26 @@ If the ID Token contains a `vot` claim, it MUST also contain a `vtm` claim:
 
 - `vtm`: The trustmark URI as specified in [section 5](https://tools.ietf.org/html/draft-richer-vectors-of-trust-15#section-5) of **[VOT]** .
 
-#### 7.1.1. Hashing value for state and authorisation code
+#### Hashing value for state and authorisation code
 The `c_hash` value MUST be generated according to [section 3.3.2.11](https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken) of **[OIDC]**.
 
 The `s_hash` value MUST be generated according to [section 5.1](https://openid.net/specs/openid-financial-api-part-2.html#introduction) of **[FAPI-RW]**.
 
-### 7.2. Access Token
+### Access Token
 Access Tokens MUST be used as specified in [section 10.3] (https://tools.ietf.org/html/rfc6749#section-10.3) of **[OAUTH2]**. An
 Access Token MUST expire `n` minutes after it is issued by the Data Holder where `n` is determined by **[CDR]** rules.
 
 The process for refreshing an Access Token is described in [section 12.1](https://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken) of **[OIDC]**.
 
-### 7.3. Refresh Token
+### Refresh Token
 Refresh Tokens MUST be supported by Data Holders.  The usage of Refresh Tokens is specified in [section 12](https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens) of **[OIDC]**.
 A Refresh Token MUST expire `n` days after it is issued where `n` is determined by **[CDR]** rules.
 
-## 8. Scopes and Claims
+## Scopes and Claims
 Industry-specific scopes (for example, `bank_account`) will not be referenced in
 this profile.
 
-### 8.1. OIDC Scopes
+### OIDC Scopes
 The following scopes MUST be supported:
 
 - `openid`: As described as [section 3.1.2.1](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) of **[OIDC]**, this scope MUST be present on each authentication request.
@@ -316,7 +258,7 @@ The following scopes MUST be supported:
     - family_name claim
     - given_name claim
 
-### 8.2. Claims
+### Claims
 The following [normal](https://openid.net/specs/openid-connect-core-1_0.html#NormalClaims) **[OIDC]** claims MUST be supported. This list includes, but is not limited to, **[OIDC]** [standard claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) :
 
 - `sub`: [Pairwise Pseudonymous Identifier (PPID)](#identifiers) for the End-User at the Data Holder.
@@ -333,7 +275,7 @@ The following **[VOT]** claims MAY be supported:
 -  `vtm`: The **[VOT]** trustmark URI.
 
 <a id="identifiers"></a>
-## 9. Identifiers and Subject Types
+## Identifiers and Subject Types
 The identifier for an authenticated end-user (subject) MUST be passed in the `sub` claim of an [ID Token](https://openid.net/specs/openid-cocnnect-core-1_0.html#IDToken) and [UserInfo response](https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse) as defined by **[OIDC]**. The
 Data Holder MUST generate the `sub` value as a Pairwise Pseudonymous Identifier (PPID)
 as described in [section 8](https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes) of **[OIDC]**. Furthermore, the identifier SHOULD also be unique relative to the scenario in which the end-user has authenticated. For example, the identifier generated for the same person when they are using a business account SHOULD be different to the identifier that is generated when that same individual is authorising as an individual.
@@ -342,7 +284,7 @@ It is RECOMMENDED that the `sub` value is generated as a universally unique
 Identifier (UUID) **[RFC4122]**.
 
 <a id="levels-of-assurance-loas"></a>
-## 10. Levels of Assurance (LoAs)
+## Levels of Assurance (LoAs)
 Levels Of Assurance (LoAs), returned after a successful authentication, MAY be represented in 2 different forms:
 
 - [Single Ordinal](#ordinal-loa): A single LoA value is represented.
@@ -351,7 +293,7 @@ Levels Of Assurance (LoAs), returned after a successful authentication, MAY be r
   - Data Holder's MAY support this mechanism.
 
 <a id="ordinal-loa"></a>
-### 10.1. Single Ordinal
+### Single Ordinal
 A Single LoA value is carried in the `acr` claim which is described in [section 2](https://openid.net/specs/openid-connect-core-1_0.html#IDToken) of **[OIDC]**.
 
   - An LoA of 2 is represented by the URI: `urn:cds.au:cdr:2`
@@ -368,9 +310,9 @@ A Single LoA value is carried in the `acr` claim which is described in [section
 *WRITE* operations SHALL only be allowed where __at least__ an LoA of 3 has been achieved.
 
 <a id="vector-loas"></a>
-### 10.2. Vector
+### Vector
 
-### 10.2.1. Overview
+### Overview
 This profile incorporates support for [Vectors of Trust](https://tools.ietf.org/html/draft-richer-vectors-of-trust-15) **[VOT]**. A Vector, in this context, allows for the representation of multiple orthogonal components dimensions that may, but are not limited to, carry information relating to:
 
 - Identity Proofing
@@ -381,7 +323,7 @@ This profile incorporates support for [Vectors of Trust](https://tools.ietf.org/
 It is anticipated that due to their characteristics, which include composability, extensibility, and expressiveness, VoTs will be become the relevant standard for assurance representation at Identity Providers. Furthermore, as the **[CDR]** matures and incorporates requirements for Identity Proofing, Credential Management, and Assertion Presentation, these independent LoAs will be progressively added to the VoT **[CDR]** ecosystem. However, the dynamic capabilities of **[VOT]** will ensure that their addition does not break existing **[CDR]** implementations.
 
 <a id="vot-values"></a>
-### 10.2.2. VoT Values
+### VoT Values
 
 The following VoT values SHALL be supported to represent authentication assurance levels when employing **[VOT]**.  These are carried in the `vot` claim of an ID Token:
 
@@ -397,8 +339,8 @@ The following VoT values SHALL be supported to represent authentication assuranc
 The Trustmark URI is yet to be defined.
 </aside>
 
-## 11. Transaction Security
-### 11.1. Ciphers
+## Transaction Security
+### Ciphers
 All HTTP calls MUST be made using HTTPS incorporating TLS >= 1.2. Only the following cipher suites SHALL be permitted in accordance with [section 8.5](https://openid.net/specs/openid-financial-api-part-2.html#tls-considerations) of **[FAPI-RW]**:
 
 -   TLS\_DHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256
@@ -407,7 +349,7 @@ All HTTP calls MUST be made using HTTPS incorporating TLS >= 1.2. Only the follo
 -   TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384
 
 <a id="mutual-tls"></a>
-### 11.2. Mutual TLS
+### Mutual TLS
 
 <aside class="information">
 Additional content will be added to this section when the Registry requirements are established. For example, verification/revocation of transport certificates.
@@ -418,7 +360,7 @@ All back-channel communication between Data Recipient and Data Holder systems MU
 - The presented Client transport certificate MUST be issued by the CDR Certificate Authority (CA).  The Server MUST NOT trust Client transport certificates issued by other authorities.
 - The presented Server transport certificate MUST be issued by the CDR Certificate Authority (CA).  The Client MUST NOT trust Server transport certificates issued by other authorities.
 
-### 11.3. Holder of Key Mechanism
+### Holder of Key Mechanism
 
 MTLS MUST be supported as a Holder of Key (HoK) Mechanism.
 
@@ -427,7 +369,7 @@ OAUTB SHALL NOT be supported due to a lack industry support.
 MTLS HoK allows issued tokens to be bound to a client certificate as specified in [section 3](https://tools.ietf.org/id/draft-ietf-oauth-mtls-07.html#SenderConstrainedAccess) of **[MTLS]**.
 
 <a id="request-object"></a>
-## 12. Request Object
+## Request Object
 
 > Non-Normative Example - acr as an Essential Claim
 
@@ -482,7 +424,7 @@ Request Object references SHALL NOT be supported.
 
 The `iss` claim SHALL NOT be supported as it duplicates the role of the `client_id` claim.
 
-### 12.1. Data Holder Authorisation Server VoT
+### Data Holder Authorisation Server VoT
 
 > Non-Normative Example - vtr
 
@@ -532,7 +474,7 @@ If a Data Holder supports Vectors of Trust **[VOT]**, they MUST accept Request o
 	- This is the VoT equivalent of an `acr` essential claim.
 	- If the `vot` Claim is requested as an Essential Claim for the ID Token with a values parameter requesting specific VoT values, the Data Holder Authorization Server MUST return a `vot` Claim Value that matches one of the requested values. The Data Holder Authorization Server MAY ask the End-User to re-authenticate with additional factors to meet this requirement. If this requirement cannot be met, then the Data Holder Authorization Server MUST treat that outcome as a failed authentication.
 
-### 12.2. Data Recipient Client using VoT
+### Data Recipient Client using VoT
 
 > Non-Normative Example - vot as an Essential Claim
 
@@ -570,9 +512,9 @@ For *WRITE* operations, a Data Recipient:
 
 - SHALL, where a Data Holder supports **[VOT]**, request user authentication with a Credential Level of 2 (`CL2`) or greater by requesting the `vot` claim as an essential claim.
 
-## 13. Endpoints
+## Endpoints
 
-### 13.1. OpenID Provider Configuration Endpoint
+### OpenID Provider Configuration Endpoint
 
 > Non-Normative Example
 
@@ -651,7 +593,7 @@ Data Holders that support [CIBA](https://bitbucket.org/openid/fapi/src/master/Fi
 - `backchannel_authentication_request_signing_alg_values_supported`: JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for signed authentication requests. Only `ES256` and `PS256` SHALL be supported.
 
 <a id="authorisation-endpoint"></a>
-### 13.2. Authorisation Endpoint
+### Authorisation Endpoint
 
 > Non-Normative Example
 
@@ -721,7 +663,7 @@ The `request_uri` parameter SHALL NOT be supported.
 
 A description of requirements relating to the `request` parameter can be found in the [section 12](#request-object).
 
-### 13.3. Backchannel Authorisation Endpoint
+### Backchannel Authorisation Endpoint
 | Description | Value   |
 |---|---|
 | Hosted By  | Data Holder  |
@@ -735,7 +677,7 @@ Data Holder's that feature **[FAPI-CIBA]** MUST support the `poll` mode and MAY
 
 A description of requirements relating to the `request` parameter can be found in the [section 12](#request-object).
 
-### 13.4. Token Endpoint
+### Token Endpoint
 | Description | Value   |
 |---|---|
 | Hosted By  | Data Holder  |
@@ -749,7 +691,7 @@ To obtain an Access Token, an ID Token, and a Refresh Token, the Data Recipient
 
 Data Holders MUST support a Token Endpoint.
 
-### 13.5. UserInfo Endpoint
+### UserInfo Endpoint
 | Description | Value   |
 |---|---|
 | Hosted By  | Data Holder  |
@@ -761,7 +703,7 @@ The requirements for the UserInfo Endpoint are specified in [section 3.3.3] (htt
 
 Data Holders MUST support a UserInfo Endpoint.
 
-### 13.6. JWKS Endpoint
+### JWKS Endpoint
 
 > Non-Normative Example
 
@@ -800,7 +742,7 @@ The JWKS Endpoint returns a **[JSON]** document containing a JSON Web Key Set de
 - `kid`: This is used to match a specific key within a JWKS and thus must be unique within the set.
 - `use`: This is used to identify the intended use of the public key.  Supported values are `sig` and `enc`.
 
-### 13.7. Introspection Endpoint
+### Introspection Endpoint
 
 | Description | Value   |
 |---|---|
@@ -821,7 +763,7 @@ An Introspection Endpoint Response SHALL only include the following fields:
       is currently active.
 - `exp`:  A JSON number representing the number of seconds from 1970-01-01T00:00:00Z to the UTC expiry time.
 
-### 13.8. Revocation Endpoint
+### Revocation Endpoint
 
 | Description | Value   |
 |---|---|
@@ -834,7 +776,7 @@ Data Holders MUST implement a Token Revocation Endpoint as described in [section
 
 Revocation of Refresh Tokens and Access Tokens MUST be supported.
 
-### 13.9. Client Registration Endpoint
+### Client Registration Endpoint
 
 > Non-Normative Example
 
@@ -896,7 +838,7 @@ Dynamic Client Registration functionality is directly impacted by the emerging r
 | Client Authentication Required| No|
 | Bearer Token Required| No|
 
-#### 13.9.1. Request
+#### Request
 
 To register as a new Client at a Data Holder's Authorisation Server, a Data Recipient MUST `POST` its Client metadata to the Data Holder's Registration Endpoint in the form of an (encoded) signed [JWT](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32) **[JWT]**.  This process is specified in [OpenID Connect Registration](https://openid.net/specs/openid-connect-registration-1_0.html) **[OIDC-CR]**. The registering **[JWT]** is signed by the private key of the Client and MUST include a [software statement](https://tools.ietf.org/html/rfc7591#page-14).  The software statement is an encoded [JWT](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32) **[JWT]** signed by the CDR Certificate Authority private key and thus supports non-repudiation.  The content of and mechanism for retrieving and generating a software statement is beyond the scope of this profile.
 
@@ -927,12 +869,12 @@ This request MUST be made with MTLS as specified in [section 11.2](#mutual-tls).
 Data Holders MUST ensure that the `CN` (Common Name) in the Client certificate `subject` field matches the `software_id` claim present in the software statement.
 Data Holders MUST verify that the embedded software statement has been signed by the CDR Certificate Authority.
 
-#### 13.9.2. Response
+#### Response
 
 The Data Holder MUST respond in accordance with [OpenID Connect Registration](https://openid.net/specs/openid-connect-registration-1_0.html) **[OIDC-CR]** sections 3.2 and 3.3.
 
 <a id="consent"></a>
-## 14. Consent
+## Consent
 
 <aside class="warning">
 How querying, communication, and revocation of consent will be supported technically are a current key area of focus. An approach to consent will be published in January 2019, for the purposes of delivering version 1 of the standards.
@@ -947,7 +889,7 @@ A Data Holder Token Endpoint MUST:
 - Support the `grant type` of `client_credentials` strictly for the purpose of passing an Access Token to a Data Recipient which can be then used to invoke the Consent API.
 
 
-## 15. Normative References
+## Normative References
 
 | **Reference**  | **Description**  |
 | --- | --- | --- |
@@ -973,7 +915,7 @@ A Data Holder Token Endpoint MUST:
 | <a id="RFC7662"></a>**[RFC7662]**  | OAuth 2.0 Token Introspection: <https://tools.ietf.org/html/rfc7662>|
 | <a id="VOT"></a>**[VOT]** | Vectors of Trust, draft-richer-vectors-of-trust-15 <https://tools.ietf.org/html/draft-richer-vectors-of-trust-15>
 
-## 16. Informative References
+## Informative References
 
 | **Reference**  | **Description**                                                                                                                                                                   |
 |----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
@@ -982,60 +924,3 @@ A Data Holder Token Endpoint MUST:
 | <a id="FAPI"></a>**[FAPI]**      | Financial-Grade API - Home Page <https://openid.net/wg/fapi/>                                                                                                     |
 | <a id="RFC4122"></a>**[RFC4122]**  | A Universally Unique Identifier (UUID) URN Namespace: <https://tools.ietf.org/html/rfc4122> |
 | <a id="X.1254"></a>**[X.1254]**   | X.1254 - Entity authentication assurance framework: <https://www.itu.int/rec/T-REC-X1254-201209-I/en> |
-
-## 17. Appendix
-
-### 17.1. Client Credentials grant type
-![Part A](/images/clientCredentialsSequence.png)
-
-### 17.2. Redirect Authentication Flow
-
-#### Part A - Data Recipient to Data Holder
-![Part A](/images/redirPartA.png)
-##### Steps
-1. The end-user navigates to a Data Recipient Website.
-2. The end-user selects their preferred Data Holder.
-3. The end-user's browser is redirected to the Data Holder's Authorisation Endpoint.
-4. *One* of the following may occur:
-  1. The end-user may cancel the process at any point (in Parts **A**, **B** or **C**) and will be returned to the passed redirection URI for the Data Recipient with the relevant error code.
-  2. The end-user is denied access.  This may happen as a result of too many failed attempts or other conditions relating to the end-user's account.  The end-user's browser will be redirected to the passed redirection URI for the Data Recipient with the relevant error code.
-  3. The end-user successfully authenticates and begins the authorisation step (see Part **B**).
-
-
-#### Part B - Data Holder Authentication
-![Part B](/images/redirPartB.png)
-##### Steps
-Part **B** illustrates the different authentication methods a Data Holder may present to the end-user.  It is important from a usability perspective that the Data Holder authentication choices presented to the end-user are consistent with those currently utilised by the end-user when accessing their existing Data Holder online accounts.
-
-The following options may be used:
-
-1. All Credentials/Factors are captured through the Browser.  On success, the authorisation process begins (Part **C**) .
-2. Two Factor Authentication (2FA)
-    1. A userId and optionally a password are entered to the browser and submitted by the end-user.
-    2. A code or notification is sent to a end-user's pre-registered mobile/device application (detached authentication device).  This step is optional as an end-user's device application may generate codes in isolation, as is the case for Time-based One-Time Password (TOTP).
-    3.  The end-user views the code or event on their detached authentication device.
-    4. *One* of the following may occur:
-        1. The end-user directly enters the code (or scans a QR Code) into the browser and submits the request.  On success, the authorisation process begins (Part **C**).
-        2. The end-user does not enter the code into the browser.  The end-user acknowledges the authentication through the device and a secure message is sent from the device to the Data Holder via a backchannel. On receipt of the message, the Data Holder's website redirects the end-user's browser to the authorisation page (Part **C**).
-
-#### Part C - Post Authorisation Data Recipient to Data Holder
-![Part C](/images/redirPartC.png)
-##### Steps
-This process continues from Part **B** after a successful authentication.
-
-1. The end-user authorises the transaction.
-2. *One* of the following may occur:
-  1. The Data Holder creates a new pairwise identifier for the end-user and Data Recipient combination.  This is the first time the end-user has authenticated to the Data Holder in the context of a request from this Data Recipient.
-  2. This is a reauthentication.  The end-user has previously authenticated to the Data Holder in the context of an authentication request from this Data Recipient.  The existing pairwise identifier for the end-user and Data Recipient is allocated to the authorisation.
-3.  The Data Holder creates the authorisation code and ID Token for the authorisation instance.
-4.  The end-user's browser is redirected to the Data Recipient's redirect URI.  The ID Token and authorisation code generated in Step 3 are attached to the URL as a fragment.  The Data Recipient web server processes the request.
-5.  The Data Recipient decrypts the ID Token, verifies the signature and issuer of the ID Token, verifies the state/code hashes within the token, and also matches the presented state against its own session state.  The Data Recipient then sends a POST request to the Data Holder Token Endpoint using Client Authentication and the Authorisation Code.
-6. The Data Holder Endpoint authenticates the Data Recipient client and matches the authorisation code. On success, the Endpoint responds with an Access Token, Refresh Token and an ID Token.
-7. The Data Holder creates an event relating to the authorisation.  This event is propagated/handled and may result in shared resource owners being notified about the authorisation.
-8.  The Data Recipient verifies the ID Token and on success, invokes the UserInfo Endpoint using the Access Token as a Bearer Token.  The Data Holder verifies the token, applies the necessary Holder of Key verification check and on success, returns the requested UserInfo claims.
-9.  The Data Recipient optionally begins calling the Data Holder APIs with the Access Token and renders the result to the end-user's browser.
-
-### 17.3. Sample Data Holder Domain Model
-![Domain Model](/images/holderDomain.png)
-#### Description
-This diagram depicts the domain model of a hypothetical Data Holder. It is in no way prescriptive but illustrates the associations between the authorisation-related entities that may exist within a Data Holder's domain.
diff --git a/slate/source/includes/_standards.md.erb b/slate/source/includes/_standards.md.erb
index aa3f1a2f..6234c95d 100644
--- a/slate/source/includes/_standards.md.erb
+++ b/slate/source/includes/_standards.md.erb
@@ -1,6 +1,6 @@
 # Standards
 
-These standards represent **version 0.8.2** of the high level standards which will support the creation of version 1.  See the [versioning section](#versioning) for more information on how versions are managed in the standard.
+These standards represent **version 0.8.4** of the high level standards which will support the creation of version 1.  See the [versioning section](#versioning) for more information on how versions are managed in the standard.
 
 Note that, in this proposal, the key words **MUST**, **MUST NOT**, **REQUIRED**, **SHALL**, **SHALL NOT**, **SHOULD**, **SHOULD NOT**, **RECOMMENDED**, **MAY**, and **OPTIONAL** are to be interpreted as described in [RFC2119](http://tools.ietf.org/html/rfc2119).
 
diff --git a/slate/source/includes/changelog.md b/slate/source/includes/changelog.md
index 3583b6d7..a5094acd 100644
--- a/slate/source/includes/changelog.md
+++ b/slate/source/includes/changelog.md
@@ -4,6 +4,7 @@ The following table lists the changes made to these standards in reverse date or
 
 |Change Date|Version|Description|Detail Of change|
 |-----------|-------|-----------|----------------|
+|13/5/2019|0.8.4|InfoSec Update|Imported the InfoSec content without update for recent proposals 
 |12/5/2019|0.8.3|Optionality Update|Clarified the meaning of a field declaration of optional
 |7/5/2019|0.8.2|Minor fixes|Minor fixes for product category enum
 |6/4/2019|0.8.1|Negative Rates|Modified RateString to allow for negative rates and not just positive or zero rates