DataRight+: Australian CDR Profile
draft-authors-datarightplus-cdr-profile-00
| Document | Type | Active Internet-Draft (individual) | |
|---|---|---|---|
| Author | Stuart Low | ||
| Last updated | 2024-04-02 | ||
| RFC stream | (None) | ||
| Intended RFC status | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-authors-datarightplus-cdr-profile-00
datarightplus S. Low
Internet-Draft Biza.io
Intended status: Experimental 2 April 2024
Expires: 4 October 2024
DataRight+: Australian CDR Profile
draft-authors-datarightplus-cdr-profile-00
Abstract
This is the ecosystem profile for the Australian CDR describing the
composite components to form the technical infrastructure operating
to form the Australian Consumer Data Right. This specification is
intended to result in a [CDS] compatible implementation.
Notational Conventions
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 4 October 2024.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
Low Expires 4 October 2024 [Page 1]
Internet-Draft DataRight+: Australian CDR Profile April 2024
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Table of Contents
1. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Providers . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1. Information Security . . . . . . . . . . . . . . . . . . 3
3.2. Resource Server . . . . . . . . . . . . . . . . . . . . . 4
3.2.1. Metrics . . . . . . . . . . . . . . . . . . . . . . . 4
3.2.2. Forced Metadata Refresh . . . . . . . . . . . . . . . 4
4. Initiators . . . . . . . . . . . . . . . . . . . . . . . . . 4
4.1. Information Security . . . . . . . . . . . . . . . . . . 5
4.2. Resource Server Client . . . . . . . . . . . . . . . . . 5
5. Ecosystem Authority . . . . . . . . . . . . . . . . . . . . . 5
5.1. Accreditation . . . . . . . . . . . . . . . . . . . . . . 5
6. Electricity Authority . . . . . . . . . . . . . . . . . . . . 6
7. Electricity Plan Website . . . . . . . . . . . . . . . . . . 6
8. Current Ecosystem Configuration . . . . . . . . . . . . . . . 6
9. Implementation Considerations . . . . . . . . . . . . . . . . 6
10. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 6
11. Normative References . . . . . . . . . . . . . . . . . . . . 6
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8
1. Scope
The scope of this document is intended to be the combinatorial
outcome of a variety of specifications to achieve a compliant outcome
within the Australian Consumer Data Right. Because this document
relates to a specific ecosystem deployment it contains static
configuration information.
This document *does not* seek to navigate the complexities of
[CDR-RULES] but rather to establish a technical baseline to consider
these in each implementors context.
2. Terminology
This specification utilises the various terms outlined within
[DATARIGHTPLUS-ROSETTA].
Banking Sector Relates to the Holders, designated under the
[CDR-RULES] in the Banking industry
Energy Sector Relates to the Designated Holders, designated under
Low Expires 4 October 2024 [Page 2]
Internet-Draft DataRight+: Australian CDR Profile April 2024
the [CDR-RULES] in the Energy industry
Designated Holders Designated Holders are organisations which belong
to a designated sector, according to the [CDR-RULES] and meet
certain eligibility requirements to be required to deliver CDR
services within their sector.
3. Providers
Providers are required to deliver authorisation and resource
requirements. They are also required to integrate with the Ecosystem
Authority in the prescribed way.
3.1. Information Security
Providers MUST:
1. comply with the Provider provisions described in
[DATARIGHTPLUS-INFOSEC-BASELINE-00];
2. comply with the provisions outlined in
[DATARIGHTPLUS-ADMISSION-CONTROL-00];
3. comply with the provisions outlined in
[DATARIGHTPLUS-SHARING-ARRANGEMENT-V1-00];
4. support the following acr claim and validate the Consumer with
the following values:
1. urn:cds.au:cdr:2 where the authentication achieved matches
the Credential Level CL1 from [TDIF] or;
2. urn:cds.au:cdr:3 where the authentication achieved matches
the Credential Level CL2 from [TDIF]
5. incorporate One-Time Passwords as part of the requirement to
achieve the minimum acceptable value for the acr claim and:
1. MUST be delivered using existing and preferred channels
2. MUST be numeric digits and be between 4 and 6 digits in
length
3. MUST only be valid for the purposes of establishing
authorisations between Provider and Initiators
4. MUST be invalidated after a reasonable period of time
6. MUST authenticate a confidential client using private_key_jwt as
described in section 9 of [OIDC-Core] with a client identifier of
cdr-register
7. MUST supply a scope value of admin:metrics.basic:read for all
successful authentications of the cdr-register client identifier
_Note:_ The CDR currently mandates, essentially exclusively, the use
of One-Time Passwords while restricting the introduction of
additional "friction" via other factors. It is understood this is
currently being reconsidered.
Low Expires 4 October 2024 [Page 3]
Internet-Draft DataRight+: Australian CDR Profile April 2024
3.2. Resource Server
Providers operating within the Banking Sector MUST comply with the
provisions outlined in [DATARIGHTPLUS-RESOURCE-SET-COMMON-00] and
[DATARIGHTPLUS-RESOURCE-SET-BANKING-00].
Providers operating within the Energy Sector MUST comply with the
provisions outlined in [DATARIGHTPLUS-RESOURCE-SET-COMMON-00] and
[DATARIGHTPLUS-RESOURCE-SET-ENERGY-00].
3.2.1. Metrics
In addition to the aforementioned requirements Providers MUST deliver
protected resource(s), in accordance with
[DATARIGHTPLUS-REDOCLY-ID1], as follows:
+==========================+==========================+===========+
| Resource Server Endpoint | Required Scope | Valid x-v |
+==========================+==========================+===========+
| GET /admin/metrics | admin:metrics.basic:read | 5 |
+--------------------------+--------------------------+-----------+
Table 1
3.2.2. Forced Metadata Refresh
In addition to the aforementioned requirements Providers MUST deliver
protected resource(s), in accordance with
[DATARIGHTPLUS-REDOCLY-ID1], as follows:
+==========================+=======================+===========+
| Resource Server Endpoint | Required Scope | Valid x-v |
+==========================+=======================+===========+
| GET /admin/metrics | admin:metadata:update | 1 |
+--------------------------+-----------------------+-----------+
Table 2
On requesting this endpoint the Provider MUST trigger a refresh of
the information obtained from the Ecosystem Directory.
4. Initiators
Initiators are required to comply with Ecosystem Authority
requirements and integrate with Providers in prescribed ways.
Within the Australian CDR Initiators are commonly referred to as
Software Products.
Low Expires 4 October 2024 [Page 4]
Internet-Draft DataRight+: Australian CDR Profile April 2024
4.1. Information Security
Initiators MUST:
1. comply with the Initiator provisions described in
[DATARIGHTPLUS-INFOSEC-BASELINE-00];
2. comply with the provisions outlined in
[DATARIGHTPLUS-ADMISSION-CONTROL-00];
3. comply with the provisions outlined in
[DATARIGHTPLUS-SHARING-ARRANGEMENT-V1-00];
4.2. Resource Server Client
Initiators MUST access Provider resource server infrastructure in
accordance with:
1. [DATARIGHTPLUS-INFOSEC-BASELINE-00] and;
2. [DATARIGHTPLUS-RESOURCE-SET-COMMON-00] and;
3. [DATARIGHTPLUS-RESOURCE-SET-BANKING-00] and;
4. [DATARIGHTPLUS-RESOURCE-SET-ENERGY-00]
5. Ecosystem Authority
The Ecosystem Authority MUST comply with the requirements outlined
within [DATARIGHTPLUS-ADMISSION-CONTROL-00].
The Ecosystem Authority for the Australian CDR is the Australian
Competition and Consumer Commission (ACCC)
(https://www.accc.gov.au/).
5.1. Accreditation
The Ecosystem Authority performs external validation of participant
capabilities, particularly of the Initiator Entity.
This occurs by way of a combination of Ecosystem Authority
verification, external technology audit standards (notably ASAE3150)
and legal assertions by a Initiator Entity carrying higher
accreditation as to the suitability of new subordinate Initiator
Entities.
As a result of this validation Initiator Entities are granted an
accreditation status which in turn influences the authorisation
scopes that are made available to thee relevant Initiator. Further
detail on this process in the context of the CDR can be found within
the [CDR-RULES] and within guidelines published on the CDR website
(https://cdr.gov.au).
Low Expires 4 October 2024 [Page 5]
Internet-Draft DataRight+: Australian CDR Profile April 2024
The subject of accreditation is not intended to be covered by this
specification. As a consequence this document focuses primarily on
the relationship between Provider and Initiator with the Ecosystem
Authority providing third party assurance with respect to technical
admission control.
6. Electricity Authority
The Electricity Authority MUST comply with the relevant provisions
outlined within [DATARIGHTPLUS-RESOURCE-SET-ENERGY-00].
The Electricity Authority for the Australian CDR is the Australian
Energy Market Operator (AEMO) (https://aemo.com.au/en).
7. Electricity Plan Website
The Electricity Plan Website MUST comply with the relevant provisions
outlined within [DATARIGHTPLUS-RESOURCE-SET-ENERGY-00].
The Electricity Plan Website for the Australian CDR is Energy Made
Easy (https://energymadeeasy.gov.au/) operated by the Australian
Energy Regulator (https://www.aer.gov.au/).
8. Current Ecosystem Configuration
The following outlines the currently understood endpoint
configuration for the Australian CDR ecosystem:
9. Implementation Considerations
Where One-Time Password OTP are in use the generation method SHOULD
incorporate controls, such as retry limits, to minimise the risk of
enumeration attacks.
10. Acknowledgement
The following people contributed to this document:
* Stuart Low (Biza.io) - Editor
We acknowledge the contribution to the [CDS] of the following
individuals: - James Bligh (Data Standards Body) - Lead Architect for
the Consumer Data Right - Mark Verstege (Data Standards Body) - Lead
Architect, Banking & Information Security for the Consumer Data Right
- Ivan Hosgood (formerly Data Standards Body & ACCC) - Solutions
Architect
11. Normative References
Low Expires 4 October 2024 [Page 6]
Internet-Draft DataRight+: Australian CDR Profile April 2024
[CDR-RULES]
Department of the Treasury, "Competition and Consumer
(Consumer Data Right) Rules 2020",
<https://www.legislation.gov.au/F2020L00094/2023-07-22/
text>.
[CDS] Data Standards Body (Treasury), "Consumer Data Standards
(CDS)", <https://consumerdatastandardsaustralia.github.io/
standards>.
[DATARIGHTPLUS-ADMISSION-CONTROL-00]
Low, S. and B. Kolera, "DataRight+: Admission Control
Baseline", <https://datarightplus.github.io/datarightplus-
admission-control-baseline/draft-authors-datarightplus-
admission-control-00/draft-authors-datarightplus-
admission-control.html>.
[DATARIGHTPLUS-INFOSEC-BASELINE-00]
Low, S. and B. Kolera, "DataRight+ Security Profile:
Baseline", <https://datarightplus.github.io/datarightplus-
infosec-baseline/draft-authors-datarightplus-infosec-
baseline-00/draft-authors-datarightplus-infosec-
baseline.html>.
[DATARIGHTPLUS-REDOCLY-ID1]
Low, S., Kolera, B., and W. Cai, "DataRight+: Redocly
(ID1)", <https://datarightplus.github.io/datarightplus-
redocly/?v=ID1>.
[DATARIGHTPLUS-RESOURCE-SET-BANKING-00]
Low, S., "DataRight+: Banking Resource Set",
<https://datarightplus.github.io/datarightplus-resource-
set-banking/draft-authors-datarightplus-resource-set-
banking-00/draft-authors-datarightplus-resource-set-
banking.html>.
[DATARIGHTPLUS-RESOURCE-SET-COMMON-00]
Low, S., "DataRight+: Common Resource Set",
<https://datarightplus.github.io/datarightplus-resource-
set-common/draft-authors-datarightplus-resource-set-
common-00/draft-authors-datarightplus-resource-set-
common.html>.
Low Expires 4 October 2024 [Page 7]
Internet-Draft DataRight+: Australian CDR Profile April 2024
[DATARIGHTPLUS-RESOURCE-SET-ENERGY-00]
Low, S., "DataRight+: Energy Resource Set",
<https://datarightplus.github.io/datarightplus-resource-
set-energy/draft-authors-datarightplus-resource-set-
energy-00/draft-authors-datarightplus-resource-set-
energy.html>.
[DATARIGHTPLUS-ROSETTA]
Low, S., "DataRight+ Rosetta Stone",
<https://datarightplus.github.io/datarightplus-rosetta/
draft-authors-datarightplus-rosetta.html>.
[DATARIGHTPLUS-SHARING-ARRANGEMENT-V1-00]
Low, S. and B. Kolera, "DataRight+: Sharing Arrangement
V1", <https://datarightplus.github.io/datarightplus-
sharing-arrangement-v1/draft-authors-datarightplus-
sharing-arrangement-v1-00/draft-authors-datarightplus-
sharing-arrangement-v1.html>.
[OIDC-Core]
Sakimura, N., "OpenID Connect Core 1.0 incorporating
errata set 1",
<http://openid.net/specs/openid-connect-core-1_0.html>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[TDIF] Commonwealth of Australia (Digital Transformation Agency),
"Trusted Digital Identity Framework ( TDIF)",
<https://www.digitalidentity.gov.au>.
Author's Address
Stuart Low
Biza.io
Email: stuart@biza.io
Low Expires 4 October 2024 [Page 8]