-
Notifications
You must be signed in to change notification settings - Fork 4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feedback 05 - Client Registration #5
Comments
NAB would like to provide the following initial feedback on Client Registration. Static Client Registration
Cache Refresh Metadata Request
Incident ManagementWhat is the mechanism for notification? Will there be an ACCC API to receive these notifications? Is there any consideration to overlay of business hours to this 24 hour notification window? |
Biza.io wishes to ask what the ACCC's future intentions are regarding support within the CDR of Dynamic Registration endpoints and whether they will be supported for publishing? In the latest standards there is an expectation that .well-known endpoints will be published (so it's "dummy dynamic") but dynamic registration is never mentioned. From what I can find in the Standards issues historically this decision was informed by ACCC to facilitate admission control. With this in mind Biza.io supports, for the case of expediency of Proof of Ecosystem, testing start using static registration information but suggests it is done so in context of eventually migrating to the adoption of OpenID Connect Dynamic Registration combined with OpenID Connect Federation. Biza.io wishes to note that static registration is not the only method to provide ACCC with the ability to provide a trust line from themselves to participants. Firstly, the shared CA which is separate discussion. Secondly, the 8th draft of the implementors draft for version 1.0 of the OpenID Connect Federation was released 4 weeks ago. OIDC Reg + Federation provides the following key advantages:
Consequently, in the context of the Static registration publication Biza suggests that the static registration data mirrors format's already established within these internationally adopted standards. This will allow future support in line with the international standards without requiring significant metadata rework in the published Static directory. In an effort to "put up or shut up", find openid-provider.txt an initial metamodel for an OpenID Provider schema object based on OpenID Connect Dynamic OP standards. |
Commonwealth Bank supports Dynamic Client Registration (as Open Banking UK has implemented). We strongly prefer this approach to static client registration. We also believe that Dynamic Client Registration would be compatible with the ACCC requirements for the Registry. The Open Banking Dynamic Client Registration profile is built on existing standards, which have been tested by industry. However, static client registration is a new concept that introduces new implementation risk through customisation. The proposed mechanism will rely on Data Holders updating their cached data to reflect changes made to the status of an Accredited Data Recipient (ADR). The proposed design does not include a central highly available Registry. This design will drive a number of complexities and subsequent design choices: These complexities mean that the Register may not communicate changes to a participant’s accreditation or data sharing status to Data Holders as expected or in a timely way. This will increase the number of scenarios in which a Data Holder may not update their cache, and the risk that the Data Holder will continue to share consumer data with the suspended (or terminated) Data Receiver. The risk is particularly acute, as more Data Holders become participants in the CDR. Commonwealth Bank recommends that the Registry is closely aligned to already existing and tested Standards (e.g. SCIM for exchanging identity details and the OIDC dynamic client registration Open Banking profile) to take advantage of a number of benefits including: Commonwealth Bank also recommends adoption of a highly available and scalable Registry (and Certificate Revocation List, or ‘CRL’) and Certificate Authority (CA) endpoints. Full description of the lifecycle of CDR participants is required in the documentation, including the on-boarding, suspension and revocation of participation. Data Holder/ Registry Authentication Details are required on how Data Holders should authenticate with the Registry endpoint, and how the Registry will authenticate with Data Holders in order to facilitate access to these APIs. Further clarity is also required regarding whether a Data Recipient’s accreditation status applies to the corporate entity and therefore all the CDR applications they develop, or whether accreditation applies to each separate Data Receiver application. We recommend adoption of the UK’s Registry model, which enables dynamic client registration. Certificate Revocation The Standards also omit technical details regarding: Incident Management |
This thread has been created to allow for feedback on the Register Client Registration process.
Client Registration requirements, registration process and associated sequence diagrams can be viewed at: https://cdr-register.github.io/register/#client-registration
The ACCC seeks input from the financial community on what rules and timings organisations currently use when caching security data.
The ACCC seeks input from the financial community on what their current processes are regarding dealing with compromised third parties.
A number of stakeholders commented on this aspect of the draft rules. The ACCC is currently considering these comments and the appropriate amendments to make to the rules in light of that feedback. To assist that process the ACCC is interested in views, via this forum, about:
(a) the types of security incidents where it would be appropriate to ensure that data requests are not sent or responded to;
(b) obligations on Data Holders and Accredited Data Recipients to notify the ACCC of security incidents that may affect the security of the CDR ecosystem – including the way that those incidents should be reported and a practical timeframe for that occurring.
All feedback is welcome.
The text was updated successfully, but these errors were encountered: