Internet-Draft | DataRight+: Australian CDR Profile | April 2024 |
Low | Expires 5 October 2024 | [Page] |
This is the ecosystem profile for the Australian CDR describing the composite components to form the technical infrastructure operating to form the Australian Consumer Data Right. This specification is intended to result in a [CDS] compatible implementation.¶
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 5 October 2024.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
The scope of this document is intended to be the combinatorial outcome of a variety of specifications to achieve a compliant outcome within the Australian Consumer Data Right. Because this document relates to a specific ecosystem deployment it contains static configuration information.¶
This document does not seek to navigate the complexities of [CDR-RULES] but rather to establish a technical baseline to consider these in each implementors context.¶
This specification utilises the various terms outlined within [DATARIGHTPLUS-ROSETTA].¶
Providers are required to deliver authorisation and resource requirements. They are also required to integrate with the Ecosystem Authority in the prescribed way.¶
Providers MUST:¶
support the following acr
claim and validate the Consumer with the following values:¶
incorporate One-Time Passwords as part of the requirement to achieve the minimum acceptable value for the acr
claim and:¶
private_key_jwt
as described in section 9 of [OIDC-Core] with a client identifier of cdr-register
¶
scope
value of admin:metrics.basic:read
for all successful authentications of the cdr-register
client identifier¶
Note: The CDR currently mandates, essentially exclusively, the use of One-Time Passwords while restricting the introduction of additional "friction" via other factors. It is understood this is currently being reconsidered.¶
Providers operating within the Banking Sector MUST comply with the provisions outlined in [DATARIGHTPLUS-RESOURCE-SET-COMMON-00] and [DATARIGHTPLUS-RESOURCE-SET-BANKING-00].¶
Providers operating within the Energy Sector MUST comply with the provisions outlined in [DATARIGHTPLUS-RESOURCE-SET-COMMON-00] and [DATARIGHTPLUS-RESOURCE-SET-ENERGY-00].¶
In addition to the aforementioned requirements Providers MUST deliver protected resource(s), in accordance with [DATARIGHTPLUS-REDOCLY-ID1], as follows:¶
Resource Server Endpoint | Required Scope | Valid x-v
|
---|---|---|
GET /admin/metrics
|
admin:metrics.basic:read
|
5
|
In addition to the aforementioned requirements Providers MUST deliver protected resource(s), in accordance with [DATARIGHTPLUS-REDOCLY-ID1], as follows:¶
Resource Server Endpoint | Required Scope | Valid x-v
|
---|---|---|
GET /admin/metrics
|
admin:metadata:update
|
1
|
On requesting this endpoint the Provider MUST trigger a refresh of the information obtained from the Ecosystem Directory.¶
Initiators are required to comply with Ecosystem Authority requirements and integrate with Providers in prescribed ways.¶
Within the Australian CDR Initiators are commonly referred to as Software Products.¶
Initiators MUST:¶
Initiators MUST access Provider resource server infrastructure in accordance with:¶
The Electricity Plan Website MUST comply with the relevant provisions outlined within [DATARIGHTPLUS-RESOURCE-SET-ENERGY-00].¶
The Electricity Plan Website for the Australian CDR is Energy Made Easy operated by the Australian Energy Regulator.¶
The following outlines the currently understood endpoint configuration for the Australian CDR ecosystem:¶
Where One-Time Password OTP are in use the generation method SHOULD incorporate controls, such as retry limits, to minimise the risk of enumeration attacks.¶
The following people contributed to this document:¶
We acknowledge the contribution to the [CDS] of the following individuals:¶