Internet-Draft | DataRight+ Security Profile: Baseline | September 2024 |
Low & Kolera | Expires 25 March 2025 | [Page] |
The DataRight+ Security Profile: Baseline is intended to be a compatible profile of the [CDS] presented as a profile of [FAPI-1.0-Advanced]. This profile focuses primarily on the obligations between Provider and Initiator with respect to authorisation requests and does so as an overlay on the underlying FAPI profile combined with the inclusion of specified authorisation types.¶
This profile does not attempt to provide elaboration on registration protocols, certificate profiles, federation or other components specified within the [CDS]. Further terminology used is deliberately jurisdiction agnostic, please refer to [DATARIGHTPLUS-ROSETTA] for specific ecosystem mappings.¶
The keywords "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 25 March 2025.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
This document specifies methods for the following:¶
This document does not seek to:¶
This specification uses the term "JSON Web Token (JWT)" as defined by [JWT] and the terms "Consumer", "Ecosystem Authority", "Initiator", "Personally Identifiable Information (PII)", "Provider", "User" as defined by [DATARIGHTPLUS-ROSETTA].¶
The specification also defines the following terms:¶
The resource server provided by Providers: 1. SHALL support the provisions specified in clause 5.2.2 of [FAPI-1.0-Baseline];¶
The resource server SHALL support the provisions specified in clause 6.2.2 of [FAPI-1.0-Baseline] with the following sections replaced:¶
Section 8.5 of [FAPI-1.0-Advanced] SHALL apply.¶
In addition:¶
Claims available via the profile scope will only return the details of the User which may be different to the Consumer.¶
Providers SHOULD explicitly capture Claims requested by the Initiator. If the data cluster or [OIDC] profile scope changes meaning in future this ensures the Provider only returns what the Consumer initially authorised to disclose.¶
Initiators SHOULD record the following information each time an authorisation flow is executed:¶
The following people contributed to this document:¶