ACCC & DSB | CDR Implementation Call Agenda & Minutes | 11 September 2025 - ConsumerDataStandardsAustralia/standards GitHub Wiki

Agenda

Sign up: Sign Up
When: Fortnightly on Thursdays at 3pm-4:30pm (Canberra time)
Location: Microsoft Teams (dial in details are below)

Join on your computer, mobile app or room device
Click here to join the meeting
Meeting ID: 426 030 545 881 4
Passcode: 5d7Kp73X
Download Teams | Join on the web

Dial in by phone
+61 2 9161 1229,,538826932# Australia, Sydney
Find a local number
Phone conference ID: 538 826 932#

Join on a video conferencing device
Tenant key: [email protected]
Video ID: 135 792 992 7


Agenda

  1. Introductions
  2. House Keeping
  3. CDR Stream updates
  4. General Updates
  5. Presentation
  6. Q&A
  7. Any other business

Introductions

  • 5 min will be allowed for participants to join the call.
  • This call is jointly facilitated by the ACCC and the DSB, and we welcome observers from APRA, OAIC and the Treasury.

Acknowledgement of Country

We acknowledge the Traditional Custodians of the various lands on which we meet today and pay our respects to their Elders past and present.

House Keeping

Recording

The Consumer Data Right Implementation Calls are recorded for note taking purposes only. Recordings and transcripts are kept securely. No identifying material is provided without the participant's consent. Participants may email [email protected] with any questions or a request to have material redacted from the record.

Community Guidelines

By participating in the Consumer Data Right Implementation Call you agree to the Community Guidelines. These guidelines intend to provide a safe and constructive space for members to discuss implementation topics with other participants and members of the ACCC and Data Standards Body.

CDR Stream Updates

Provides a weekly update on the activities of each CDR stream and their work.

Organisation Stream Member Minutes
No Updates

General Updates

⭐ indicates change from last week.

Type Updated Links
Standards Version 1.35.0

Note: The DSB is in the final stages of getting approval to publish the consultation for Maintenance Iteration 23 (MI23), which has concluded. The consultation will be published either by the end of the week or early next week, pending the internal review and the Chair's approval. This will allow a further 28 days of consultation on the changes that have been proposed as part of MI23.
Published: 29 July 2025
Change log
Maintenance ⭐ Maintenance Iteration 24 concluded on 3 September 2025.

The changes will be published for a further 28 days of consultation. You can view meeting notes from the previous calls here.
Maintenance ⭐ Change to Maintenance Release Process
The DSB is currently revising how we implement maintenance releases due to audit review findings and direct feedback from external parties.

This will mean that the MI 24 maintenance release will be the last to be carried out in the current format. While we are in a transition phase, we ask that you still maintain the current processes for raising issues or changes in the system, where they will be added to our prioritisation list for evaluation and appropriate action.

The changes will be announced pretty soon, so keep an eye out on the DSB newsletter for further information on the changes.
DSB Newsletter ⭐ The DSB Newsletter is published fortnightly; the next edition will be published on September 19 2025.

Presentation

None this week.

Q&A

Questions will be received by the community via Microsoft Teams chat before the questions are opened to the floor. Participants can submit questions outside of the CDR Implementation Call to the CDR Support Portal.

In regards to topics for questions, we ask the participants on the call to consider the Community Guidelines when posing questions to the subject matter experts.

To view questions and answers from previous CDR Implementation Calls, click here.

Answers provided

Ticket # Question Answer
2496 Clarification on Transaction Security Update - Cipher Suites Compliance
Question:
Can you confirm whether, after 17 March 2025, Data Holders are required to support all ciphers recommended in the BCP 195 documentation, or do they have discretion in selecting which ciphers to support? Specifically, would it be acceptable for a Data Holder to support only the following two cipher suites from the BCP 195 list?
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Answer:
Based on the current status, it is likely to be acceptable to only support those cipher suites as they are two of the four recommended, and section 4.2.1. Implementation Details of RFC9325 states "Clients SHOULD include TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as the first proposal to any server."
2499 Clarification on disabling the hybrid flow and allowing only the ACF
Question:
  1. Do the standards recommend any specific error code & error description if an ADR attempts the Hybrid flow auth call OR are we ok with HTTP error response 400 with a meaningful error message?
  2. Do we also need to error out hybrid flow DCR requests?
  3. We currently still have ADRs registered with us as hybrid flow profile.
    1. Are they supposed to do a DCR delete and re-register with us with ACF profile? OR Their profile will stay as-is just that their authorization call will be ACF?
    2. Do we as DHs need to take any actions on these profiles?
  4. ACF has been mandated for Data Recipients post 12th May 2025, so if we go live with this change earlier then we will need to error out the hybrid flow authorization calls specifically for those ADRs
Answer:
  1. Please refer to the standards. There are no error codes specific to this scenario in the standards as the normative standards apply. In this case I think you may be referring to [PAR].
  2. After 12 May 2025, hybrid flow should not be supported.
  3. ADRs should not delete their registration, as that would trigger arrangement revocation at the DH. They should update their registration via the Update DCR endpoint.
    You may wish to encourage ADRs to update their registration if they intend to continue sending authorisation requests.
  4. It should be possible to support both flows until hybrid is retired. Negotiation of supported types is handled through the discovery document, PAR and authorisation endpoints.
2552 DigiCert ONE Transition & Compatibility
Question:
Clarification regarding the upcoming transition to DigiCert ONE platform and the issuance of new Intermediate CA ("CDR Intermediate CA 2025") for the ACCC issued certificates. For upcoming renewal:
  • Will we receive only new ICA-signed certificates from the new platform, or will we receive 2 certificates, one from the old platform and another from the new platform?
  • How is backward compatibility ensured for Data Recipients during the transition period, or is there an expectation that data holders must update trust stores or validation logic?
  • Will a test environment with the new certificates be available for testing and if so when would it be available?
  • Is there an ACCC recommended approach to handle multiple certificate validation for the same domains, or is ACCC coming up with new guidance?
Answer:
Please follow this link for more detailed information on the transition to DigiCert.
2576 Clarification of rules around Tokens and Claims
Question:
v1.32 of the standards had a rule within Hybrid Flow requirements stating:
"The ID Token returned from the Authorisation End Point MUST NOT contain any PI claims."

With v1.33 this moved into the Baseline ID Token Requirements and now states:
"ID Tokens MUST NOT contain any PI claims"

The original rule was limited to a specific portion of hybrid flow (authorisation endpoint), because the ID token would be sent in a less secure way, but there was no such restriction on the ID token that was obtained later in the workflow where it's directly given to the ADR in an MTLS connection.

That later stage (token endpoint) was similar for both hybrid flow and code flow and was even explicitly expected in this Zendesk article.

With the PI rule moved to baseline requirements, this changes to make it also apply to the token endpoint ID token.
Answer:
This change occurred as part of retiring Hybrid Flow in v1.33.0 as a result of issue #666, which was included in Maintenance Iteration 21.

As of 12 May 2025, hybrid flow is no longer supported.

There are some notes in the Version Delta here.
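
For ticket 2496, a Data Holder can confirm which TLS 1.2 suites its endpoint will actually offer. The following is an added example, not part of the DSB or ACCC material: it uses Python's ssl module and the four suites recommended in RFC 9325 section 4.2, and the helper names and the IANA-to-OpenSSL name mapping are this example's own.

```python
import ssl

# The four TLS 1.2 suites recommended by RFC 9325 (BCP 195), section 4.2,
# as IANA name -> OpenSSL name (the form Python's ssl module expects).
BCP195_RECOMMENDED = {
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
}

# The two suites asked about in ticket 2496.
TICKET_2496_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]


def build_server_context(iana_suites):
    """Server context limited to the given BCP 195 suites (hypothetical helper)."""
    unknown = [s for s in iana_suites if s not in BCP195_RECOMMENDED]
    if unknown:
        raise ValueError(f"not in the BCP 195 recommended list: {unknown}")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() governs TLS 1.2 and below; OpenSSL manages TLS 1.3 suites separately.
    ctx.set_ciphers(":".join(BCP195_RECOMMENDED[s] for s in iana_suites))
    return ctx


def tls12_suites(ctx):
    """OpenSSL names of the pre-TLS 1.3 suites the context will offer."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(ctx):
    """List enabled pre-TLS 1.3 suites and any outside the four recommended."""
    allowed = set(BCP195_RECOMMENDED.values())
    enabled = tls12_suites(ctx)
    return {"enabled": enabled,
            "outside_bcp195": [n for n in enabled if n not in allowed]}


if __name__ == "__main__":
    print(audit(build_server_context(TICKET_2496_SUITES)))
```

Running `audit()` on the context a deployed service really uses shows whether anything beyond the intended suites is still enabled.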
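
For ticket 2576, a Data Holder can check the ID tokens its token endpoint issues against the baseline rule. This is an added example, not part of the standards or the DSB's answer: the set of claim names treated as PI is an assumption drawn from the OpenID Connect Core standard claims (the page does not list them), the sample tokens are constructed, and the payload is read without verifying the signature, so it suits a conformance test on tokens you issued rather than token validation.

```python
import base64
import json

# ASSUMPTION: claim names treated as "PI claims" for this check, taken from the
# OpenID Connect Core standard claims. Replace with the set the standards define.
ASSUMED_PI_CLAIMS = frozenset({
    "name", "given_name", "family_name", "middle_name", "nickname",
    "preferred_username", "email", "phone_number", "birthdate",
    "gender", "address", "picture",
})


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jws_payload(token):
    """Decode the claims of a compact JWS without verifying its signature."""
    parts = token.split(".")
    if len(parts) == 5:
        raise ValueError("compact JWE: decrypt to the inner JWS before checking")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def pi_claims_in_id_token(token):
    """Return the assumed-PI claim names present in the ID token, sorted."""
    return sorted(ASSUMED_PI_CLAIMS.intersection(jws_payload(token)))


def constructed_token(claims):
    """Build an unsigned sample token for this example (not a real ID token)."""
    header = _b64url(json.dumps({"alg": "PS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.constructed-signature"


# Constructed samples: one compliant token-endpoint ID token, one that leaks PI.
BASE = {"iss": "https://dh.example", "sub": "a1b2c3", "aud": "client-1",
        "iat": 1757548800, "exp": 1757549100}
CLEAN = constructed_token(BASE)
LEAKY = constructed_token({**BASE, "given_name": "Sample", "family_name": "Person"})

if __name__ == "__main__":
    print(pi_claims_in_id_token(CLEAN), pi_claims_in_id_token(LEAKY))
```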

Any Other Business

Attendees are invited to raise topics related to the Consumer Data Right that would benefit from the DSB's and ACCC's consideration.

Minutes from 28 August Implementation Call: https://github.com/ConsumerDataStandardsAustralia/standards/wiki/ACCC-&-DSB-%7C-CDR-Implementation-Call-Agenda-&-Minutes-%7C-28-August-2025

The Next CDR Implementation Call

25 September 2025

Thursday, 3:00pm (Canberra Time)

Useful Links

View a number of informative and useful links in the Consumer Data Standards Guide on Information Links.
