DSB Maintenance Iteration 15: Agenda & Minutes (3 May 2023) - ConsumerDataStandardsAustralia/standards GitHub Wiki
Date and time: 03/05/2023, 2:00pm – 4:00pm AEST
Location: Microsoft Teams Meeting
Dial-in details:
- https://teams.microsoft.com/l/meetup-join/19%3ameeting_MzkxYjlkY2EtYzI0Mi00M2E2LWEzMGQtY2Y5ZmY2ODZjMjI2%40thread.v2/0?context=%7b%22Tid%22%3a%22214f1646-2021-47cc-8397-e3d3a7ba7d9d%22%2c%22Oid%22%3a%2257cd8c59-9b50-4670-bc85-25281a11ec8d%22%7d
- Meeting ID: 473 910 562 836
- Passcode: Jmsgnq
- Dial In Number: +61 2 9161 1229
- Phone Conference ID: 186 427 655#
Chair: Brian Kirkpatrick, DSB
Maintenance overview: Further information
Maintenance project board: See here
Decision Proposal: This maintenance iteration is being consulted on under Decision Proposal 303: Maintenance Iteration 15
Housekeeping
Recording
The Maintenance Iteration Calls are recorded for note taking purposes only. All recordings are kept securely, as are the transcripts which may be made from them. No identifying material will be provided without the participant's consent. Participants may email [email protected] should they have any further questions or wish to have any material redacted from the record.
Acknowledgement of Country
We acknowledge the Traditional Custodians of the various lands on which we work today and the Aboriginal and Torres Strait Islander people participating in this call.
We pay our respects to Elders past, present and emerging, and recognise and celebrate the diversity of Aboriginal peoples and their ongoing cultures and connections to the lands and waters of Australia.
Agenda
- Introductions
- Release plan
- Open Consultations
- Future Plan
- Playback Maintenance Iteration 14 Retrospective
- Outstanding Actions
- Maintenance Iteration 15 Candidates
- Any other business
Meeting notes
Introductions
The purpose of this meeting is to:
- Play back responses to the Maintenance Iteration 14 Retrospective Survey
- Groom the backlog to discuss iteration candidates for Maintenance Iteration 15
Release plan
- Current version of the standards is 1.23.0 published on 14 April 2023, refer to the release notes for details
- Version 1.24.0 release of the standards, incorporating changes consulted on in Maintenance Iteration 14, is in progress and will be posted on standards staging for review when available.
Open Consultations
The following Consultations are open for community feedback
Consultation | Closing date |
---|---|
Decision Proposal 229 - CDR Participant Representation | Placeholder: no close date Link to consultation |
Decision Proposal 267 - Telco Data Language | TBD Link to consultation |
Noting Paper 276 - Proposed V5 Rules: Standards Impacts | TBD Link to consultation |
Decision Proposal 288 - Non-Functional Requirements Revision | Extended to 12 May 2023 Link to consultation |
Noting Paper 289 - Register Standards Revision | Extended to 12 May 2023 Link to consultation |
Decision Proposal 302 - Telco Draft Feedback Cycle 2 | TBD Link to consultation |
Future Plan
Review of April-June Quarter and new changes: https://github.com/orgs/ConsumerDataStandardsAustralia/projects/23
Playback Maintenance Iteration 14 Retrospective
The DSB is trialling a new way to gain Retrospective insight for Maintenance Iterations by using a survey.
Jarryd Judd will playback the findings in this session.
Outstanding Actions
NOTE: Where a :bulb: appears it indicates the Action will be discussed later in the Agenda under Maintenance Iteration 15 Candidates.
InfoSec
- DSB to seek legal advice on the enforceability or the binding status of the standards versus an implementation guide with regard to Issue #522 OpenID Provider Configuration End Point parameter requirements.
  - In progress :bulb:
- Issue 576 DSB to advise if the following interpretation is correct and to make an announcement in the Implementation Call to make it clear to ADRs.
  - FAPI phase 4: it has been interpreted that existing clients who have already registered with a data holder must update their registration to indicate if they want to receive data in Signed format or Signed+Encrypted format. Is this correct and aligned with the intention of the DSB?
    - Yes. ADRs will have to update their client registration in accordance with FAPI 1.0. Where the client no longer registers OIDC Hybrid Flow, they can discontinue use of ID token encryption. If the client continues to utilise OIDC Hybrid Flow (where Data Holders continue to offer it), then ID token encryption must also be registered.
    - Response provided at the Implementation Call on 20/04/2023:
      - ADRs are reminded we're entering a three month phase to transition from the hybrid flow to the authorization code flow (ACF). During that time, DH will be supporting both flows. The intention of this phasing period is for ADRs to test software products using the ACF with a fall back mechanism to hybrid flow. Any issues encountered can be resolved during transition. Once transition is complete the hybrid flow can be deprecated. ADRs are encouraged to test their implementation of ACF by updating client registrations with each DH before the 10th of July when DHs will only be required to support ACF.
Maintenance Iteration 15 Candidates
The items tabled below have been carried over from MI14. The DSB invites participants to propose items for consideration and prioritisation. You can do this by posting a comment on Decision Proposal 303 and attending the meeting on 3 May to provide context and detail on your requirements in support of your request.
Domain | # | Issue | Proposal Status | Change Proposed | Standards Staging link |
---|---|---|---|---|---|
MI 15 | 586 | Maintenance Iteration 15 Holistic Feedback | | | |
InfoSec | 522 | OpenID Provider Configuration End Point parameter requirements | Carried over from MI14 | | |
Banking | 567 | BankingProductLendingRateV2 - Lending Rates - FIXED/INTEREST_ONLY period end date cannot be determined | Carried over from MI14 | | |
Banking | 569 | Home Loan Revert rate and product is not available | Carried over from MI14 | | |
Schema | 538 | Payload conventions; optional fields with null values aren't defined in schemas | Carried over from MI14 | | |
Schema | 413 | 400 Error code missing in swagger for some endpoints | Proposed in MI14 but not addressed | | |
Other Business
Meeting Minutes
Playback Maintenance Iteration 14 Retrospective
ADDED TO THE MINUTES ON 10/05/2023
On this occasion the MI14 Retrospective was conducted via a survey. Only one response was received before the MI call. The survey was extended to COB 05/05/2023 for anyone wanting to contribute; no further responses were provided.
Q. What should the team start doing?
A. "Action urgent change requests (e.g. CR576 and CR547 in MI13) with greater priority, it is difficult to ensure compliance with the CDS when they are changed on the day of implementation (e.g. FAPI Phase 3)"
DSB acknowledged these challenges; however, the last two URGENT changes related to transitional elements that are not well understood and were only discovered during implementation. As a group, more thought and commitment to the analysis is required from participants during the consultation period of the original change. This will ensure these gaps can be identified and resolved before the standards and associated transition plans are formulated and published, eliminating the need for last-minute URGENT changes.
Outstanding Actions
InfoSec
- DSB to seek legal advice on the enforceability or the binding status of the standards versus an implementation guide with regard to Issue #522 OpenID Provider Configuration End Point parameter requirements.
  - In progress
- Issue 576 DSB to advise if the following interpretation is correct and to make an announcement in the Implementation Call to make it clear to ADRs.
  - FAPI phase 4: it has been interpreted that existing clients who have already registered with a data holder must update their registration to indicate if they want to receive data in Signed format or Signed+Encrypted format. Is this correct and aligned with the intention of the DSB?
    - Yes. ADRs will have to update their client registration in accordance with FAPI 1.0. Where the client no longer registers OIDC Hybrid Flow, they can discontinue use of ID token encryption. If the client continues to utilise OIDC Hybrid Flow (where Data Holders continue to offer it), then ID token encryption must also be registered.
    - Response provided at the Implementation Call on 20/04/2023:
      - ADRs are reminded we're entering a three month phase to transition from the hybrid flow to the authorization code flow (ACF). During that time, DH will be supporting both flows. The intention of this phasing period is for ADRs to test software products using the ACF with a fall back mechanism to hybrid flow. Any issues encountered can be resolved during transition. Once transition is complete the hybrid flow can be deprecated. ADRs are encouraged to test their implementation of ACF by updating client registrations with each DH before the 10th of July when DHs will only be required to support ACF.
Maintenance Iteration 15 Candidates
The issues tabled below were discussed with participants; the outcome is reflected in the status column.
Domain | # | Issue | Description | Status | Link |
---|---|---|---|---|---|
MI 15 | 586 | Maintenance Iteration 15 Holistic Feedback | Maintenance Iteration Holistic Decision Proposal | Decision Proposal | Placeholder |
InfoSec | 522 | OpenID Provider Configuration End Point parameter requirements | Discussion covered both options (1) Prescriptive CDS documentation and (2) Referral to upstream standards. | Candidate | Staging TBC |
InfoSec | 559 | FAPI 1.0 Final Phase 3 Obligation example for authorisation request using the Authorisation Code Flow does not have "response_mode" attribute | Documentation Fix. | Candidate | Staging TBC |
Banking | 567 | BankingProductLendingRateV2 - Lending Rates - FIXED/INTEREST_ONLY period end date cannot be determined | Changes will be proposed in a Decision Proposal | Decision Proposal | Placeholder TBC |
Banking | 569 | Home Loan Revert rate and product is not available | Changes will be proposed in a Decision Proposal | Decision Proposal | Placeholder TBC |
Banking | 536 | Define new toUType value to relevant schemas | Added to iteration candidates | Candidate | Staging TBC |
Banking | 585 | Clarify Base and Adjustment Rate Types | Added to iteration candidates | Candidate | Staging TBC |
Banking | 584 | Flag for account(s) not shared | Considered a large change. Specific Decision Proposal recommended approach | Decision Proposal | Placeholder TBC |
Schema | 538 | Payload conventions; optional fields with null values aren't defined in schemas | To be considered along with 413, 578. | Candidate | Staging TBC |
Schema | 578 | Native OAS Versioning Support | To be considered along with 413, 583. | Candidate | Staging TBC |
Schema | 413 | 400 Error code missing in swagger for some endpoints | To be considered along with 538, 578. | Candidate | Staging TBC |
Schema | 575 | Inconsistency of data types in various schema | Added to iteration candidates | Candidate | Staging TBC |
Register | 581 | ADR ability to remove DCR without clientId | Changes will be proposed in a Decision Proposal | Decision Proposal | Placeholder TBC |
NFR | 554 | OTP NFR added to the Consumer Data Standards | Participants concluded it would be sensible to defer further consultation, subject to the outcomes of Decision Proposal 288 - Non Functional Requirements Revision and Noting Paper 280 - CX of Authentication Uplift. | Out of Scope | Refer comment for further links. |
Other Business
FAPI 1.0 Phase 4 Retire Hybrid Flow Future Dated Obligations July 10th 2023
New Actions
None
Next Steps
DSB will progress analysis on solution proposals for the candidates and invites the community to post comments for consideration on candidates and issues requiring Decision Proposals.