DSB Maintenance Iteration 9: Agenda & Meeting Notes (01 December 2021) - ConsumerDataStandardsAustralia/standards GitHub Wiki
Date and time: 01/12/2021, 2pm - 3.30pm AEDT (1pm - 2.30pm AEST)
Location: WebEx
Dial-in details:
- https://treasuryau.webex.com/treasuryau/j.php?MTID=m6786d3cadd2da38bd3ae2bf7cca07212
- Dial In Number: +61 2 9338 2221
- Dial In Access Code: 265 1917 2241
- Quick Dial: +61-2-9338-2221,,26519172241##
Chair: Mark Verstege
Maintenance overview: Further information
Maintenance project board: See here
Decision Proposal: This maintenance iteration is being consulted on under Decision Proposal 212
- Wait 5 minutes for all participants to join. Kickoff at 2:05pm (AEDT)
- Outstanding Actions
- Release plan: schedule of forwards looking standards releases
- Open Decision Proposals: key consultation dates
- Iteration 9 change request candidates
- Any other business
Meeting notes
This week is the ninth and final call of the 9th maintenance iteration. The purpose of the meeting is to finalise changes arising from the 9th maintenance iteration and agree on future dated obligations for breaking changes.
- Allow 5 min for participants to join
- Housekeeping
- Overview, purpose and intended outcomes of the meeting
- ANZ to create a change request to better support cursors for returning large result sets.
- (Issue #292) [IN PROGRESS] DSB to propose strawman solution
- (Issue #291) [IN PROGRESS] DSB to propose strawman solution
- (Issue #418) DSB will consult on a long-term strategic solution to resolve this issue however a short-term solution needs to be embedded to supports ADRs and DHs during the transition
- (Issue #418) DSB to verify that the ACCC can or is providing an operational process to distribute ADR domain lists to DHs ahead of activation and DCR requests
- (Issue #426) [IN PROGRESS] DSB to discuss with ADRs whether any are currently allowing token reuse
- (Issue #428) [IN PROGRESS] DSB to discuss CTS support for audience claim value for DHs calling the ADR revocation endpoint
- (Issue #428) [IN PROGRESS] DSB to confirm that the ACCC is updating the CTS to test the proposed wording, not the current wording
- (Issue #433) [IN PROGRESS] DSB to continue discussions with the ACCC on the CTS changes and provide a response back to the community
- v1.14.0 was published on the 29th of October 2021: Energy API standards
- v1.15.0: DP 209, DP 216 and DP 212
- v1.16.0: Not currently planned
The following decision proposals are open for community feedback
DP # | Closing date | DP |
---|---|---|
216 | Closed | Decision Proposal 216 - Profile Scope Support |
209 | Closed | Decision Proposal 209 - Transition to FAPI 1.0 Advanced Profile |
162 | Closed | Decision Proposal 162 - CX Standards | Joint Accounts |
222 | Closed | Decision Proposal 222 - CX Standards | Insights and Trusted Adviser Disclosure Consents |
225 | 18/02/2022 | Decision Proposal 225 - Data Recipient Security Standards |
211 | Pending | Decision Proposal 211 - Scope of Risk-based Authentication and Identity Proofing Framework, Threat and Attack Model |
210 | Pending | Decision Proposal 210 - Transition to FAPI 2.0 Profile |
203 | No closing date | Normative Standards Review (2021) |
158 | Closed | Decision Proposal 158 - Participant capability discovery |
Review of Q4 and new changes: https://github.com/ConsumerDataStandardsAustralia/future-plan/projects/1
All open change requests can be found here:
- Maintenance Iteration 9 extended until 1st December 2021
- Maintenance Iteration 10 will commence 16th Feb 2022
The following issues have been consulted on during this iteration. The current status is summarised.
Standards Maintenance Issues
Source | # | Sector | Change Request | Decision | Change Status | Future Dated Obligation (FD) |
Affected Schema (if applicable) |
Affected Endpoint (if applicable) |
Recommendation |
---|---|---|---|---|---|---|---|---|---|
Standards Maintenance | Issue 150 | Banking | A loan may have no end date but loanEndDate is mandatory | Change Recommended | Breaking Change | TBD | BankingLoanAccount | Get Account Details (v1 -> v2) | Change repaymentFrequency, loanEndDate and nextInstallmentDate fields to be optional. |
Standards Maintenance | Issue 291 | Banking | Credit card loyalty program data: significant gaps and lack of structure | Carry Over to Maintenance Iteration 10 | N/A | N/A | BankingProductDetailV3 BankingAccountDetail |
Get Product Detail (v3 -> v4) Get Account Detail (v1 -> v2) |
Proposes changes to better support loyalty schemes |
Standards Maintenance | Issue 292 | Banking | Credit card balance plans and payment hierarchy: inadequate information within the CDS | Carry Over to Maintenance Iteration 10 | N/A | N/A | BankingProductDetailV3 BankingAccountDetail |
Get Product Detail (v3 -> v4) Get Account Detail (v1 -> v2) |
Proposes changes to supported multiple payment plans and balances |
Standards Maintenance | Issue 391 | Common | Remove requirement for at least one address in physicalAddresses array | Change Recommended | Breaking Change | TBD | CommonPersonDetail CommonOrganisationDetail |
Get Customer Detail (v1 -> v2) | Proposed change to remove requirement of at least one address to be returned. Feedback from DHs has indicated that this is not always possible when the address held on record is invalid |
Standards Maintenance | Issue 396 | Banking | Define new Digital Wallet Payee Type to relevant schemas | Change Recommended | Breaking Change | TBD | BankingPayee BankingPayeeDetail |
Get Payees (v1 -> v2) Get Payee Detail (V1 -> v2) |
Extend payee support for provider-agnostic digital wallets. Get Payees v2 and Get Payee Detail v2 future-dated obligation TBD 2022. Data Holders can support v2 as early as is practical but no later than TBD 2022. Retirement of v1 APIs 1 month after v2 FDO (i.e., any time after one month after v2 FDO). |
Standards Maintenance | Issue 401 | Banking | Extending the list of supported feature types | Change Recommended | Breaking Change | TBD | BankingProductFeature | Get Product Detail (v3 -> v4) Get Account Detail (v1 -> v2) |
Proposes changes to supported feature types |
Standards Maintenance | Issue 402 | Banking | Support for multiple additional information documents | Change Recommended | Non-Breaking Change | None | BankingProductV3 | Get Products (v3 -> v4) Get Product Detail (v3 -> v4) |
Proposes changes to supported multiple additional product documents |
Standards Maintenance | Issue 404 | Banking | Profile scope not aligned with CX standards | Consulted on in DP216 | Breaking Change | Refer to DP216 | N/A | ID Token OIDC UserInfo endpoint |
This issue will be consulted on in Decision Proposal 216 - Profile Scope Support given the breadth of the standards changes |
Standards Maintenance | Issue 407 | Common | Align data quality NFR with Privacy Safeguard 11 | Change Recommended | Non-Breaking Change | Immediate | N/A | N/A | Changes to Data Quality NFRs working in line with OAIC feedback regarding data quality requirements in relation to Privacy Safeguard 11 |
Standards Maintenance | Issue 419 | Energy | Modification of energy billing and invoicing enumeration values | Change Recommended | Non-Breaking Change | None | EnergyInvoiceListResponse EnergyBillingListResponse |
Energy billing & invoice endpoints | - |
Standards Maintenance | Issue 420 | Energy | Modification of energy account enumeration values | Change Recommended | Non-Breaking Change | None | EnergyAccountDetail | Energy account endpoints | - |
Standards Maintenance | Issue 421 | Energy | Review of rates in energy account payload | Change Recommended | Non-Breaking Change | None | EnergyAccountDetail | Energy account endpoints | - |
Standards Maintenance | Issue 422 | Energy | Energy C&I tariff extensions | Change Recommended | Non-Breaking Change | None | EnergyAccountDetail EnergyInvoiceListResponse EnergyBillingListResponse |
Energy account endpoints Energy billing & invoice endpoints |
- |
Standards Maintenance | Issue 423 | Energy | Review of demand charges in energy billing transactions | Change Recommended | Non-Breaking Change | None | EnergyBillingListResponse | Energy billing & invoice endpoints | - |
Standards Maintenance | Issue 432 | Energy | EnergyPlanSolarFeedInTariff.tariffUType enum contains incorrect values | Change Recommended | Non-Breaking Change | None | EnergyPlanResponse | Generic Tariff endpoints | - |
Standards Maintenance | Issue 438 | Energy | Representing adjustment transactions within the Billing Payload for C&I customers | Carry Over to Maintenance Iteration 10 | Non-Breaking Change | None | EnergyBillingListResponse | Energy billing & invoice endpoints | |
Standards Maintenance | Issue 439 | Energy | Review Pricing Model & Time Zone attributes within Account Detail Payload | Carry Over to Maintenance Iteration 10 | Non-Breaking Change | None | EnergyAccountDetail | Energy account endpoints | |
Standards Maintenance | Issue 395 | InfoSec | Does DHs' PAR endpoint require enabling private key jwt client authentication in addition to request object validation? | Not Supported | No Change | N/A | N/A | N/A | No change |
Standards Maintenance | Issue 397 | InfoSec | Transaction Security Ciphers | Not Supported | No Change | N/A | N/A | N/A | Defer to FAPI 1.0. The change proposed by the DSB to defer to FAPI standards will be included in the DP 209 consultation. Standards will be changed in accordance to the schedule for FAPI 1.0 adoption |
Standards Maintenance | Issue 405 | InfoSec | Alternative mechanisms for OTP | 2022 Decision Proposal for Authentication Uplift | N/A | N/A | N/A | N/A | This change requires a DP including CX. The DSB needs to support Macquarie with C&E to enable them to remain live with an exemption in the meantime. |
Standards Maintenance | Issue 406 | InfoSec | Change Request to make 'scope' optional in the token end-point response in FAPI | Not Supported | No Change | N/A | N/A | oAuth Token endpoint | Retain current requirement for scope support. Alignment to FAPI 1.0 (Final) requirements for the scope value will be included in the DP 209 consultation. Standards will be changed in accordance to the schedule for FAPI 1.0 adoption |
Standards Maintenance | Issue 426 | InfoSec | Recipient Arrangement Revocation Endpoint exposed to Mixup Attack | Change Recommended | Breaking Change | TBC | N/A | ADR CDR Arrangement Revocation Endpoint | Standards to clarify tokens are single use and adopt Option 2 proposed by Biza to minimise attack vector. A Decision Proposal will be consulted on in 2022 to consider long-term strategic options for secure notifications and ADR callback event messaging. |
Standards Maintenance | Issue 428 | InfoSec | CTS incorrectly implements Data Holder Initiated Revocation | Change Recommended | Breaking Change | TBC | N/A | ADR CDR Arrangement Revocation Endpoint | Adopt proposal by Biza with a phase in date for ADRs. Incident management processes are recommended for use by Data Holders to open support incidents during the itervening period. |
Standards Maintenance | Issue 430 | InfoSec | [CDS Spec documentation bug- Is x-fapi-auth-date header mandatory or optional] | Change Recommended | Non-Breaking Change | None | N/A | Authenticated resource endpoints | Issue has been clarified as a documentation fix. This will change the resource endpoints to make the header mandatory. However, not all customers are authenticated by ADRs. Should this be conditional based on the authentication of the user by the ADR? Absent if the user is not authenticated? |
Standards Maintenance | Issue 434 | InfoSec | Update Authorize request non-normative example | Change Recommended | Non-Breaking Change | None | N/A | N/A | Documentation Fix |
Standards Maintenance | Issue 435 | InfoSec | Nominated representative end user for non-individual consumers | Carry Over to Maintenance Iteration 10 | N/A | N/A | Design is still under consultation. Dependent on the outcome of DP216. Will require custom userRole and roleType fields be supported as custom claims | ||
Standards Maintenance | Issue 418 | Register | CDR Data Holders outbound connection whitelisting | Change Recommended | Non-Breaking Change | None | Clarification has been provided that manual whitelisting is prohibited. A Decision Proposal will be raised in 2022 to consult on long-term whitelisting processes. | ||
Standards Maintenance | Issue 424 | Register | API Uplift for Data Holder Multi-Sector support | Change Recommended | Non-Breaking Change | N/A | |||
Standards Maintenance | Issue 425 | Register | API Uplift for Data Recipient Multi-Sector support | Change Recommended | Non-Breaking Change | N/A | |||
Standards Maintenance | Issue 431 | Register | Register participant statuses do not detail data holder behaviour when ADR is revoked and SP inactive | Carry Over to Maintenance Iteration 10 | N/A | None | |||
Standards Maintenance | Issue 433 | Register | Data Holder behaviour is not defined when a software product id goes "missing" | Change Recommended | Non-Breaking Change | None | Documentation Fix | ||
Standards Maintenance | Issue 440 | Register | CDR Register OpenID Configuration does not specify token signing algorithm support | Change Recommended | Non-Breaking Change | None | Documentation Fix | ||
Standards Maintenance | Issue 441 | Register | RegisterDataHolderAuth schema in GetDataHolderBrands descriptions to be clarified | Change Recommended | Non-Breaking Change | None | Documentation Fix | ||
Standards Maintenance | Issue 442 | Register | Documentation improvement: JWT Signature verification requirements during the DCR flows | Change Recommended | Non-Breaking Change | None | Documentation Fix | ||
Standards Maintenance | Issue 443 | Register | SSA definition: Deprecation of revocation_uri | Carry Over to Maintenance Iteration 10 | N/A | N/A | |||
Standards Maintenance | Issue 444 | Register | Add an unauthenticated GetDataHolderBrands endpoint exposed as a public API | Carry Over to Maintenance Iteration 10 | Non-Breaking Change | N/A |
- Address any other business arising from the community
Standards Maintenance Issues
-
Banking issues
-
Issue 150: A loan may have no end date but loanEndDate is mandatory
- No feedback offered on proposed obligation dates. DSB to provide a proposal for progression.
- Discussed conditional vs optional. The change will remain as is defining the fields as optional which still requires data to be provided when held by the DH. Optional does not mean the DH has the discretion to omit consumer data.
-
Issue 291:Credit card loyalty program data: significant gaps and lack of structure
- Agreed to carry over to Maintenance Iteration 10
-
Issue 292: Credit card balance plans and payment hierarchy: inadequate information within the CDS
- Agreed to carry over to Maintenance Iteration 10
-
Issue 396: Define new Digital Wallet Payee Type to relevant schemas
- Desire for DHs to support changes as soon as possible. Some DHs aiming for Q1 2022 support
- No feedback offered on mandatory obligation dates. DSB to provide a proposal for progression.
-
Issue 401: Extending the list of supported feature types
- No feedback offered on proposed obligation dates. DSB to provide a proposal for progression.
-
Issue 402: Support for multiple additional information documents
- No feedback offered on proposed obligation dates. DSB to provide a proposal for progression.
-
-
Energy issues
-
Issue 419: Modification of energy billing and invoicing enumeration values
- Origin noted there was a typo in the change proposed. DSB noted and will correct the typo
- Change accepted, no obligation date
-
Issue 420: Modification of energy account enumeration values
- Change accepted, no obligation date
-
Issue 421: Review of rates in energy account payload
- Change accepted, no obligation date
-
Issue 422: Energy C&I tariff extensions
- Change accepted, no obligation date
-
Issue 423: Review of demand charges in energy billing transactions
- Agreed to carry over to Maintenance Iteration 10
-
Issue 432: EnergyPlanSolarFeedInTariff.tariffUType enum contains incorrect values
- Change accepted, no obligation date
-
Issue 438: Representing adjustment transactions within the Billing Payload for C&I customers
- Agreed to carry over to Maintenance Iteration 10
-
Issue 439: Review Pricing Model & Time Zone attributes within Account Detail Payload
- Agreed to carry over to Maintenance Iteration 10
-
-
Common (cross-sector) issues
-
Issue 391: Remove requirement for at least one address in physicalAddresses array
- Change accepted, no obligation date. Documentation fix.
-
Issue 407: Align data quality NFR with Privacy Safeguard 11
- Change accepted.
- No feedback offered on proposed obligation dates. DSB to provide a proposal for progression.
-
-
InfoSec issues
-
Issue 404: Profile scope not aligned with CX standards
- This issue was consulted on as a decision proposal - refer to DP216 which consulted on the change
- The outcome of DP216 will be cross posted to this issue
-
- No change supported, no obligation date. Standards aligned to upstream PAR spec
-
Issue 397: Transaction Security Ciphers
- No change supported, no obligation date. See DP 209 for migration path
-
Issue 405: Alternative mechanisms for OTP
- Agreed to carry over to Maintenance Iteration 10
-
Issue 406: Change Request to make 'scope' optional in the token end-point response in FAPI
- No change supported, no obligation date. See DP 209 for migration path
-
Issue 426: Recipient Arrangement Revocation Endpoint exposed to Mixup Attack event messaging. |
- ADRs commented that they already partially support the proposed solution.
- Indication from ADRs was that full implementation of the proposal was supported and had a low implementation impact
-
Issue 428: CTS incorrectly implements Data Holder Initiated Revocation
- ADRs indicated they currently supported the proposal and supported immediate obligation dates
- Some participants advocated for immediate obligation dates for ADRs to support the change with operational and incident management processes to deal with the short term integration issues.
- Currently the issue is that this is impacting DHs and a future dated obligation will continue to persist the problem
-
Issue 430: [CDS Spec documentation bug- Is x-fapi-auth-date header mandatory or optional]
- Change accepted, no obligation date. Documentation fix.
-
Issue 434: Update Authorize request non-normative example
- Change accepted, no obligation date. Documentation fix.
-
Issue 435: Nominated representative end user for non-individual consumers
- Agreed to carry over to Maintenance Iteration 10
-
-
Register issues
-
Issue 418: CDR Data Holders outbound connection whitelisting
- Related to issue 416
- Change accepted, no obligation date. Provides clarification in regards to whitelisting friction at client registration.
-
Issue 424: API Uplift for Data Holder Multi-Sector support
- Changes proposed were accepted, with the exception that a public Data Holder API requires further consultation. Issue #444 raised to consult specifically on the DH API.
-
Issue 425: API Uplift for Data Recipient Multi-Sector support
- Changes proposed were accepted
-
- Agreed to carry over to Maintenance Iteration 10
-
Issue 433: Data Holder behaviour is not defined when a software product id goes "missing"
- Change accepted, no obligation date. Documentation fix.
-
Issue 440: CDR Register OpenID Configuration does not specify token signing algorithm support
- Change accepted, no obligation date. Documentation fix.
-
Issue 441: RegisterDataHolderAuth schema in GetDataHolderBrands descriptions to be clarified
- Change accepted, no obligation date. Documentation fix.
-
Issue 442: Documentation improvement: JWT Signature verification requirements during the DCR flows
- Change accepted, no obligation date. Documentation fix.
-
Issue 443: SSA definition: Deprecation of revocation_uri
- Agreed to carry over to Maintenance Iteration 10
-
Issue 444: Add an unauthenticated GetDataHolderBrands endpoint exposed as a public API
- Agreed to carry over to Maintenance Iteration 10
-
None
None
Where applicable, obligation dates will be circulated by updates to each GitHub issue.