DSB Maintenance Iteration 9: Agenda & Meeting Notes (01 December 2021) - ConsumerDataStandardsAustralia/standards GitHub Wiki

DSB Maintenance Iteration 9 - Agenda & Meeting Notes (2021-12-01)

Date and time: 01/12/2021, 2pm - 3.30pm AEDT (1pm - 2.30pm AEST)
Location: WebEx
Dial-in details:

Chair: Mark Verstege Maintenance overview: Further information
Maintenance project board: See here
Decision Proposal: This maintenance iteration is being consulted on under Decision Proposal 212

Agenda

  • Wait 5 minutes for all participants to join. Kickoff at 2:05pm (AEDT)
  • Outstanding Actions
  • Release plan: schedule of forwards looking standards releases
  • Open Decision Proposals: key consultation dates
  • Iteration 9 change request candidates
  • Any other business

Meeting notes

Introductions

This week is the ninth and final call of the 9th maintenance iteration. The purpose of the meeting is to finalise changes arising from the 9th maintenance iteration and agree on future dated obligations for breaking changes.

  • Allow 5 min for participants to join
  • Housekeeping
  • Overview, purpose and intended outcomes of the meeting

Actions

  • ANZ to create a change request to better support cursors for returning large result sets.
  • (Issue #292) [IN PROGRESS] DSB to propose strawman solution
  • (Issue #291) [IN PROGRESS] DSB to propose strawman solution
  • (Issue #418) DSB will consult on a long-term strategic solution to resolve this issue however a short-term solution needs to be embedded to supports ADRs and DHs during the transition
  • (Issue #418) DSB to verify that the ACCC can or is providing an operational process to distribute ADR domain lists to DHs ahead of activation and DCR requests
  • (Issue #426) [IN PROGRESS] DSB to discuss with ADRs whether any are currently allowing token reuse
  • (Issue #428) [IN PROGRESS] DSB to discuss CTS support for audience claim value for DHs calling the ADR revocation endpoint
  • (Issue #428) [IN PROGRESS] DSB to confirm that the ACCC is updating the CTS to test the proposed wording, not the current wording
  • (Issue #433) [IN PROGRESS] DSB to continue discussions with the ACCC on the CTS changes and provide a response back to the community

Release plan

  • v1.14.0 was published on the 29th of October 2021: Energy API standards
  • v1.15.0: DP 209, DP 216 and DP 212
  • v1.16.0: Not currently planned

Open / Active Decision Proposals

The following decision proposals are open for community feedback

DP # Closing date DP
216 Closed Decision Proposal 216 - Profile Scope Support
209 Closed Decision Proposal 209 - Transition to FAPI 1.0 Advanced Profile
162 Closed Decision Proposal 162 - CX Standards | Joint Accounts
222 Closed Decision Proposal 222 - CX Standards | Insights and Trusted Adviser Disclosure Consents
225 18/02/2022 Decision Proposal 225 - Data Recipient Security Standards
211 Pending Decision Proposal 211 - Scope of Risk-based Authentication and Identity Proofing Framework, Threat and Attack Model
210 Pending Decision Proposal 210 - Transition to FAPI 2.0 Profile
203 No closing date Normative Standards Review (2021)
158 Closed Decision Proposal 158 - Participant capability discovery

Future Plan

Review of Q4 and new changes: https://github.com/ConsumerDataStandardsAustralia/future-plan/projects/1

Iteration 9 Change Requests

All open change requests can be found here:

Data Standards CRs:

Maintenance Iteration Schedule

  • Maintenance Iteration 9 extended until 1st December 2021
  • Maintenance Iteration 10 will commence 16th Feb 2022

Issues Consulted

The following issues have been consulted on during this iteration. The current status is summarised.

Standards Maintenance Issues

Source # Sector Change Request Decision Change Status Future Dated
Obligation (FD)
Affected Schema
(if applicable)
Affected Endpoint
(if applicable)
Recommendation
Standards Maintenance Issue 150 Banking A loan may have no end date but loanEndDate is mandatory Change Recommended Breaking Change TBD BankingLoanAccount Get Account Details (v1 -> v2) Change repaymentFrequency, loanEndDate and nextInstallmentDate fields to be optional.
Standards Maintenance Issue 291 Banking Credit card loyalty program data: significant gaps and lack of structure Carry Over to Maintenance Iteration 10 N/A N/A BankingProductDetailV3
BankingAccountDetail
Get Product Detail (v3 -> v4)
Get Account Detail (v1 -> v2)
Proposes changes to better support loyalty schemes
Standards Maintenance Issue 292 Banking Credit card balance plans and payment hierarchy: inadequate information within the CDS Carry Over to Maintenance Iteration 10 N/A N/A BankingProductDetailV3
BankingAccountDetail
Get Product Detail (v3 -> v4)
Get Account Detail (v1 -> v2)
Proposes changes to supported multiple payment plans and balances
Standards Maintenance Issue 391 Common Remove requirement for at least one address in physicalAddresses array Change Recommended Breaking Change TBD CommonPersonDetail
CommonOrganisationDetail
Get Customer Detail (v1 -> v2) Proposed change to remove requirement of at least one address to be returned. Feedback from DHs has indicated that this is not always possible when the address held on record is invalid
Standards Maintenance Issue 396 Banking Define new Digital Wallet Payee Type to relevant schemas Change Recommended Breaking Change TBD BankingPayee
BankingPayeeDetail
Get Payees (v1 -> v2)
Get Payee Detail (V1 -> v2)
Extend payee support for provider-agnostic digital wallets. Get Payees v2 and Get Payee Detail v2 future-dated obligation TBD 2022. Data Holders can support v2 as early as is practical but no later than TBD 2022. Retirement of v1 APIs 1 month after v2 FDO (i.e., any time after one month after v2 FDO).
Standards Maintenance Issue 401 Banking Extending the list of supported feature types Change Recommended Breaking Change TBD BankingProductFeature Get Product Detail (v3 -> v4)
Get Account Detail (v1 -> v2)
Proposes changes to supported feature types
Standards Maintenance Issue 402 Banking Support for multiple additional information documents Change Recommended Non-Breaking Change None BankingProductV3 Get Products (v3 -> v4)
Get Product Detail (v3 -> v4)
Proposes changes to supported multiple additional product documents
Standards Maintenance Issue 404 Banking Profile scope not aligned with CX standards Consulted on in DP216 Breaking Change Refer to DP216 N/A ID Token
OIDC UserInfo endpoint
This issue will be consulted on in Decision Proposal 216 - Profile Scope Support given the breadth of the standards changes
Standards Maintenance Issue 407 Common Align data quality NFR with Privacy Safeguard 11 Change Recommended Non-Breaking Change Immediate N/A N/A Changes to Data Quality NFRs working in line with OAIC feedback regarding data quality requirements in relation to Privacy Safeguard 11
Standards Maintenance Issue 419 Energy Modification of energy billing and invoicing enumeration values Change Recommended Non-Breaking Change None EnergyInvoiceListResponse
EnergyBillingListResponse
Energy billing & invoice endpoints -
Standards Maintenance Issue 420 Energy Modification of energy account enumeration values Change Recommended Non-Breaking Change None EnergyAccountDetail Energy account endpoints -
Standards Maintenance Issue 421 Energy Review of rates in energy account payload Change Recommended Non-Breaking Change None EnergyAccountDetail Energy account endpoints -
Standards Maintenance Issue 422 Energy Energy C&I tariff extensions Change Recommended Non-Breaking Change None EnergyAccountDetail
EnergyInvoiceListResponse
EnergyBillingListResponse
Energy account endpoints
Energy billing & invoice endpoints
-
Standards Maintenance Issue 423 Energy Review of demand charges in energy billing transactions Change Recommended Non-Breaking Change None EnergyBillingListResponse Energy billing & invoice endpoints -
Standards Maintenance Issue 432 Energy EnergyPlanSolarFeedInTariff.tariffUType enum contains incorrect values Change Recommended Non-Breaking Change None EnergyPlanResponse Generic Tariff endpoints -
Standards Maintenance Issue 438 Energy Representing adjustment transactions within the Billing Payload for C&I customers Carry Over to Maintenance Iteration 10 Non-Breaking Change None EnergyBillingListResponse Energy billing & invoice endpoints
Standards Maintenance Issue 439 Energy Review Pricing Model & Time Zone attributes within Account Detail Payload Carry Over to Maintenance Iteration 10 Non-Breaking Change None EnergyAccountDetail Energy account endpoints
Standards Maintenance Issue 395 InfoSec Does DHs' PAR endpoint require enabling private key jwt client authentication in addition to request object validation? Not Supported No Change N/A N/A N/A No change
Standards Maintenance Issue 397 InfoSec Transaction Security Ciphers Not Supported No Change N/A N/A N/A Defer to FAPI 1.0. The change proposed by the DSB to defer to FAPI standards will be included in the DP 209 consultation. Standards will be changed in accordance to the schedule for FAPI 1.0 adoption
Standards Maintenance Issue 405 InfoSec Alternative mechanisms for OTP 2022 Decision Proposal for Authentication Uplift N/A N/A N/A N/A This change requires a DP including CX. The DSB needs to support Macquarie with C&E to enable them to remain live with an exemption in the meantime.
Standards Maintenance Issue 406 InfoSec Change Request to make 'scope' optional in the token end-point response in FAPI Not Supported No Change N/A N/A oAuth Token endpoint Retain current requirement for scope support. Alignment to FAPI 1.0 (Final) requirements for the scope value will be included in the DP 209 consultation. Standards will be changed in accordance to the schedule for FAPI 1.0 adoption
Standards Maintenance Issue 426 InfoSec Recipient Arrangement Revocation Endpoint exposed to Mixup Attack Change Recommended Breaking Change TBC N/A ADR CDR Arrangement Revocation Endpoint Standards to clarify tokens are single use and adopt Option 2 proposed by Biza to minimise attack vector. A Decision Proposal will be consulted on in 2022 to consider long-term strategic options for secure notifications and ADR callback event messaging.
Standards Maintenance Issue 428 InfoSec CTS incorrectly implements Data Holder Initiated Revocation Change Recommended Breaking Change TBC N/A ADR CDR Arrangement Revocation Endpoint Adopt proposal by Biza with a phase in date for ADRs. Incident management processes are recommended for use by Data Holders to open support incidents during the itervening period.
Standards Maintenance Issue 430 InfoSec [CDS Spec documentation bug- Is x-fapi-auth-date header mandatory or optional] Change Recommended Non-Breaking Change None N/A Authenticated resource endpoints Issue has been clarified as a documentation fix. This will change the resource endpoints to make the header mandatory. However, not all customers are authenticated by ADRs. Should this be conditional based on the authentication of the user by the ADR? Absent if the user is not authenticated?
Standards Maintenance Issue 434 InfoSec Update Authorize request non-normative example Change Recommended Non-Breaking Change None N/A N/A Documentation Fix
Standards Maintenance Issue 435 InfoSec Nominated representative end user for non-individual consumers Carry Over to Maintenance Iteration 10 N/A N/A Design is still under consultation. Dependent on the outcome of DP216. Will require custom userRole and roleType fields be supported as custom claims
Standards Maintenance Issue 418 Register CDR Data Holders outbound connection whitelisting Change Recommended Non-Breaking Change None Clarification has been provided that manual whitelisting is prohibited. A Decision Proposal will be raised in 2022 to consult on long-term whitelisting processes.
Standards Maintenance Issue 424 Register API Uplift for Data Holder Multi-Sector support Change Recommended Non-Breaking Change N/A
Standards Maintenance Issue 425 Register API Uplift for Data Recipient Multi-Sector support Change Recommended Non-Breaking Change N/A
Standards Maintenance Issue 431 Register Register participant statuses do not detail data holder behaviour when ADR is revoked and SP inactive Carry Over to Maintenance Iteration 10 N/A None
Standards Maintenance Issue 433 Register Data Holder behaviour is not defined when a software product id goes "missing" Change Recommended Non-Breaking Change None Documentation Fix
Standards Maintenance Issue 440 Register CDR Register OpenID Configuration does not specify token signing algorithm support Change Recommended Non-Breaking Change None Documentation Fix
Standards Maintenance Issue 441 Register RegisterDataHolderAuth schema in GetDataHolderBrands descriptions to be clarified Change Recommended Non-Breaking Change None Documentation Fix
Standards Maintenance Issue 442 Register Documentation improvement: JWT Signature verification requirements during the DCR flows Change Recommended Non-Breaking Change None Documentation Fix
Standards Maintenance Issue 443 Register SSA definition: Deprecation of revocation_uri Carry Over to Maintenance Iteration 10 N/A N/A
Standards Maintenance Issue 444 Register Add an unauthenticated GetDataHolderBrands endpoint exposed as a public API Carry Over to Maintenance Iteration 10 Non-Breaking Change N/A

Any other business

  • Address any other business arising from the community



Meeting Minutes

Notes

Standards Maintenance Issues

Actions

None

Other business

None

Next Steps

Where applicable, obligation dates will be circulated by updates to each GitHub issue.

⚠️ **GitHub.com Fallback** ⚠️