ACCC & DSB | CDR Implementation Call Agenda & Meeting Notes | 16 January 2025

CDR-Engagement-Stream edited this page Jan 16, 2025 · 11 revisions

Agenda & Meeting Notes

When: Weekly every Thursday at 3pm-4:30pm AEST
Location: Microsoft Teams
Meeting Details: Join on your computer, mobile app or room device (Click here to join the meeting)
Meeting ID: 446 019 435 001
Passcode: BU6uFg
Join with a video conferencing device: [email protected]
Video Conference ID: 133 133 341 4
Or call in (audio only): +61 2 9161 1229,,715805177# Australia, Sydney
Phone Conference ID: 715 805 177#


Agenda

  1. Introductions
  2. House Keeping
  3. Updates
  4. CDR Stream updates
  5. Presentation
  6. Q&A
  7. Any other business

Introductions

  • 5 min will be allowed for participants to join the call.

Acknowledgement of Country

We acknowledge the Traditional Custodians of the various lands on which we work today and the Aboriginal and Torres Strait Islander people participating in this call.

We pay our respects to Elders past and present, and recognise and celebrate the diversity of Aboriginal peoples and their ongoing cultures and connections to the lands and waters of Australia.

House Keeping

Recording

The Consumer Data Right Implementation Calls are recorded for note taking purposes. All recordings are kept securely, as are the transcripts which may be made from them. No identifying material shall be provided without the participant's consent. Participants may [email protected] should they have any further questions or wish to have any material redacted from the record.

Community Guidelines

By participating in the Consumer Data Right Implementation Call you agree to the Community Guidelines. These guidelines intend to provide a safe and constructive space for members to discuss implementation topics with other participants and members of the ACCC and Data Standards Body.

Updates

⭐ indicates change from last week.

Type | Updated | Links
Standards | ⭐ Version 1.33.0 Published: 18th of December 2024 | Change log
Maintenance | Iteration 22 to commence in February 2025 | Registration open
DSB Newsletter | To subscribe to DSB Newsletter | Link here
DSB Newsletter | ⭐ 10 January 2025 | View in browser here
Consultation | Decision Proposal 361 - Energy LCCD Phase 2. Feedback closes: 4 February 2025 | Link to consultation
Consultation | Noting Paper 363 - Applicability of Authentication Frameworks | Link to consultation
Feedback | Request for Community Feedback on Issue 674. Note: this is pertinent for Accredited Data Recipients | Standards Maintenance Issue 674
Guidance | The ACCC has updated fact sheets on CDR representatives and CDR outsourcing arrangements, as well as Guidance for CDR representative principals on ensuring compliance of their CDR representatives to reflect changes made by the v7 CDR Rules package. The revised guidance is available on the CDR website. | -
Website | Reminder on the new Data Standards Body website | dsb.gov.au
Tooling | JSON schema tools: updated to align with the latest version of CDS (1.33.0) | Repository
Video | 132: Noting Paper 352 - narrated by Neale Morison (12/12/2024) | DSB YouTube Video
Video | 133: Noting Paper 360 - narrated by Neale Morison (16/12/2024) | DSB YouTube Video
Video | 134: Maintenance Iteration 21 Outcomes - narrated by Neale Morison (24/12/2024) | DSB YouTube Video
Video | 135: CDS 1.33.0 Release Walkthrough and Changes - with Jarryd Judd (02/01/2025) | DSB YouTube Video
Video | 136: Decision Proposal 361 - narrated by Jarryd Judd (08/01/2025) | DSB YouTube Video

CDR Stream Updates

Provides a weekly update on the activities of each CDR stream and their work.

Organisation | Stream | Member
DSB | Energy Sector | Hemang
DSB | Information Security | Mark

Presentation

None this week.

Q&A

Questions on Notice

Questions will be received by the community via Microsoft Teams chat before the questions are opened to the floor. Participants can submit questions outside of the CDR Implementation Call to the CDR Support Portal.

In regards to topics for questions, we ask the participants on the call to consider the Community Guidelines when posing questions to the subject matter experts.

Answer provided

Ticket # 2474 Part 1

Question:
We would like to seek clarification regarding the upcoming transaction security update related to cipher suites, as per the requirements mentioned:
Until March 17th, 2025:
Only the following cipher suites SHALL be permitted:
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
The following cipher suites SHOULD NOT be supported:
  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
From March 17th, 2025:
Only cipher suites recommended in [BCP195] SHALL be permitted.
Just so you know, please go through the link: https://consumerdatastandardsaustralia.github.io/standards/index.html#transaction-security.
Query:
1. Can the changes required for compliance with section 8.5 of [FAPI-1.0-Advanced], BCP195 be applied before March 17th, 2025 (e.g., by March 16th, 2025)? We want to ensure timely compliance with the requirements and avoid any potential ambiguity.
2. Please confirm whether the cipher suites that should not be supported until March 17th, 2025 are expected to be removed from the current solution.

Answer:
1. Yes, as long as you are still meeting the requirements of the statement -
Until March 17th, 2025:
Only the following cipher suites SHALL be permitted:
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
The following cipher suites SHOULD NOT be supported:
  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
2. If you are suggesting introducing some stronger ciphers that are part of BCP 195 before the obligation date, we may be able to consider a change to the Standards to support that.
Another option for you may be to only include ciphers that are common to the current requirement and the future requirement and only introduce any additional stronger ciphers from BCP 195 after the obligation date.

Ticket # 2474 Part 2

Question:
We need some more detailed insights to get a clear understanding of the changes; please find them below.
Effective Date for Cipher Changes:
It is mentioned that the current ciphers must remain in use as below until March 17, 2025:
Until March 17th, 2025:
Only the following cipher suites SHALL be permitted:
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
The following cipher suites SHOULD NOT be supported:
  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Could you confirm the below:
1. If there is a specific date and time for the pre-March 17 requirement mentioned here, and if data holders have all of the above ciphers enabled in the system, should we remove them immediately? Please let us know how soon this has to be achieved since this has to be done through a release iteration.
2. Will it be considered as non-compliance if we keep the TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 & TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 ciphers till March 17th?
3. Is the post-March 17 requirement transition expected to be in production on 17th March or should it be after 17th March?
Technical Rationale for Changes Post-March 17:
Could you elaborate on the technical reasoning behind the requirement to introduce new ciphers only after March 17?

Answer:
Re: 1. If there is a specific date and time for the pre-March 17 requirement mentioned here, and if data holders have all of the above ciphers enabled in the system, should we remove them immediately? Please let us know how soon this has to be achieved since this has to be done through a release iteration.
Please refer to the Standards - Interpretation:
Note that, in these standards, the key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL are to be interpreted as described in [RFC2119].

Re: 2. Will it be considered as non-compliance if we keep the TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 & TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 ciphers till March 17th?
I cannot comment on compliance, please refer to ACCC guidance - Compliance requirements for data holders.

Re: 3. Is the post-March 17 requirement transition expected to be in production on 17th March or should it be after 17th March?
The Standards state:
From March 17th 2025, the following requirements SHALL apply:
In addition to section 8.5 of [FAPI-1.0-Advanced] only cipher suites recommended in [BCP195] SHALL be permitted.
This means the change applies on the 17th and onward.

Re: Could you elaborate on the technical reasoning behind the requirement to introduce new ciphers only after March 17?
Most changes to the Standards are made as Future-Dated Obligations. This allows all participants to adopt and be ready for changes to occur.
March 17, 2025 is one of the pre-determined Obligation Dates for changes to be aligned with.
For details, refer to - https://consumerdatastandardsaustralia.github.io/standards/includes/endpoint-version-schedule/#obligation-date-schedule
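
The following is an added example, not part of the DSB's answers or the Standards: it audits a server cipher string against the lists quoted in ticket 2474 for a given date and computes the suites "common to the current requirement and the future requirement" mentioned in the Part 1 answer. The function names, the sample configuration and the `ASSUMED_BCP195` set are assumptions made for illustration; the page does not list the BCP195 suites, so that set must be confirmed against [BCP195].

```python
from datetime import date

# Lists quoted on this page (CDS Transaction Security, until 17 March 2025).
SHALL_PERMIT = {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}
SHOULD_NOT = {"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
              "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"}
OBLIGATION_DATE = date(2025, 3, 17)  # "the change applies on the 17th and onward"

# ASSUMPTION: stand-in for "cipher suites recommended in [BCP195]"; the page
# does not list them, so confirm this set against BCP195 before relying on it.
ASSUMED_BCP195 = SHALL_PERMIT | SHOULD_NOT

# OpenSSL spellings of the four suites above, as used in server cipher strings.
OPENSSL_TO_IANA = {
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "DHE-RSA-AES128-GCM-SHA256": "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "DHE-RSA-AES256-GCM-SHA384": "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
}

def parse_cipher_string(cipher_string):
    """Split an explicit colon-separated list; keywords are not expanded."""
    names = [n.strip() for n in cipher_string.split(":") if n.strip()]
    return [OPENSSL_TO_IANA.get(n, n) for n in names]

def audit(cipher_string, on, future=ASSUMED_BCP195):
    """Classify each configured suite under the rule in force on date `on`."""
    report = {"permitted": [], "should_not": [], "not_permitted": []}
    for suite in parse_cipher_string(cipher_string):
        if on >= OBLIGATION_DATE:
            key = "permitted" if suite in future else "not_permitted"
        elif suite in SHALL_PERMIT:
            key = "permitted"
        elif suite in SHOULD_NOT:
            key = "should_not"
        else:
            key = "not_permitted"
        report[key].append(suite)
    return report

def safe_across_cutover(future=ASSUMED_BCP195):
    """Suites valid both before and from the obligation date."""
    return sorted(SHALL_PERMIT & set(future))

# Constructed sample configuration, not taken from any real data holder.
SAMPLE = "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256"

if __name__ == "__main__":
    print(audit(SAMPLE, date(2025, 1, 16)))
    print(audit(SAMPLE, date(2025, 3, 17)))
    print(safe_across_cutover())
```

A configuration limited to the output of `safe_across_cutover()` needs no change on the obligation date, which is the second option described in the Part 1 answer.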

Any Other Business

Attendees are invited to raise topics related to the Consumer Data Right that would benefit from the DSB's and ACCC's consideration.

Useful Links

View a number of informative and useful links in the Consumer Data Standards Guide on Information Links.

  • Check out our guides, browse through our FAQs, and post your own questions for Support.
  • The official Consumer Data Standards website
  • This repository contains the binding API Standards and Information Security profile created in response to the Consumer Data Right legislation and the subsequent regulatory rules.
  • A demonstration of Product Reference data from the Banking Sector.
  • Consumer Data Standards on GitHub
  • Data Standards Body video channel on YouTube
  • Helping organisations provide consumers with intuitive, informed, and trustworthy data sharing experiences.
  • A Postman collection with a set of unit tests. It can be used as a development testing tool for Data Holders developing a DSB compliant API.
  • Follow Data Standards Body on LinkedIn for updates and announcements
  • Digital Resources Repository on DSB's GitHub website
  • The glossary of CDR CX terminology
  • Data Holder server reference implementation and associated tools.
  • DSB Event Calendar on Trumba Platform
  • A repository of DSB Newsletters/Blog posts since 2019
  • This repository is the staging repository for the Consumer Data Standards.
  • Java Artefacts Data Holder server reference implementation
  • This glossary lists terms and their definitions in the context of the Consumer Data Right and Consumer Data Standards.
  • This repository is used to contain discussions and contributions from the community of participants and other interested parties in the Australian Consumer Data Right regime.
  • Java Artefacts Data Holder server reference implementation