[Openid-specs-fapi] Fwd: Consumer Data Standards | September 2019 Release of Consumer Data Standards V1.0.0

Ralph Bragg ralph.bragg at raidiam.com
Mon Sep 30 07:43:09 UTC 2019

Yeah it’s an interesting approach to mandate the security mechanisms that must be used. Raises questions regarding ability to innovate.

From: Nicholas Irving <nirving at darkedges.com>
Date: Monday, 30 September 2019 at 07:59
To: Financial API Working Group List <openid-specs-fapi at lists.openid.net>
Cc: Ralph Bragg <ralph.bragg at raidiam.com>
Subject: Re: [Openid-specs-fapi] Fwd: Consumer Data Standards | September 2019 Release of Consumer Data Standards V1.0.0

Interesting read.

Is this requirement safe for Hybrid.

  *   Data Holders MUST request a user identifier that can uniquely identify the customer and that is already known by the customer in the redirected page
  *   Data Holders MUST NOT request that the customer enter an existing password in the redirected page
  *   Data Holders MUST provide a one-time password (OTP) to the customer through an existing channel or mechanism that the customer can then enter into the redirected page
It implies to me that the Data Holder implicitly trusts the requester has control of the device registered for the OTP. This means I could pick up a device that I know is registered to a bank account and give access to the CDR API without providing any credentials that I own.

I know they are trying to give easy access to the service, but surely registering first time should at least ask for credentials.

Nicholas Irving
On Mon, 30 Sep 2019, 16:34 Ralph Bragg via Openid-specs-fapi, <openid-specs-fapi at lists.openid.net<mailto:openid-specs-fapi at lists.openid.net>> wrote:
The Australian v1.
From: Consumer Data Rights Data61 <CDR-Data61 at csiro.au>
Sent: Monday, September 30, 2019 7:21:12 AM
To: McLachlan, Terri (Data61, Eveleigh) <Terri.Mclachlan at data61.csiro.au<mailto:Terri.Mclachlan at data61.csiro.au>>
Subject: Consumer Data Standards | September 2019 Release of Consumer Data Standards V1.0.0

Since the previous release on 17 July of the draft Consumer Data Standards (CDS), the Data Standards Body (DSB) has continued to liaise with the broader ecosystem participants to develop and refine the standards in support of the Australian Government’s Consumer Data Right regime.  The standards are intended to make it easier and safer for consumers to share access to the data collected about them by businesses, and – with their explicit approval – to share this data via application programming interfaces (APIs) with trusted, accredited third parties.

The DSB is pleased to announce the 30 September 2019 release which is expected to become the initial binding data standards for the Consumer Data Right (CDR) regime. The version 1.0.0 release of the CDS represents the baseline for implementation in accordance with the rules and phasing timetable made by the Australian Competition and Consumer Commission (ACCC).

We know that many in the community have been monitoring the open discussions relating to the CDS and have actively contributed to making these what they are, with feedback in workshops, on GitHub, via email and in bilateral discussions. We thank the CDR community for their active participation which has helped develop these binding standards and encourage everyone to continue to help evolve these as living standards to serve the future CDR regime.

In this September 2019 V1.0.0 release of the standards we are publishing:

  *   A non-technical summary of outcomes for each work stream, see attached;
  *   The latest version of the Consumer Data Standards<https://consumerdatastandardsaustralia.github.io/standards/>, containing API standards, Information Security profile and Customer Experience Guidelines<https://consumerdatastandards.org.au/cx-standards/>; and
  *   Payload validation tools<https://consumerdatastandards.org.au/workinggroups/engineering/> to aid participants in verifying conformance.

You can access the V1.0.0 of the Consumer Data Standards in full here<https://consumerdatastandardsaustralia.github.io/standards/>.

Please note that we continue to encourage interested participants to provide on-going feedback on the Consumer Data Standards through GitHub. All such feedback will be included in the backlog list for consideration in future versions of the standards.

For further information or any questions, please email cdr-data61 at csiro.au<mailto:cdr-data61 at csiro.au>.

We look forward to working with everyone as we move closer to a live implementation of the standards.

Many thanks and regards


Terri McLachlan
Secretariat Liaison Manager | Consumer Data Standards
CSIRO | Data61
E terri.mclachlan at data61.csiro.au<mailto:terri.mclachlan at data61.csiro.au> T +61 2 9490 5722
Level 5, 13 Garden Street, Eveleigh NSW 2015

[Data61 | CSIRO logo]
D61+ LIVE | Carriageworks, Sydney | 2–3 October 2019 | Register here<https://d61live.csiro.au/>
Australia’s leading science, technology and innovation event
Openid-specs-fapi mailing list
Openid-specs-fapi at lists.openid.net<mailto:Openid-specs-fapi at lists.openid.net>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20190930/0b859c03/attachment-0001.html>

More information about the Openid-specs-fapi mailing list