[Openid-specs-fapi] Fwd: OpenID Foundation Follow-up to ACDS on CDS [SEC=OFFICIAL]

Don Thibeau don at oidf.org
Wed Dec 9 12:03:30 UTC 2020


Begin forwarded message:

From: "Stevens, Andrew" <Andrew.Stevens at isa.gov.au>
Subject: Re: OpenID Foundation Follow-up to ACDS on CDS [SEC=OFFICIAL]
Date: December 8, 2020 at 10:50:46 PM EST
To: Nat Sakimura <nat.sakimura at oidf.org>, <paul.franklin at accc.gov.au>, <daniel.mcauliffe at treasury.gov.au>, <kate.ORourke at treasury.gov.au>
Cc: Don Thibeau <don at oidf.org>, Mike Leszcz <mike.leszcz at oidf.org>, "Thomas, Barry (Data61, Docklands GS)" <Barry.Thomas at data61.csiro.au>

Dear Nat and Don,

I read with interest Nat’s letter (below) on November 18 regarding the OIDF’s FAPI technical conformance service for CDR participants. I was similarly interested in Don’s note (via Chris Michaels) regarding your education initiatives with the OBIE.

As the Chair of the Data Standards Body (DSB) for the CDR I carry primary responsibility for the technical standards that underpin our regime. As such, while the ACCC and Treasury may see fit to communicate with you as well, my team in the DSB will be best placed to engage with the details of your technical conformance service, both in terms of understanding what you have to offer our community and to provide technical assistance to you if you need it. From what you’ve told us so far it appears that your service could provide great benefits to CDR participants but the first step from here will be achieving a more detailed understanding both of the service you’ll be offering and of the level of engagement you’d like to see from us.

I suggest engaging directly with the DSB team to set up an initial call – Barry Thomas <barry.thomas at consumerdatastandards.gov.au> (Director), James Bligh <james.bligh at consumerdatastandards.gov.au> (Lead Architect, CDR) and Mark Verstege <mark.verstege at consumerdatastandards.gov.au> (Lead Architect, Open Banking and Infosec).

I note also that the DSB regularly runs workshops and other initiatives aimed at educating our developer community about the Consumer Data Standards. We would be very pleased to explore the possibility of collaborating with you to provide workshops along the same lines as those you have undertaken in the UK.

Thank you for reaching out to us, and for your encouraging words about our improving conformance with the FAPI standards.


Andrew Stevens
Chairman, Industry Innovation and Science Australia
M: +61 419 986 217
Andrew.Stevens at isa.gov.au
Innovation and Science Australia | https://www.industry.gov.au/strategies-for-the-future/innovation-and-science-australia/isa

The department acknowledges the traditional owners of the country throughout Australia and their continuing connection
to land, sea and community. We pay our respect to them and their cultures and to the elders past and present.

Industry Innovation and Science Australia | www.industry.gov.au/iisa



From: "Nat Sakimura" <nat.sakimura at oidf.org>
Date: Thursday, 19 November 2020 at 02:31:28
To: "Stevens, Andrew" <Andrew.Stevens at isa.gov.au>, <paul.franklin at accc.gov.au>, <daniel.mcauliffe at treasury.gov.au>, <kate.ORourke at treasury.gov.au>
Cc: "Don Thibeau" <don at oidf.org>, "Mike Leszcz" <mike.leszcz at oidf.org>
Subject: RE: OpenID Foundation Follow-up to ACDS on CDS

November 18, 2020

Mr Andrew Stevens
Chairman, Consumer Data Standards Australia

Mr Paul Franklin
Executive General Manager, Consumer Data Right, Australian Competition and Consumer Commission

Ms Kate O’Rourke
Principal Advisor, The Treasury, Australia

Mr Daniel McAuliffe
Project Lead, Consumer Data Right, The Treasury, Australia

RE: OpenID Foundation Follow-up to ACDS on CDS

Dear Mr Stevens, Mr Franklin, Ms O’Rourke, and Mr McAuliffe,

This communication follows the letter I sent on August 13, 2019, as Chair of the OpenID Foundation’s Financial-grade API (FAPI) Working Group <https://openid.net/wg/fapi/>. In my prior communication, I noted the Foundation performed an analysis of the Australian Consumer Data Standards (ACDS) that highlighted some deviations from the OpenID Connect and Financial Grade API (FAPI) standards. Now that the majority of deviations have been removed, this enables CDR Data Holders and Data Recipients to demonstrate their technical conformance with the FAPI standards. This increases the reliability of systems leveraging these standards, the repeatability in successive systems and trust among all stakeholders in the ecosystem.

The ACDS’s adoption of FAPI enables the members of your community to leverage the OpenID Foundation certification program <https://openid.net/certification/>. It is a mature model in use today, at scale, via the Open Banking Implementation Entity from UK regulators, identity providers (Data Holders) and relying-parties (Data Recipients) to self-certify their OpenID Connect and FAPI deployments. The tests are available to all, today, at no cost, at any time. The test suite can be run by participants themselves locally on their infrastructure or by using the OIDF’s hosted service. At a time of their choosing, participants’ test results are checked by the OIDF for a modest fee, and they are added to a publicly available list of organizations that have demonstrated conformance to the FAPI standard. This greatly assists participants of all types, large and small, to achieve ACDS compliance and interoperate globally.

The Foundation recently updated the FAPI conformance suite to ensure that servers following the CDR standards comply with the underlying FAPI specifications.  A number of Australian organizations have tested these tests against their CDR environments. The interoperability and security issues found in the deployments of Data Holders and Data Recipients were then able to be fixed well before they caused concerns.

The success of ‘testing the tests’ allows the Foundation to launch a FAPI compliance service for CDR data holders. This new service also optionally covers the new pushed authorization spec that CDR plans to start introducing in November 2020. This is timely and important given the CDR’s is a new protocol without the benefit of existing test suites and few vendor implementations.

The purpose of this communication is to gauge the Australian Competition and Consumer Commission’s (ACCC), and relevant internal parties, interest in supporting the OIDF’s launch of a FAPI technical conformance service for CDR participants. Your support would help expand its value to Accredited Data Recipients, and influence evolving the service in the future. We welcome ACCC’s involvement in the FAPI Working Group at any time. Any feedback on the FAPI CDR compliance service is welcome, especially prior to launch.

The Foundation’s considerable investment in its certification program ensures trusted implementations of open standards. The return is measured in positive impacts on interoperability and security. The UK’s use of the Foundation’s test suites has resulted in reduced engineering costs for all parties and facilitated market entry for new participants. This becomes particularly important as CDR is expanded to more entities. It highlights the importance that standards like FAPI evolve within their working groups.

OIDF’s certification program has proven its value to UK OpenBanking. It has revealed and assisted in resolving a significant number of interoperability and security problems in production systems in the nine largest UK banks while reducing integration costs for all. The certification and FAPI teams continue to work to ensure the tests reflect the intent of the specification authors and the needs of users.

We have run a series of joint workshops with the OpenBanking Implementation Entity in the UK and the Financial Data Exchange in the US to increase understanding of the standards and the benefits of the certification tools. We hope we could run similar workshops with the assistance of the appropriate Australian entities.

Please consider engaging with the OpenID Foundation on the launch of the CDR testing service. Your involvement benefits the community at large by alignment with ACCC and ACDS goals. We would be happy to arrange a call to answer any questions you might have. Thank you for your consideration.


Nat Sakimura
Chair, OpenID Foundation
Co-Chair FAPI Working Group

Don Thibeau : Executive Director, OpenID Foundation
Email: don at oidf.org
Voice: +1 202.841.8222
