Please note this article is no longer relevant and has been archived.
The following questions apply to situations in which a Provider is nominated by multiple Principals.
Question
In the case of a Collection Arrangement, the Provider has one certificate of its own.
Can a Provider's certificate be used, by all the Principals, for making API calls to Data Holders requiring TLS?
Answer
Each Principal must have a client certificate issued to it, which the Provider uses to request CDR data on the Principal's behalf.
The ACCC and the ADRs are able to revoke a certificate, based on security hygiene processes or suspected or proven unauthorised disclosure of the private key.
To ensure only one Principal is affected by a revocation, the client certificate used to collect CDR data MUST be used exclusively for the Principal to which it belongs.
Question
On certificates which are hosted via JWKS (JSON Web Key Sets):
- Can the same JWKS be used by the Provider for multiple Principals?
- What type of keys need to be hosted in JWKS? We know that there needs to be a public key which is used by CDR/DH to verify the JWTs that are issued by the Provider. Should it also include a public key which is to be used for id_token encryption by the DH (Data Holder)?
- Are there key rotation requirements, or other NFRs (Non-Functional Requirements) related to keys hosted in JWKS?
Answer
JWKs should be treated the same way as CA-issued certificates. The CDR Register provides the functionality to have a dedicated JWKS endpoint per software product.
JWKS endpoints can be shared by duplicating the jwks_uri for each software product. If JWKS endpoints are to be shared, dedicated keys should be issued per software product.
ID token signing and encryption public keys should be published on the corresponding JWKS endpoints.
The DSB (Data Standards Body) does not specify key rotation requirements. Organisations are responsible for their own certificate and key rotation policies. However, we do provide a recommendation on cache age for clients retrieving JWKS. Clients are recommended to have a maximum cache age of 15 mins.
Consult your security team to determine how your organisation manages these keys and their rotations. The CDR Register provides for many different configurations and it is up to each organisation to ensure best practices are followed.
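One way a client could apply the 15-minute maximum cache age when looking up signing ("sig") and encryption ("enc") keys by kid, written for this page as an added example and not taken from the CDR standards or the Register. The fetch callable, the MIN_REFETCH_GAP limit on refetches for unknown kids, the URI and the kid values are assumptions, and the sample JWKS entries are constructed with key material omitted.

```python
import time

MAX_CACHE_AGE = 15 * 60   # seconds; the maximum cache age recommended above
MIN_REFETCH_GAP = 60      # seconds; assumed limit on refetches for unknown kids


class JwksCache:
    """Caches the key set of each jwks_uri and refetches once it is too old."""

    def __init__(self, fetch, clock=time.monotonic):
        self.fetch = fetch    # hypothetical callable(jwks_uri) -> parsed JWKS dict
        self.clock = clock    # injectable so the expiry logic can be tested
        self.entries = {}     # jwks_uri -> (fetched_at, {(kid, use): jwk})

    def refresh(self, uri):
        keys = {(k.get("kid"), k.get("use")): k
                for k in self.fetch(uri).get("keys", [])}
        self.entries[uri] = (self.clock(), keys)
        return keys

    def get_key(self, uri, kid, use):
        """Return the JWK with this kid and use ('sig' or 'enc'), or None."""
        entry = self.entries.get(uri)
        if entry is None or self.clock() - entry[0] >= MAX_CACHE_AGE:
            return self.refresh(uri).get((kid, use))
        fetched_at, keys = entry
        key = keys.get((kid, use))
        if key is None and self.clock() - fetched_at >= MIN_REFETCH_GAP:
            # Unknown kid in a fresh cache: a new key may have been rotated in.
            key = self.refresh(uri).get((kid, use))
        return key


# Constructed sample data: one software product's JWKS before and after rotation.
SAMPLE_URI = "https://adr.example/product-a/jwks"
JWKS_V1 = {"keys": [{"kid": "a-sig-1", "use": "sig", "kty": "RSA"},
                    {"kid": "a-enc-1", "use": "enc", "kty": "RSA"}]}
JWKS_V2 = {"keys": [{"kid": "a-sig-2", "use": "sig", "kty": "RSA"},
                    {"kid": "a-enc-1", "use": "enc", "kty": "RSA"}]}

if __name__ == "__main__":
    now, published = [0.0], [JWKS_V1]
    cache = JwksCache(lambda uri: published[0], clock=lambda: now[0])
    print(cache.get_key(SAMPLE_URI, "a-sig-1", "sig"))
    published[0] = JWKS_V2          # the product rotates its signing key
    now[0] = MAX_CACHE_AGE          # the cached copy reaches its maximum age
    print(cache.get_key(SAMPLE_URI, "a-sig-1", "sig"))  # retired key is gone
```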