Question
An Accredited Data Recipient (ADR) can advertise its end points through its software product during registration. This can be used by the Data Holder (DH) to determine the arrangement revocation end point. Considering this, does the URI have to be <RecipientBaseUri>/arrangements/revoke? Can the DR specify the endpoint as <RecipientBaseUri>/consent/revoke or any other subpath?
Answer
The revocation endpoint must be <RecipientBaseUri>/arrangements/revoke, as defined explicitly in the standards. Otherwise data holders will have no idea how to call it. The dynamic registration process allows the ADR to tell the DH the value of RecipientBaseUri, but there is no mechanism for the ADR to tell the DH the full path.
In previous versions of the Consumer Data Standards (CDS), a revocation_uri field was included in dynamic registration, which could be used to define a full path for the revocation end point. We have now moved to a base path model instead of specific paths. This results in a lower impact if new end points are required as part of the ADR implementation.
There is a non-normative example in the documentation for CDS Security Profile, End points, CDR Arrangement Revocation End Point.
See:
- CDS Security Profile, End points, CDR Arrangement Revocation End Point
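The sketch below is an added example, not code from the standards or from this article. It shows how a data holder could derive the revocation end point from the registered base URI alone. The claim name recipient_base_uri, the https-only check and the sample registration are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Fixed subpath, as stated in the answer above.
REVOCATION_SUBPATH = "/arrangements/revoke"


def revocation_endpoint(registration: dict) -> str:
    """Build <RecipientBaseUri>/arrangements/revoke from registration metadata."""
    # Assumption: the registration carries RecipientBaseUri as "recipient_base_uri".
    base = registration.get("recipient_base_uri")
    if not base:
        raise ValueError("registration has no recipient base URI")

    parts = urlsplit(base)
    # Assumption: the data holder only calls absolute https URIs.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("recipient base URI must be an absolute https URI")
    if parts.query or parts.fragment:
        raise ValueError("recipient base URI must not carry a query or fragment")

    # A legacy revocation_uri value, if still present, is deliberately not
    # consulted: only the base URI is registered under the base path model.
    path = parts.path.rstrip("/") + REVOCATION_SUBPATH
    return urlunsplit(("https", parts.netloc, path, "", ""))


# Constructed sample registration (not real data).
SAMPLE = {
    "recipient_base_uri": "https://adr.example.com/cdr/",
    "revocation_uri": "https://adr.example.com/consent/revoke",  # legacy, ignored
}

if __name__ == "__main__":
    print(revocation_endpoint(SAMPLE))
```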