Archived 2024-03-12. Please see the CDS Guide on Dynamic Client Registration.
Question
When the Delete Registration API is invoked by the Accredited Data Recipient (ADR), is a Data Holder (DH) required to delete all registration data for the client?
Answer
Yes. When the Delete Registration API is invoked, all client details are to be deleted by the DH. As well as being a requirement, this is also a good security hygiene practice.
Question
When an ADR executes the Delete Registration API, should all the consents related to the relevant Software Product be deleted?
Answer
The DH is required to expire all consents at the time the ADR status is set to revoked or surrendered and the status of the Software Product changes to inactive. Therefore, at the time deletion is requested by the ADR through the Delete Registration API, there should be no active consents.
If an ADR deletes a Software Product from the CDR ecosystem entirely, then the DH must delete all associated consents.
Note that when an ADR status is surrendered and the status of the Software Product is inactive, then all consents must be preserved.
DHs can also undertake these security hygiene tasks when the software status changes to removed, regardless of whether an ADR calls the Delete Registration API.
Question
In the event of deletion triggered by calling the Delete Registration API, should all the tokens be deleted as well?
Answer
Yes. When the Delete Registration API is invoked, then all access and refresh tokens must be deleted.
Question
Is a Software Product authorised to be re-registered with the DH? If yes, then can an existing Software Statement Assertion (SSA) be used for such a re-registration?
Answer
Yes. An ADR must be able to initiate a re-registration of a previous Software Product with the DH. However, it may not be possible to use existing SSAs, as they have a lifetime of 10 minutes.
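The deletion and re-registration rules above, as an added worked example (not code from the CDS or any DH implementation): a toy DH registry whose delete handler removes the client record and every access and refresh token, flags any consent still active as an anomaly, and a helper that rejects an SSA outside its 10-minute lifetime. The record layout, the `iat`/`exp` claim names and all sample values are constructed assumptions.

```python
"""Toy data-holder (DH) registry illustrating what 'delete registration'
must cascade to, plus the SSA lifetime check for re-registration.
Constructed example; the only figure taken from the page is the
10-minute SSA lifetime."""
import time
from dataclasses import dataclass, field
from typing import Optional

SSA_LIFETIME_SECONDS = 10 * 60  # SSAs are valid for 10 minutes


@dataclass
class Registry:
    clients: dict = field(default_factory=dict)   # client_id -> registration details
    tokens: dict = field(default_factory=dict)    # token_id -> client_id (access + refresh)
    consents: dict = field(default_factory=dict)  # consent_id -> (client_id, status)

    def delete_registration(self, client_id: str) -> dict:
        """Handle a Delete Registration call: drop the client record and all of
        its tokens. Consents should already have been expired when the ADR or
        Software Product status changed, so any still active are reported for
        review rather than silently assumed gone."""
        if client_id not in self.clients:
            raise KeyError(f"unknown client {client_id}")
        del self.clients[client_id]
        dropped = [t for t, owner in self.tokens.items() if owner == client_id]
        for t in dropped:
            del self.tokens[t]
        leftover = [cid for cid, (owner, status) in self.consents.items()
                    if owner == client_id and status == "active"]
        return {"tokens_deleted": len(dropped), "active_consents_remaining": leftover}


def ssa_usable(ssa_claims: dict, now: Optional[float] = None) -> bool:
    """An SSA can only be presented for (re-)registration while unexpired and
    within its 10-minute lifetime; 'iat'/'exp' are assumed JWT-style claims."""
    now = time.time() if now is None else now
    lifetime = ssa_claims["exp"] - ssa_claims["iat"]
    return ssa_claims["iat"] <= now < ssa_claims["exp"] and lifetime <= SSA_LIFETIME_SECONDS
```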