Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Updates to Certificate Management #577

Closed
ACCC-CDR opened this issue Feb 7, 2023 · 4 comments
Closed

Updates to Certificate Management #577

ACCC-CDR opened this issue Feb 7, 2023 · 4 comments
Labels
Proposal made The DSB has proposed a specific change to the standards to address the change request Register

Comments

@ACCC-CDR
Copy link

ACCC-CDR commented Feb 7, 2023

Description

Various updates are requested to be made to the Certificate Management section of the Consumer Data Standards in order to match the security issuing procedures of the ACCC.

Area Affected

Security Profile > Certificate Management

Change Proposed

Various changes are proposed.

Data Recipient Server Certificates

Currently within the Certificate Management section of the Consumer Data Standards, there is an option for Data Recipients to request a server certificate issued by the Register CA. They are also given the option to use a server certificate issued by a Public CA.

As the Data Recipient hosted endpoints are not mTLS there is no need to use a Register CA issued server certificate. As such, the ACCC has never issued a server certificate to a Data Recipient. Data Recipients can simply use a server certificate issued by a Public CA, which would then align to their current certificate management practices for their software product.

Therefore, it is recommended that the wording around server certificate issuance to a Data Recipient is updated to remove the option to request a Register CA issued server certificate.

Certificate Signing Request

Also, to provide additional guidance to participants requesting Register CA issued certificates, the following amendments are requested to the Certificate Signing Request Profile section:

  • Include additional fields that can be provided in a CSR
  • Change Common Name to Software Product Name only for client certificate
  • Change Organization to include the Brand Name only
  • Add a mandatory indicator to specify which fields are required or optional
  • Include a statement that if optional fields are required then they will be validated to ensure correctness

For e.g.

CSR Field Field Requirement Server Client
Common Name (CN) Mandatory Primary DNS Name
e.g. api1.test.entity.com
Software Product Name
SAN Optional Secondary DNS Name(s)
e.g. api2.test.entity.com
N/A
Organization (O) Mandatory Brand Name Brand Name
Organizational Unit (OU) Mandatory Consumer Data Right Consumer Data Right
Country (C) Mandatory Country of participant
e.g. AU
Country of participant
e.g. AU
State (ST) Optional State of the Participant
e.g. New South Wales
State of the Participant
e.g. New South Wales
Locality (L) Optional Locality of the Participant
e.g. Sydney
Locality of the Participant
e.g. Sydney
Email Address Optional Participant's email address to be displayed in the issued certificate Participant's email address to be displayed in the issued certificate
Signature Algorithm Mandatory SHA256 SHA256
Key Algorithm Mandatory RSA RSA
Key Size Mandatory 2048 2048

Note: optional values, if provided, will be validated to be correct.

Certificate Trust Model

Remove the Test Environment details from the Certificate Trust Model section. Participants will be provided the trust chain for the test environment when they begin CTS.

DSB Proposed Solution

The DSB proposed solution is presented here.

@perlboy
Copy link

perlboy commented Feb 7, 2023

Firstly, discrepancies in ACCC issuing versus the Standard have been gradual particularly throughout 2022. Biza customers had certificates issued at the beginning of last year which had different constraints on them than those issued at the end of the year, this lack of clarity led to multiple back and forths and requirements from the ACCC that, quite frankly, were in violation of the prescribed Standard. There's a broader question here of what the point of a Standard actually is if government bodies aren't going to comply with it.

Secondly, the use of a Software Product Name exclusively for the client certificate conflicts with the use of either Software Product or Brand name for authentication to the register ("client_id, iss and sub claims MUST be set to the ID of the calling client Data Recipient Brand ID OR Software Product ID issued by the CDR Register") . This seems to therefore suggest there are broader changes that should be enacted.

Finally, on the dropping of Register CA certificate availability for Recipients. It's unclear what the design of AI looks like however if there are more drivers for Holder -> Recipient comms it's a very real possibility that such APIs may be preferred to be conducted over an ACCC CA secured channel.

Alternatively there's a broader question about what the point of securing a single surface with an ACCC CA certificate actually is, that is to say, the value the ACCC CA actually serves at a server (ie. Holder) level is dubious. I suspect many holders would prefer to simply roll-up their CDR services into their normal PKI management procedures. Why not ditch the ACCC CA server certificate entirely and use it purely for MTLS client purposes, possibly in both directions depending on AI?

@CDR-API-Stream CDR-API-Stream moved this from Full Backlog to Iteration Candidates in Data Standards Maintenance Feb 21, 2023
@CDR-API-Stream CDR-API-Stream moved this from Iteration Candidates to Full Backlog in Data Standards Maintenance Feb 21, 2023
@CDR-API-Stream CDR-API-Stream moved this from Full Backlog to Iteration Candidates in Data Standards Maintenance Feb 21, 2023
@CDR-API-Stream CDR-API-Stream moved this from Iteration Candidates to In Progress: Design in Data Standards Maintenance Mar 15, 2023
@JamesMBligh
Copy link
Contributor

JamesMBligh commented Mar 27, 2023

After discussions in the MI meetings and inter-agency discussions with the ACCC the proposed solution for the issues raised in this CR will be:

  • Discussion of the use of the CDR CA in general will be deferred to the Register Review consultation
  • The Certificate Signing Request and Certificate Trust Model sections will be updated as outlined in the issue description to reflect the practice of the Registrar

Note that we did seriously consider taking this section out of the standards as it is more operational/guidance in nature but we have decided to retain it for the moment as removing it without a clear and discoverable location for community members to find the information would cause more problems than it solves. This isn't a permanent position, however.

@JamesMBligh JamesMBligh added the Proposal made The DSB has proposed a specific change to the standards to address the change request label Mar 27, 2023
@perlboy
Copy link

perlboy commented Apr 16, 2023

Not sure if this is the right thread however recent changes to the ACCC CTS approach to certificate authorities preclude the ability for Holders to deliberately test a Production environment against the CTS, effectively forcing them to conduct CTS testing on a non-production environment and most probably leading to differences between what has been tested and what is released to Data Recipients.

Specifically the following statements within the Standards would be in violation if a Holder wished to complete CTS successfully:

Use of MTLS
All back-channel communication between Data Recipient Software Product and Data Holder systems MUST incorporate, unless stated otherwise, [MTLS] as part of the TLS handshake:
The presented Client transport certificate MUST be issued by the CDR Certificate Authority (CA). The Server MUST NOT trust Client transport certificates issued by other authorities.
The presented Server transport certificate MUST be issued by the CDR Certificate Authority (CA). The Client MUST NOT trust Server transport certificates issued by other authorities.

The ACCC has recently announced that the CTS will no longer be issuing certificates from the CDR Certificate Authority. While the announcement makes reference to the new authority being "production-like" this seems to ignore the fundamental laws of cryptography.

Conversely (or perversely?) the ACCC requires Holders to make an attestation that the environment is Production-like, Biza does not consider an environment with an incorrect CA to be Production-like so will be unable to provide this attestation.

@CDR-API-Stream CDR-API-Stream moved this from In Progress: Design to In Progress: Staging in Data Standards Maintenance Apr 26, 2023
@CDR-API-Stream CDR-API-Stream moved this from In Progress: Staging to Awaiting Chair Approval in Data Standards Maintenance Apr 28, 2023
@nils-work
Copy link
Member

nils-work commented May 10, 2023

Changes for this issue were staged here and incorporated into Standards version 1.24.0.

@github-project-automation github-project-automation bot moved this from Awaiting Chair Approval to Done in Data Standards Maintenance May 10, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Proposal made The DSB has proposed a specific change to the standards to address the change request Register
Projects
Status: Done
Development

No branches or pull requests

5 participants