
Consider changing statement in Certificate Management about the use of ACCC CA issued certificates for ADR end points #126

Open
anzbankau opened this issue Jul 16, 2020 · 2 comments
Labels: change request (A request for change to the design); query (A question or request for clarification); request for feedback (a request for the community to provide input on this issue)

Comments

@anzbankau

ANZ would like to request a change to the registry design as it currently stands around data recipient use of the ACCC CA issued certificates for the endpoints they are hosting. Currently the standard specifies DRs can use ACCC CA certs or a Cert issued by a public CA.

Currently ANZ use a specific list of CA providers which is managed by a vendor product. Adding and maintaining a new CA adds overhead in management and the potential risk that the CA will not be loaded or will expire.

As we understand it, there are no ADRs currently using ACCC CAs for these end points, so we feel it would be a good time to make the change to remove the option to use the ACCC CA and resort to use of Public CA only.

Current standards reference:
ADRs may choose to secure their endpoints with an ACCC CA issued certificate or a certificate issued by a public CA
https://cdr-register.github.io/register/#certificate-management

@CDR-Register-Stream added the labels change request, query and request for feedback on Aug 11, 2020
@CDR-Register-Stream

@anzbankau Thanks for your query.

As discussed out of band, there are effectively three options here:

Option 1. Trust public CA only
This would mean that for ADR endpoints, the ACCC CA would NOT be trusted and the ADR is free to use whichever public CA they choose.
This raises the following questions:

  1. How is the list of Public CAs maintained? Is this decided by your vendor, your own change management processes or a 3rd party source like Mozilla?
  2. Should a curated list of trusted Public CAs be used in the regime?

Option 2. ACCC CA only
This means public CAs could not be used. This would mean that these endpoints would be solely for use in the CDR and give no opportunity for ADRs to reuse them in other ecosystems. This is particularly pertinent for the JWKS URI.

Option 3. Combination of Public CA and ACCC CA
This is what is currently specified. The pain point here is that you need to trust both Public CAs and the ACCC CA. Is this actually onerous? Are you not simply adding the ACCC CA to your master list of trusted CAs?

I'd like to invite input on this topic so as to explore the advantages and disadvantages of each option and identify if there is sufficient motivation for change.
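To make the three options concrete from the data holder's side, here is an added Go example that is not code from the register, the CDR project or anyone in this thread. It builds two roots in-process that stand in for a public CA and the ACCC CA (both constructed, neither is a real CA), issues an endpoint certificate from each, and runs the client-side chain verification against the trust store each option implies. The hostname adr.example.test and the CA names are assumptions; the trust pool starts empty so the machine's own root store cannot influence the result.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"time"
)

var nextSerial int64 // simple serial counter for the constructed certificates

// makeCert generates a key and certificate. With parent == nil it returns a
// self-signed root; otherwise a server certificate for host name, signed by parent.
func makeCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(nextSerial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer, signKey := parent, parentKey
	if parent == nil { // self-signed root
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
		signer, signKey = tmpl, key
	} else { // server leaf: hostname in the SAN, server-auth EKU
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// TrustStore is the client-side root pool for each option in the thread:
// 1 = public CA only, 2 = ACCC CA only, 3 = both (what the register currently says).
// The pool starts empty, so the operating system's roots are deliberately not consulted.
func TrustStore(option int, publicRoot, acccRoot *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	if option == 1 || option == 3 {
		pool.AddCert(publicRoot)
	}
	if option == 2 || option == 3 {
		pool.AddCert(acccRoot)
	}
	return pool
}

// EndpointTrusted is the check a data holder's TLS client makes before calling an
// ADR endpoint: the certificate must chain to a trusted root and match the hostname.
func EndpointTrusted(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err == nil
}

// EvaluateOptions issues one endpoint certificate from each constructed root and
// reports, per issuer ("public" or "accc") and per option, whether the client accepts it.
func EvaluateOptions() (map[string]map[int]bool, error) {
	const host = "adr.example.test" // hypothetical ADR endpoint, not a real one
	roots := map[string]*x509.Certificate{}
	leaves := map[string]*x509.Certificate{}
	for _, name := range []string{"public", "accc"} {
		root, key, err := makeCert("Example "+name+" CA (constructed)", nil, nil)
		if err != nil {
			return nil, err
		}
		leaf, _, err := makeCert(host, root, key)
		if err != nil {
			return nil, err
		}
		roots[name], leaves[name] = root, leaf
	}
	result := map[string]map[int]bool{}
	for name, leaf := range leaves {
		result[name] = map[int]bool{}
		for opt := 1; opt <= 3; opt++ {
			result[name][opt] = EndpointTrusted(leaf, TrustStore(opt, roots["public"], roots["accc"]), host)
		}
	}
	return result, nil
}

func main() {
	res, err := EvaluateOptions()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(res)
}
```

Running it with go run prints, per issuer, which options accept the certificate: a public-CA certificate passes under options 1 and 3 only, an ACCC-CA certificate under options 2 and 3 only. Option 3 is option 1's pool plus one extra AddCert, which is the maintainer's question in code form: whether adding one root to an existing master list is onerous depends on the change process around that list, not on the verification step itself. A browser's bundled trust store behaves like option 1 with a vendor-curated list, so anything fetched directly from a browser only works under options 1 or 3.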

@perlboy

perlboy commented Aug 12, 2020

This seems like a relevant historical reference to make here: ConsumerDataStandardsAustralia/standards#65 (comment)

The trust of the ecosystem is already a hybrid one and the issue of this was highlighted for Data Recipients previously. Now the converse is happening with the same constraint except within an established governance environment like that within a bank rather than the somewhat "hypothetical" ADR during previous related discussions.

As stated in the previous call, the override was to allow for Data Recipients to maintain a choice in the same way that banks were given the choice when publishing PRD APIs.

My personal opinion is, and always has been, that the entire ecosystem (outside of browser loading auth/login screens) should have been constrained to the ACCC authority so that all parties could pin their trust stores to the national authority (and this authority could be delegated downstream using sub-CAs). In the context of the comment posted in May 2019 though, that decision was already made against my personal opposition to it for exactly the reasons now being discussed.

As a consequence, the summary is:

  1. The ecosystem is already a hybrid one (Option 3) and Holders don't appear to have minded when it was their API endpoint
  2. Personally, it should be a closed ecosystem but now things are live and the precedent has been set. If the desire is to change all endpoints to be within the ACCC ecosystem the main side effect will be the government's product comparator blowing up because it's being accessed directly from a browser.

I guess Option 3 because it's too late or Option 2 only if the decision is to enforce an ecosystem protected purely by Australian government authorities (and therefore PRD APIs need to be changed).
