Weekly OpenADE Meeting Notes Tuesday, June 24, 2014
OpenADE Task Force Topics Green Button Connect My Data Testing and Certification (target fall 2014) – Complete function block descriptions – Complete test case requirements – Amend DMD test requirements if gaps are discovered in dry run or other process Issues Raised and Implementation Questions – How to use BR=bulkID with application to account and account groupings, as well as, large ThirdParty collections of Authorizations. – Service Request 83 – including Function Block for optional customer info (service point address, etc.) – Service Request 84 – having scope selection screen on Data Custodian Site vs 3 rd Party site (need to write up description) – Service Request 85 – Duplicating TOU and CPP from ReadingType to IntervalReading as in SEP 2.0 – Service Request 86 – Desire to add digital signature to Green Button data to protect against tamper. New Resources for OpenADE Exchange requested – Tariff Model Resource – Customer Information Resource
Agenda Retail Customer Resource definition SCE Discussion issues 4,7 PG&E Discussion on how TP knows the DC “logon screen uri” What is best practice for ElectricPowerUsageSummary, ElectricPowerQualitySummary Irregular interval data Scope Selection in Oauth – namespacing? How to constrain the meaning of Scope parameter for Oauth when there may be other Oauth based services coexisting on the AuthorizationServer
Service Request 83 – including Function Block for optional customer info (service point address, etc.) Requirements – UsagePoints of RetailCustomer – Location of premise – Account ID – Sub Account (SA) ID—Service Agreement / Account is name depending on utility – Customer name, nickname (or short name) – Address and info from Lynn will provide more information – SDG&E provides only address and UPID correspondence csv and UsagePoint ID (Customer Obfuscated Key) – Current ESPI resources will never return PII – GET Subscription does not contain PII – Single Authorization covers entire Subscription and Authorization Scope – MeterID – ServicePointId – Pnode – LoadAggregationPoint, SubloadAggregationPoint – Climate zone – Account open date – Account close date – SA Open and Close date – MDM Agent Id (who does meter read) – ServiceSupplierId – EnergyServiceProviderId (may be same as service supplier) – Demand Response Provider – May need list of Ids for service providers rather than explicit?? (0..* relationship{role, href}) – Related assets ???? For example pool pump and pool pump participation in a program. – Related programs ???? Implementation – Resource Definition Probably multiple resources are good idea – REST service to exchange resource(s) GET only – Function Block(s) Wholesale vs Retail – Optionality vs Required – Possible Scope spec
Separation of PII containing Resource RetailCustomer from Subscription* Key New Resource Existing Resource Non-Resource Class *This data structure is to be developed on an aggressive schedule based on HelpDesk issue #83 and PAP10 NAESB Std REQ.18. No single API request can retrieve both PII and Anonymous data RetailCustomer UsagePoint EndDeviceAsset ServiceLocation PostionPoint TariffProfile Customer Agreement Authorization ServiceSupplier Normal ESPI Resources Subscription Anononymous EUI PII Containing information
Model UsagePoints of RetailCustomer Location of premise Account ID Sub Account (SA) ID—Service Agreement / Account is name depending on utility Customer name, nickname (or short name) Address and info SDG&E provides only address and UPID correspondence csv and UsagePoint ID (Customer Obfuscated Key) MeterID ServicePointId Pnode LoadAggregationPoint, SubloadAggregationPoint Climate zone Account open date Account close date SA Open and Close date MDM Agent Id (who does meter read) ServiceSupplierId EnergyServiceProviderId (may be same as service supplier) Demand Response Provider May need list of Ids for service providers rather than explicit?? (0..* relationship{role, href}) Related assets ???? For example pool pump and pool pump participation in a program. Related programs ????
Other Issues Dale OAuth issues PGE URIs for the dance in ApplicationInformation Question about is delivery guaranteed in ESPI with HTTPS and TLS, etc… UsagePoint relationships
Older or other slides Will build deck with new content over time.
For May 20 Topics Use Case for “verified for billing” – Added ServiceStatus – return data – Simple status or, outstanding batchlists – Consensus: Don’t really need this extension because the DC can determine if it wants to send a notification of what hasn’t been retrieved at its discretion. Revised Authorization document Use Case for Small ThirdParty / Mega ThirdParty … maybe another day in future revenue-quality data that is valid for billing purposes
Service Status Consensus: Don’t really need this extension because the DC can determine if it wants to send a notification of what hasn’t been retrieved at its discretion. As is in standard Enhanced to add current outstanding batchlist text /espi/1_1/resource/Batch/Bulk/1?start-index=1&max-results=1000&published-max= T04:00:00Z& published-min= T04:00:00Z 1
Authorization What happens when authorization changes – UsagePoints or period – When Authorization changes, place authorizationUri in notification to ThirdParty which can then re-establish its state
What can you negotiate with Scope? FBTerms – data content, CMD services ValueTerms – default durations and blocking, history length, subscription frequency (i.e. daily data cycle) ResourceTerms – specific resources available by api, bulkID assignments, bulkaccount Other?
Scope Negotiation DCTP HTTP Redirect with Scope={scope1} {scope2} … RC Logon Authorization request Scope={scope2} Authorization response Scope={scope2} access-token resourceUri authorizationUri referenceId … Oversimplified sequence diagram of Use Case #2 showing essence of scope negotiation
Scope issues Limit Scope to access-token and minimal exchange requirements Add list of UPs in a subsequent GET request – Could include UPs, optional location, additional data – We would define new resource that has this data Are there options? – FB_XX Minimum data – » UsagePoint – FB_XY Optional data » location Should it be a different namespace and XSD? – We need to make sure they are mutually exclusive – the usage and the PII containing data – Namespace and separate schema minimize the opportunity for comingling of data Single authorization with multiple UPs with different scopes – Don suggested that the scope is a union of capabilities. You need to get the data to see details – Jerry suggests scope be provided with UP?
CSV from GB Data XSLT Transform GBData.XML GreenButtonDa taStyleSheetCSV.xslt CSV File that opens in Excel
Notification DCTP HTTP POST Content-type: application/atom+xml
A Couple of Use Cases Use Case 1: How to do Gas and Electric in one Authorization – An Authorization – Two UsagePoints – One Gas One Electric – Different Scope Use Case 2: CISR based Authorization – Customer logs in has id for utility website – Each login has multiple electricity accounts – Each account can be multiple usage points – Customer login id becomes obfuscated {referenceId} which can be used in REST Uris of the form: /espi/1_1/resource/RetailCustomer/{referenceId}/** – Authorization enables a subcriptionID and authorizationID which is (internally) correlated to the customer and the subselection of usagepoints
Discussion on Authorization Structure Authorization enables the following URLs: /espi/1_1/resource/RetailCustomer/ /UsagePoint/... (SA == UsagePoint, CISR == subscription == authorization) with Access-token GET /espi/1_1/resource/RetailCustomer/ /UsagePoint urn:uuid:40BE6242-F7E6-4B51-828E-59B5FC0C35F0 a galaxy far, far away T04:00:00Z...
Customer Information Resource Requirements – UsagePoints of RetailCustomer – Location of premise – Account ID – Sub Account (SA) ID -- Service Agreement / Account is name depending on utility – Customer name – SDG&E provides only address and UPID correspondence csv and UsagePoint ID (Customer Obfuscated Key) – Current ESPI resources will never return PII – GET Subscription does not contain PII – Single Authorization covers entire Subscription and Authorization Scope Implementation – Resource Definition – REST service to exchange resource(s) – Function Block – Possible Scope spec
NAESB REQ.18 Extended Customer Information This data is already part of the PAP10 parent model to ESPI – REQ.18 This data is part of CIM and associated with CustomerAgreement ServiceLocation may be equal to ServiceDeliveryPoint which is no longer in CIM
Common Information Model (CIM) Customer Overview IEC and IEC 61970
UsagePoint (from espiderived.xsd) Obfuscated tariff ID Obfuscated customerAgmtID
Possible Arrangement of Data “pulling the string” RetailCustomer UsagePoint EndDeviceAsset ServiceLocation PostionPoint TariffProfile Customer Agreement Authorization ServiceSupplier Key Account Resource Existing Resource ERP Resource Normal ESPI Resources
Possible Arrangement of Data “pulling the string” RetailCustomer UsagePoint EndDeviceAsset ServiceLocation PostionPoint TariffProfile Customer Agreement Authorization ServiceSupplier Key New Resource Existing Resource Non-resource included
FB3 - Core REST Services – [TR_CR003] Verify ReadServiceStatus returns “active” status
FB31 - Core REST Services – [TR_CR001] Verify the Authorization can be retrieved using the authorizationUri (from the authorization process in FB-14 or FB-40) – [TR_CR002] Verify the Authorization resource does not contain PII by inspection – [TR_CR003] Verify ReadServiceStatus returns “active” status – [TR_CR004] Verify Batch/Subscription/{subscriptionId} returns a valid Atom feed with all UsagePoints and related data including all interval data – [TR_CR005] Verify structured URIs are of the form {DataCustodianResourceEndpoint}[/{keyterm}/{id}]* based on the structure of Green Button APIs – [TR_CR006] Verify /RetailCustomer/{retailCustomerID}/UsagePoint Returns list of UsagePoints only under the Authorization – [TR_CR007] Verify Batch/RetailCustomer/{RetailCustomerId}/UsagePoint/{UsagePointId} Returns all data under and including a single UsagePoint – [TR_CR008] Verify that resources returned by the resourceUri are valid to the schema, proper linking, and verify that the data meets the test requirements based on PICS for content and consistency
FB 13: Security Testing Cyber Security and Privacy Test Requirements – Based on Authorization.docx section 2.7 From SGIP SGCC Committee review of REQ.21 Reviewed with NIST Cyber Security staff NAESB REQ.21 section Initial set of test requirements on next slide
Initial Set of Test Requirements [TR_TC001] Test software shall issue a service request over an SSL session and shall verify that the response HTTP header contains the following fields and information – fields TBD [TR_TC002] Verify that REST request headers include – fields TBD [TR_TC003] Verify that the Data Custodian implements TLS 1.2. [TR_TC004] Verify that when communicating with a Retail Customer the Data Custodian negotiates the highest level of TLS mutually supported. [TR_TC005] Verify that when communicating with a Retail Customer the Data Custodian rejects TLS_RSA_WITH_NULL_SHA cipher suites. [TR_TC006] Verify that when communicating with a Retail Customer at a minimum the Data Custodian accepts the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite. [TR_TC007] Verify that when communicating with a Third Party the Data Custodian negotiates the highest level of TLS mutually supported. [TR_TC008] Verify that the Data Custodian maintains an unexpired unrevoked RSA certificate with a public key length of at least 2048 bits. [TR_TC009] Test software or manual inspection shall verify that the Data Custodian RSA certificate was issued by a Certificate Authority (CA) that has been successfully audited according to the criteria of ETSI or WebTrust. [TR_TC010] Test software or manual inspection shall verify that Tokens and IDs communicated by the Data Custodian are opaque and if based on actual Customer information that they are randomized using a secure method to protect privacy. [TR_TC011] Test software or manual inspection shall verify that Tokens and IDs communicated by the Data Custodian consist of at least 48 bits and can be the random number part of an RFC2422 UUID. [TR_TC012] Manual inspection of supporting documentation shall confirm that the Data Custodian implementation utilizes software libraries which are FIPS level 1 or higher and listed on the CMVP website. [TR_TC013] Verify that the Third Party implements TLS 1.1 or higher. [TR_TC014] Verify that when communicating with a Retail Customer the Third Party negotiates the highest level of TLS mutually supported. [TR_TC015] Verify that when communicating with a Data Custodian the Third Party negotiates the highest level of TLS mutually supported. [TR_TC016] Verify that the Third Party maintains an unexpired unrevoked RSA certificate with a public key length of at least 2048 bits. [TR_TC017] Test software or manual inspection shall verify that the Third Party RSA certificate was issued by a Certificate Authority (CA) that has been successfully audited according to the criteria of ETSI or WebTrust. [TR_TC018] Test software or manual inspection shall verify that Tokens and IDs communicated by the Third Party are opaque and if based on actual Customer information that they are randomized using a secure method to protect privacy. [TR_TC019] Test software or manual inspection shall verify that Tokens and IDs communicated by the Third Party consist of at least 48 bits and can be the random number part of an RFC2422 UUID. [TR_TC020] Manual inspection of supporting documentation shall confirm that the Third Party implementation utilizes software libraries which are FIPS level 1 or higher and listed on the CMVP website.
[FB_14] Authorization and Authentication (Oauth 2.0) – Verifying response to invalid authorization request (invalid access-token for resource) – Verify rejection of request missing access-token – Missing header parameters – Invalidation of access-token at end of authorization period
Function Blocks for CMD FunctionBlocks for Green Button Connect My DataDescription [FB_3] Core Green Button Connect My DataCore Services [FB_13] Security and Privacy classesHTTPS support [FB_14] Authorization and Authentication (Oauth 2.0)Oauth [FB_19] Partial update data IntervalBlocks without full data sets – e.g. just entrys containing IntervalBlocks [FB_31] Core Rest ServicesThird Party Access to Subscription/Authorization [FB_32] Resource Level RESTThird Party Access to UsagePoints, MeterReading, … and collections [FB_33] Management REST InterfacesGET PUT POST DELETE individual resources … [FB_34] SFTP for BulkOptionally support the SFTP delivery of Bulk for Bulk request [FB_35] REST for BulkSupport the REST request for Bulk [FB_36] Third Party (Client) Dynamic RegistrationUse Case 1 [FB_37] Query Parameters [FB_38] On Demand RequestsWithout Notification [FB_39] PUSH modelNotification followed by GET [FB_40] Offline RetailCustomer Authorization to Complement OAuth This is a out of band authorization process without the automated OAuth protocol exchange but producing the same artifacts. [FB_42] Third Party Core REST Services [FB_43] Third Party Management REST Services [FB_xx] Not a Function Block (Implementation Specific)Implementation Specific RESTful API [FB_44] Security and Privacy for Simple Third Party [FB_45] Security and Privacy for Certificate-based Third Party
Opaque vs Structured URIs No structure, support Opaque URIs using either HTTPS or FTPS protocols in conjunction with the espiDerived.xsd schema. Make Opaque URIs part of the CORE CMD function block.Opaque URIs espiDerived.xsdCORE CMD function block Optional support Structured URIs using either HTTPS or FTPS protocols: make Opaque URIs part of the CORE CMD function block, and structured URIs an optional Function Block in CMD Testing & Certification in conjunction with the espiDerived.xsd schemaCORE CMD function blockoptional Function BlockespiDerived.xsd Required Structure, make structured URIs a requirement but allow some variability – e.g. User versus RetailCustomer; Thus structured URIs would be part of the CORE CMD function block in CMD Testing & Certification in conjunction with the espiDerived.xsd schema.tructured URIs would be part of the CORE CMD function blockespiDerived.xsd Specific Required Structure based on espiDerived.xsd Resource Names as described in two documents: GreenButtonAtomLinks and Authorization document espiDerived.xsdGreenButtonAtomLinksAuthorization document
Changes in espiderived.xsd from espi.xsd *Enumerations: The largest volume of changes is in the explicit documentation of the many enumerations in the standard. In the standard, only a few examples from the IEC standard were provided in a comment. Values that distinguish measurements of Wh, W, VAr, VA, gas, water, etc… are tested for in DMD if corresponding FBs are indicated. *Errors of data type corrected – value, cost, and currency all had deficient data types that were recognized early on *Representation of conversion factors from UTC to Local Time: LocalTimeParameters resource was added *Missing overallConsumptionLastPeriod was added to make ElectricPowerUsageSummary rational as a record of billing period consumption Support for OAuth 2.0: the second largest volume of changes to the schemas is in support of CMD (no impact to DMD) * Differences tested for in T&C
Test Requirements for CMD Brainstorm FB31 - Core REST Services – Verify the authorization can be retrieved – Lack of PII – Ditto Batch/Subscription, Batch/RetailCustomer, and UsagePoint – Verify that resource returned is valid to schema and links are correct – Verify structured URIs – Verify all required content is present (based on PICs) – Could be FB_14 Verifying response to invalid authorization request (invalid access-token for resource) Verify rejection of request missing access-token Missing header parameters Invalidation of access-token at end of authorization period
For February 25 John Teeter raises issue of path vs opaque URIs for REST services for individual and subscription resources – Does the uri give any indication of what will be retrieved or not?
Some URIs Found In GBDMD Files URI ::= protocol://hostname:port/datacustodian/espi/1_1/resource/ resource endpoint of the server
Opaque URIs – No need to test structure – No need to recognize structure in sw Structured URIs – Easier to recognize the links – Easier to validate what you are doing by looking at them – If I have interval block, I know all the possible URIs for that UsagePoint Possible Outcomes of OpenADE Discussion? – No structure, support opaqueness – Optional Structure, make structured URIs an optional Function Block – Required Structure, make structured URIs a requirement but allow some variability – e.g. User versus RetailCustomer – Single Required Structure – defined structure based roughly on GreenButtonAtomLinks and Authorization documents
SFTP for Bulk Transfer Pertinent to the SFTP discussion are the concepts that each Third Party has a defined relationship with the Data Custodian. – For automated exchange of information about his relationship there is a special Authorization obtained in Use Case #1 (see the Authorization.docx -- erenceMaterial/GreenButtonAuthorization.docx). erenceMaterial/GreenButtonAuthorization.docx – We anticipate that when the Data Custodian has data available, it sends an asynchronous Notification to the Third Party. – This Notification provides URIs of note that it is assumed the Third Party will want to retrieve. For the purposes of Bulk transfer, this URI will be: – sftp://hostname:port/DataCustodian/espi/1_1/resource/Batch/Bulk/{bulkId} sftp://hostname:port/DataCustodian/espi/1_1/resource/Batch/Bulk/{bulkId} – where {bulkId} is a unique identifier assigned by the Data Custodian and the balance of the URI is presented in the ApplicationInformation resource that both parties share (contains all relevant URIs and data for interchange via OAuth etc…). The Third Party would then retrieve the bulk data by using an SFTP client with that URI. This is a straw man concept for discussion on the call. Its advantage is that it in harmony with overall architecture of the Green Button Connect My Data RESTful architecture and simply adds SFTP as a means of transfer when a large data set is to be returned. Used to Retrieve the data using SFTP protocols – How to initiate the SSH connection? – What is the role if any of the client_credentials authorization to control access to SFTP enabled resources? Discussion – – After authorization of TP, they use Pene test, so what is benefit of access-token? – sftp user:pw, user=, password= Summary – sftp://hostname:port/DataCustodian/espi/1_1/resource/Batch/Bulk/{bulkId} sftp://hostname:port/DataCustodian/espi/1_1/resource/Batch/Bulk/{bulkId} – sftp user:pw, user=, password=
Function Blocks for CMD FunctionBlocks for Green Button Connect My DataDescription [FB_3] Core Green Button Connect My DataCore Services [FB_13] Security and Privacy classesHTTPS support [FB_14] Authorization and Authentication (OAuth)Oauth [FB_19] Partial update dataIntervalBlocks without full data sets (Ups,MR, …) [FB_31] Core Rest ServicesThird Party Access to Subscription/Authorization [FB_32] Resource Level REST Third Party Access to UsagePoints, MeterReading, … and collections [FB_33] Management REST InterfacesGET PUT POST DELETE individual resources … [FB_34] SFTP for Bulk Optionally support the SFTP delivery of Bulk for Bulk request [FB_35] REST for BulkSupport the REST request for Bulk [FB_36] Third Party (Client) Dynamic RegistrationUse Case 1 [FB_37] Query Parameters [FB_38] On Demand RequestsWithout Notification [FB_39] PUSH modelNotification followed by GET [FB_40] Offline Authorization to Complement OAuth [FB_42] Third Party Core REST Services [FB_43] Third Party Management REST Services [FB_xx] Not a Function Block (Implementation Specific)Implementation Specific RESTful API
Authorization Sequence – Scope – access-token – Refresh-token – resourceUri (the subscription) – authorizationUri – expiration of the access-token and refresh-token – token-type
Proposed CMD Function Blocks FunctionBlocks for Green Button Connect My DataDescription [FB_3] Core Green Button Connect My DataCore Services [FB_13] Security and Privacy classesHTTPS support [FB_14] Authorization and Authentication (OAuth)Oauth [FB_19] Partial update dataIntervalBlocks without full data sets (Ups,MR, …) [FB_31] Core Rest ServicesThird Party Access to Subscription/Authorization [FB_32] Resource Level RESTThird Party Access to UsagePoints, MeterReading, … and collections [FB_33] Management REST InterfacesGET PUT POST DELETE individual resources … [FB_34] SFTP for BulkOptionally support the SFTP delivery of Bulk for Bulk request [FB_35] REST for BulkSupport the REST request for Bulk [FB_36] Third Party (Client) Dynamic RegistrationUse Case 1 [FB_37] Query Parameters [FB_38] On Demand RequestsWithout Notification [FB_39] PUSH modelNotification followed by GET [FB_40] Offline Authorization to Complement OAuth NEED to Discuss [FB_42] Third Party Core REST Services [FB_43] Third Party Management REST Services [FB_xx] Not a Function Block (Implementation Specific)Implementation Specific RESTful API
Draft of API Allocations to FBs Function BlocksCRUDAPI URL [FB_3] Core Green Button Connect My DataGEThttps://services.greenbuttondata.org/DataCustodian/espi/1_1/resource/ReadServiceStatus [FB_31] Core Rest ServicesGEThttps://services.greenbuttondata.org/DataCustodian/espi/1_1/resource/ApplicationInformation/{ApplicationInformationID} [FB_31] Core Rest ServicesPUThttps://services.greenbuttondata.org/DataCustodian/espi/1_1/resource/ApplicationInformation/{ApplicationInformationID} [FB_31] Core Rest ServicesDELETEhttps://services.greenbuttondata.org/DataCustodian/espi/1_1/resource/ApplicationInformation/{ApplicationInformationID} [FB_31] Core Rest ServicesGEThttps://services.greenbuttondata.org/DataCustodian/espi/1_1/resource/Authorization/{AuthorizationID} [FB_31] Core Rest ServicesPUThttps://services.greenbuttondata.org/DataCustodian/espi/1_1/resource/Authorization/{AuthorizationID} [FB_31] Core Rest ServicesDELETEhttps://services.greenbuttondata.org/DataCustodian/espi/1_1/resource/Authorization/{AuthorizationID} [FB_31] Core Rest ServicesGEThttps://services.greenbuttondata.org/DataCustodian/espi/1_1/resource/Batch/Subscription/{SubscriptionID} [FB_31] Core Rest ServicesGEThttps://services.greenbuttondata.org/DataCustodian/espi/1_1/resource/Batch/RetailCustomer/{retailCustomerID}/UsagePoint [FB_31] Core Rest ServicesGEThttps://services.greenbuttondata.org/DataCustodian/espi/1_1/resource/Batch/RetailCustomer/{RetailCustomerId}/UsagePoint/{UsagePointId} [FB_31] Core Rest ServicesGEThttps://services.greenbuttondata.org/DataCustodian/espi/1_1/RetailCustomer/{RetailCustomerID}/UsagePoint/{UsagePointID}/ElectricPowerQualitySummary [FB_31] Core Rest ServicesGET cPowerQualitySummaryID} [FB_31] Core Rest ServicesGEThttps://services.greenbuttondata.org/DataCustodian/espi/1_1/RetailCustomer/{RetailCustomerID}/UsagePoint/{UsagePointID}/ElectricPowerUsageSumary [FB_31] Core Rest ServicesGET owerUsageSummaryID} [FB_31] Core Rest ServicesGET ngID}/IntervalBlock [FB_31] Core Rest ServicesGET ngID}/IntervalBlock/{IntervalBlockID} [FB_31] Core Rest ServicesGEThttps://services.greenbuttondata.org/DataCustodian/espi/1_1/resource/LocalTimeParameter [FB_31] Core Rest ServicesGEThttps://services.greenbuttondata.org/DataCustodian/espi/1_1/resource/LocalTimeParameter/{LocalTimeParameterID} [FB_31] Core Rest ServicesGEThttps://services.greenbuttondata.org/DataCustodian/espi/1_1/resource/MeterReading [FB_31] Core Rest ServicesGEThttps://services.greenbuttondata.org/DataCustodian/espi/1_1/resource/MeterReading/{MeterReadingID} [FB_31] Core Rest ServicesGEThttps://services.greenbuttondata.org/DataCustodian/espi/1_1/resource/RetailCustomer/{RetailCustomerID}/UsagePoint/{UsagePointID}/MeterReading [FB_31] Core Rest ServicesGET ngID} [FB_31] Core Rest ServicesGEThttps://services.greenbuttondata.org/DataCustodian/espi/1_1/resource/ReadingType [FB_31] Core Rest ServicesGEThttps://services.greenbuttondata.org/DataCustodian/espi/1_1/resource/ReadingType/{ReadingTypeID} [FB_31] Core Rest ServicesGEThttps://services.greenbuttondata.org/DataCustodian/espi/1_1/resource/Subscription/{SubscriptionID} [FB_31] Core Rest ServicesGEThttps://services.greenbuttondata.org/DataCustodian/espi/1_1/resource/RetailCustomer/{RetailCustomerID}/UsagePoint [FB_31] Core Rest ServicesGEThttps://services.greenbuttondata.org/DataCustodian/espi/1_1/resource/RetailCustomer/{RetailCustomerID}/UsagePoint/{UsagePointID}
Scope TermExpansion Scope [ FBTerms ], [ ValueTerms ], [ ResourceTerms ]; FBTerms“FB=“, { [FBTerm], ”_”}, FBTerm, ScopeDelimiter ; FBTerm“4” | “5” | “6” | “7” | “8” | “9” | “10” | “11” | “12” | “15” | “16” | “17” | “18” | “19” | “27” | “28” | “29” ValueTerms{ ( "IntervalDuration=", nonNegativeNumber | namedFrequency), | ( "BlockDuration=", nonNegativeNumber | namedFrequency), | ( "HistoryLength=", nonNegativeNumber), | ( "SubscriptionFrequency=", nonNegativeNumber | namedFrequency), ScopeDelimiter }; ResourceTerms { (“ApplicationInformation,” | “Authorization,” | “UsagePoint,” | “IntervalBlock,” | “MeterReading,” | “ElectricPowerQualitySummary,” | “ElectricPowerUsageSummary,” | “ReadingType,” | “Subscription,” | “LocalTimeParameters,” | (“BulkAccountCollection=”, nonNegativeNumber) | “BR=”, brID), ScopeDelimiter} ScopeDelimiter“;” namedFrequency“billingPeriod” | “daily” | “monthly” | “seasonal” | “weekly” | nonNegativeNumberdigit, { digit }; digit0 | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" ; Where: ResourceTerms The ESPI resource – default is “Subscription”. If a Bulk resource is specified via the “BR” term, the value of the {bulkID} is provided after the equals sign (“=”). There could be one or more terms in this list that express the granularity of notifications about resource changes. FBTermsThe function blocks supported (only data content FBs are listed) ValueTermsThese are parameterized terms IntervalDurationThis is the minimum default length of an interval in seconds (e.g. 900 for 15 minutes, 3600 for one hour, …) BlockDuration This is the length of a block that contains the intervals (based on enumeration of MacroPeriodKind in ESPI above as namedFrequency) HistoryLength This is the length of history buffer of records in number of Interval Blocks (e.g. 12 for a year if BlockDuration is “monthly”). Note: this is what the DataCustodian offers; however, the buffer may not be full for transitional metering systems; in these cases less data will be returned until the buffer is full. BulkAccountCollection Used where the DC wants to provide for the reporting of multiple UsagePoints in a single Subscription. The number of UsagePoints is represented by the value in the assignment statement – e.g. 4 UsagePoints would be BulkAccountCollection=4.
Green Button Connect My Data Testing and Certification Complete function block descriptions – Current: [FB_3] Green Button Connect My Data [FB_13] Security and Privacy classes [FB_14] Authorization and Authentication (OAuth) [FB_19] Partial update data – New?: Core Rest Services – GET Batch/Subscription – … Resource Level REST – GET PUT POST DELETE individual resources … SFTP for Bulk REST for Bulk Use Case 1: Client Registration Query Parameters On Demand Requests (as opposed to Notification followed by GET) PUSH model Offline Authorization to Complement OAuth – should this be outside the scope of standard and testing or standardized? – No standard isolated way to get the token to a third party without OAuth – On exceptional basis some customers can’t be required to use a web account – Sometime commercial accounts don’t need privacy and want a service provider just to register the data. – Could use Notification service to tell TP about new authorizations made by DC. Out of band how RetailCustomer is identified to the TP – “transitive” model TP gets bulk data from DC and then becomes DC – can this architecture be of help here? – Possible provision by DC of access token for conveyence to thirdparty devoid of customer information. Maybe even encrypted for TP as in software activations: » “Please provide this to your TP (the text between the ====) » ============================================= » ashoiqwherfhdjnvcjq2dhijvkqnvoiikdfv » =============================================“
Questions retailCustomerID=authorization=subscription – Corresponds to a single authorization – Results in one or more usagePoints being associated with subscription – Scope= “FB=4,5,15;IntervalDuration=3600;BlockDuration=monthly;HistoryLen gth=13;BulkAccountCollection=10” Says that the BulkAccountCollection has 10 usage points Authorization provides two URIs that can be used: resourceUri GET this to retrieve usage data (all UPs) authorizationUri GET/PUT details of Authorization Notification is a list of URIs All nested resources under the UPs are accessible under the single authorization
Service Request 83 – including Function Block for optional customer info (service point address, etc.)
Service Request 84 – having scope selection screen on Data Custodian Site vs 3 rd Party site
[85] Time of Use tier indicator alignment with SEP 2.0
Here is a list of topics raised by you all that we will touch on Issues Raised and Implementation Questions – How to use BR=bulkID – relates to HD #61 – Service Request 83 – including Function Block for optional customer info (service point address, etc.) – Service Request 84 – having scope selection screen on Data Custodian Site vs 3 rd Party site – Tariff Model Resource Green Button Connect My Data Testing and Certification – Complete function block descriptions – Complete test case requirements
How to use BR=bulkID – relates to HD #61 Application Profiles – BulkID was proposed for large sets of authorizations – One account level authorization on top of service level accounts – how to do this Degrees of freedom we have now – can we cover – Subscription – 1 or more Usage Points Granularity of a customer authorization – BulkID “macro” for a large set of existing authorizations – Is there another degree needed?
Contributed by Jerry Yip Clarification/confirmation about ESPI standard: Does ‘shared resource key’ referenced in the NAESB Ratified word doc correspond to Access Token for oAuth? Yes: This is the access token in the new Oauth 2.0 paradigm. Formal Submission of Application Profile for bulk (vs. batch?) use case as part of GB/GBC Conformance Testing Plan Write up coming to test concept of BulkIDs Question: (options to address 1 Acct to many SA issue) - Does UUID correspond to usage point (1-to-1 relationship)? Is there passing of UUIDs (as resource terms in Scope section of GBAuthorization) during authorization sequence? (how would 3 rd Party know multiple usage points have been authorized via single oAuth sequence/login?) - Can multiple access tokens be issued (1 token per SA) per oAuth session? An Authorization is one access_token How does Third Party get to know the depth of data (how many Ups) are in the authorization Perhaps an extension of scope string to have numUPs? Request to consider scope selection screens at Data Custodian Portal instead of 3 rd party portal (Need customer to select SAs to share – only Data Custodian has that info) – also minimizes number of redirects (?) Customer info as optional functional block (atom feed) for authorization (sharing with 3Ps) John suggests – prep a large multi account data set and test against a reference sw implementation and measure. SFTP and Streaming, compressed and non-compressed method and compare.
=
How to use BR=bulkID with application to account and account groupings, as well as, large ThirdParty collections of Authorizations Establish Use Case Story for Commercial Accounts Design Scope String(s) that convey it Repaint the storyboard with appropriate content
Application Profile Per footnote 1, pg 20 of GBAuthorization.doc: – A “Web Customer” may actually manage more than one “Retail Customer” where “Retail Customer” is an actual “Customer Account”. Thus identifying the specific Retail Customer may be part of the scope selection on both sides. The scenarios in this section refer to the “Retail Customer” for simplicity. Suggest: new FB or Application Profile to properly capture this scenario [FB_31] Web Customer Manages Multiple Customer Accounts (OR: 3.9 Application Profile) For GBCMD, this FB/AP contains tests associated with a Web Customer accessing a Data Custodian’s Web Portal to manage multiple customer accounts. Upon log in to the Data Custodian’s Web Portal, the web customer can manage multiple customer accounts, for which each customer account can represent multiple usage points (for electricity and/or gas). This mostly impacts large agricultural and commercial customer accounts for which a single web customer can represent hundreds to thousands of individual usage points – imagine a franchise manager with multiple branch locations across a data custodian’s service territory. In this scenario, the Web Customer should have the ability to authorize, deauthorize and change scope on an individual “usage point” basis and optionally at the larger aggregated web customer or customer account basis. This includes the ability to perform one-time authorization of multiple customer accounts by a single web customer to third party, and any subsequent scope changes (whether on an aggregated or individual basis) – third party acknowledgement/communication of which customer accounts have been authorized, deauthorized or whose scope has changed needs to be determined. Notes: – Whether scope selection in this scenario should live on the 3 rd party portal vs. the Data Custodian’s portal needs to be determined as well. – Collection has one description or multiple? – What is the scope string for this use case? – Is there a need for a bulkId in this case (maybe not). – New Scope Resource Term= “BulkAccountCollection” – Scope= “FB=4,5,15;IntervalDuration=3600;BlockDuration=monthly;HistoryLength=13;BulkAccountCollection” 1/14/2014 – To allow the TP to know how many Ups are being provided, suggest Add to BulkAccountCollection a number of UsagePoints BulkAccountCollection=nnn
UsagePoint Grouping in Commercial Account Management BulkId SubscriptionId UsagePointId /web account Via gui Scope= “FB=4,5,15;IntervalDuration=3600;BlockDuration=monthly;HistoryLength=13;BulkAccountCollection”