Both of the automated interfaces currently in use (TDA and SFTP) depend on older technologies. The future DAS service should be upgraded to a more modern technology, which will simplify the implementation for offices, improve security and authentication mechanisms, and potentially allow for faster document exchange.
A new REST API is proposed to modernize the automated interfaces between offices and WIPO DAS:
- REST Web Services., OpenID Connect and asymmetric encryption for unpublished document content to secure the exchange process and content
- Please click here to download the specification in yaml
API Security
For advanced API Security, the FAPI (Financial grade API) – Part 2 standard adds an extra-layer on top of OAuth2.0 and OIDC.
- private_key_jwt, if the client sends its credentials as a JWT.
- tls_client_auth, if the client uses a CA-signed certificate for mutual TLS authentication.
- self_signed_tls_client_auth, if the client uses a self-signed certificate for mutual TLS authentication.
Access control implementation
To allow safe, secure and trustable authentication, DAS API will have to implement one of the authentication permitted by FAPI part 2. In order not to the implementation of the backend infrastructure too complex, the proposed implementation will only support the private_key_jwt authentication method. The private_key_jwt authentication is based on the asymmetric key signature of the login information, those details – login info + signature - are sent to the authorization server which returns an access token if valid. The access token can then be used to call the DAS API.
Mutual TLS authentication
The other tls_client_auth and self_signed_tls_client_auth authentication methods defined in the FAPI part 2 standard leverages mutual TLS which necessitates tailored backend servers infrastructure. They are not proposed for DAS API authentication due the non-negligible additional costs and complexity that they will generate .
The following controls must be enforced to guaranty the same level of security than the TDA VPN connection
Network access-control
Decrease the threat surface and avoid data exfiltration:
- Restrict communication between WIPO and IP Offices with white listed IP addresses
- Perform egress/ingress filtering on the approved protocols to avoid data exfiltration.
- Achieve non-disclosure countermeasure and information protection in transit by enabling TLS1.2 encryption.
API mandatory controls
Protect access to API
- API DDOS protection
- API –Threat protection
Possible setups
DAS protocol necessitates bi-directional communication between offices and WIPO, in practical terms it means that offices must also support private_key_jwt authentication. To ease integration and give freedom to office to choose, we propose two possible setups:
WIPO authorization server setup
Office will use the WIPO authorization server infrastructure for authentication:
Inbound traffic: whenever a call is received from the WIPO central DAS service the office will have to contact and verify the token against the WIPO authorization server.
Outbound traffic: office will authenticate using its client id registered in WIPO authorization server and will use the returned access_token to call the WIPO DAS API.Mutual authorization server setup
Office wants to take care of the authentication by itself consequently provides the private_key_jwt authentication.
Inbound traffic: The WIPO central DAS service will authenticate against a client id registered in the office authorization server and will use the returned access_token to call the office DAS API
Outbound traffic: office will authenticate using its client id registered in WIPO authorization server and will use the returned access_token to call the WIPO DAS API.