Security Guidelines

You will access Canada Post services securely through TLS 1.1 or greater using a digital certificate. To ensure communications remain secure, familiarize yourself with the following aspects of digital certificate validation.

Digital Certificate

A digital certificate is a part of a public key infrastructure (PKI). PKI is a system of digital certificates, certificate authorities, and other registration authorities that verify and authenticate—through the use of public key cryptography—the legitimacy of all participants in an electronic transaction. A certificate authority (CA) issues the certificates. Each contains information such as subject, validity dates, issuer, and a public key.

Chain of Trust and Certificate Authorities

Digital certificates are verified using a chain of trust in a certificate hierarchy. In this hierarchy, each certificate is linked to the Certificate Authority above it in the hierarchy. This process repeats until the certificate of the root CA is reached. The root CA is the trust anchor for
the chain.

Avoid Pinning

Pinning is when you decided to ignore the chain of trust and only accept a specific certificate for Canada Post, thus “pinning” your trust on said certificate.

Though the practice may provide a sense of security, it introduces a tight coupling to Canada Post’s certificate at a particular point in time. As Canada Post regularly updates its certificate for various reasons, if a customer has pinned their certificate a service disruption in unavoidable when Canada Post publishes a new certificate.

The use of SSL pinning is strongly discouraged and will result in service disruptions upon every certificate update. It is strongly recommended to allow appropriate certificate chain validation to occur at runtime.

Please remove SSL pinning from your application if possible.

Certificate Validity

Every certificate is valid only for the time specified in the validity period. During authentication, this validity period is verified.

Certificate Revocation List

A certificate authority can revoke a certificate for one of many reasons, such as a compromise of the certificate’s private key. When a certificate is revoked, any chains under the revoked certificate in the hierarchy are invalidated and are not trusted during authentication. Revoked certificates are published by the issuer in a certificate revocation list.

Securing Your Application

Most application frameworks such as Java or .NET perform certificate validity and revocation checks by default. It is important to ensure that your application does not disable these checks. It is also important that the entire chain of trust is validated. In this way, spoofing and man-in-the-middle attacks can be mitigated.

Access through Firewall

If firewall access control is used on your end to limit access to external sites you might have trouble accessing the web service endpoint as our endpoint does not have a fixed IP address.

We recommend that you use name-based whitelisting (whitelist soa-gw.canadapost.ca and ct.soa-gw.canadapost.ca instead of IP addresses) on your firewall; and if your firewall does not support name-based whitelisting then route the requests through a proxy and apply the name-based whitelisting at the proxy.