On 18. Dec 2024, at 00:49, Christian Amsüss <[email protected]> wrote:
>
> treated as sensitive henceforth

One other problem is that just marking information as “sensitive”, with no further information, indicates you cannot do anything at all with it, so you might as well simply discard it.

You need to have the information somewhere about what you are supposed to be able (term of art: authorized) to do with the data. (I would pose this as a disclosure that comes with authorization information attached or derivable from context.) In the general case, you also will need to handle changes to (such as revocations of) this authorization, which makes this information dynamic.

A simple bit (expressed by the mere presence of a tag) is not that useful.

Regards, Carsten

_______________________________________________
COSE mailing list -- [email protected]
To unsubscribe send an email to [email protected]
