Kathleen,
Thanks for the update. How would we best handle this situation, since
it's really referring to additional information that's outside the scope
of the interoperable core? Since we're not specifying what the data is,
we're not really in a position to say what the concerns are in a
concrete manner. I'm thinking a sentence or two like this in the privacy
considerations section:
If the protected resource sends additional information about the
client's request to the authorization server using an extension of
this specification, such as the client's IP address or other
information, such information could have have additional privacy
considerations.
-- Justin
On 4/19/2015 7:01 PM, Kathleen Moriarty wrote:
Hello,
Thank you for your work on draft-ietf-oauth-introspection-07. The
security considerations appear to be addressed well and I was glad to
see how a response is handled when the response code is false, to not
reveal information as to why.
The privacy considerations look good, but I do have another question
that should be addressed in the draft in regard to privacy.
Section 2.1 says an IP address (or something else) might be used to
provide context of the query, the authorization server could have
other information about the client. It would be good to mention
privacy related considerations for the client in this case in addition
to what gets returned in the Introspection Response (already covered).
Thank you.
--
Best regards,
Kathleen
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth