> -----Original Message-----
> From: [email protected] <[email protected]>
> Sent: Tuesday, October 25, 2022 3:15 AM
> To: Hollenbeck, Scott <[email protected]>
> Cc: [email protected]; [email protected]
> Subject: [EXTERNAL] Re: [regext] I-D Action: draft-ietf-regext-rdap-openid-18.txt
>

[SAH] [snip]

> > [SAH] OK, if we keep the "userClaims" I probably need to add text to
> > the Security Considerations section. How about this:
> >
> > "Some of the responses described in this specification return
> > information to a client from an RDAP server that is intended to help
> > the client match responses to queries and manage sessions. Some of
> > that information, such as the "userClaims" described in Section 4.1.1,
> > can be personally identifiable and considered sensitive if disclosed
> > to unauthorized parties. An RDAP server operator SHOULD develop
> > policies for information disclosure to ensure that personally
> > identifiable information is disclosed only to clients that are
> > authorized to process that information."
>
> [ML] Sorry but, based on the last sentence, it appears to be unclear to me
> how clients are identified by the server as authorized clients, and leaving
> such an aspect unspecified purposefully could open the way to insecure
> implementations.
>
> I have two possible solutions in mind:
>
> - if it is the server that decides on its own whether a client is authorized
>   or not, I think that the client should be identified in some way. I
>   personally reject this solution due to the security implications connected
>   with clients issuing their credentials in clear as GET parameters of the
>   /farv1_login request.
>
> - otherwise, if a client is authorized by the end user, I think the text
>   should clarify that consent for disclosing claims is given explicitly by
>   the end user.
>
> Anyway, a server should manage errors due to unauthorized clients.

[SAH] OK, I agree, it shouldn't say "authorized to process that information" without addressing client authorization somewhere in the document. I prefer the latter suggestion that Mario made - noting that clients are authorized by the end user, and that consent for disclosing claims is given explicitly by the end user. Does this work?

Scott

_______________________________________________
regext mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/regext
