Sorry for the slow response on this Kathleen, my day job has been keeping me busy recently. And, honestly, I was kind of hopeful someone would volunteer some text in the meantime. But that didn't happen so how about the following?
A JWT may contain privacy-sensitive information and, to prevent disclosure of such information to unintended parties, should only be transmitted over encrypted channels, such as TLS. In cases where it’s desirable to prevent disclosure of certain information to the client, the JWT may be encrypted to the authorization server. Deployments should determine the minimum amount of information necessary to complete the exchange and include only such claims in the JWT. In some cases the "sub" (subject) claim can be a value representing an anonymous or pseudonymous user as described in Section 6.3.1 of the Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1].

On Thu, Jul 3, 2014 at 3:26 PM, Kathleen Moriarty <kathleen.moriarty.i...@gmail.com> wrote:
>
> Hello,
>
> I just read through draft-ietf-oauth-jwt-bearer-09 and it looks good. The
> only question/comment I have is that I don't see any mention of privacy
> considerations in the referenced security sections. Could you add
> something? It is easily addressed by section 10.8 of RFC6749, but there is
> no mention of privacy considerations. I'm sure folks could generate great
> stories about who accessing what causing privacy considerations to be
> important.
>
> Thanks & have a nice weekend!
>
> --
>
> Best regards,
> Kathleen
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth