Editorial: Section 5.2.2.2.1. Duplicate Clause?
Are both statements required in this sentence? I’ve read both of them backwards and forwards trying to see how they could be interpreted differently.
- if returning any sensitive personally identifiable information (PII) in the ID Token in the authorization response, should sign and encrypt the ID Token;
- if not encrypting the ID Token, should not return sensitive personally identifiable information (PII) in the ID Token in the authorization response
Comments (10)
I’d suggest making it only about encryption. i.e., “if PII in ID Token in authz response, should/shall encrypt”. A statement like “if returning any sensitive personally identifiable information (PII) in the ID Token in the authorization response, should sign and encrypt the ID Token” could be read as not needing the signature if there’s no PII. But the signature is needed for other reasons. And required by other parts of FAPI and OIDC.
Brian’s proposal seems sensible. Thoughts?
“if PII in ID Token in authz response, shall encrypt” gets my vote:
“if returning any sensitive personally identifiable information (PII) in the ID Token in the authorization response, shall encrypt the ID Token”
I don’t think restating the semantics / requirements of an id_token is necessary.
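As an added illustration of the rule Brian proposed and the wording above (this is example code, not part of the issue or the FAPI specification): a small lint check an authorization server or test harness could run over an ID Token taken from an authorization response. It flags PII claims in a token that is only a JWS (three segments) rather than a JWE (five segments), and separately flags a missing signature, since the signature requirement is independent of PII. The PII claim list and the sample tokens are constructed for the example.

```python
import base64
import json

# Claims treated as sensitive PII for this check (constructed list; tune to local policy).
PII_CLAIMS = {"email", "phone_number", "address", "birthdate", "name", "given_name", "family_name"}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def check_id_token(compact: str) -> list[str]:
    """Return findings for an ID Token from an authorization response.

    Rule under discussion: PII in the ID Token in the authorization response
    requires the token to be encrypted (JWE). A signature is required regardless.
    """
    parts = compact.split(".")
    findings = []
    if len(parts) == 5:  # JWE compact serialization: PII inside is acceptable
        header = json.loads(_b64url_decode(parts[0]))
        if "enc" not in header:
            findings.append("five segments but no 'enc' in header: not a valid JWE")
        return findings  # nested JWS is checked after decryption, outside this function
    if len(parts) != 3:
        return [f"unexpected segment count {len(parts)}: neither JWS nor JWE compact form"]
    header = json.loads(_b64url_decode(parts[0]))
    if str(header.get("alg", "none")).lower() == "none":
        findings.append("ID Token is unsigned (alg=none); a signature is required independent of PII")
    claims = json.loads(_b64url_decode(parts[1]))
    pii = sorted(PII_CLAIMS & claims.keys())
    if pii:
        findings.append(f"unencrypted ID Token carries PII claims {pii}: encrypt it (JWE) or drop them")
    return findings


def build_demo_jws(claims: dict, alg: str = "PS256") -> str:
    """Constructed sample: JWS-shaped token with a placeholder third segment, NOT a real signature."""
    return ".".join([_b64url({"alg": alg, "typ": "JWT"}), _b64url(claims), "c2ln"])


if __name__ == "__main__":
    risky = build_demo_jws({"iss": "https://as.example", "sub": "24400320", "email": "alice@example.com"})
    print(check_id_token(risky))   # one finding: email claim in an unencrypted token
    print(check_id_token(build_demo_jws({"iss": "https://as.example", "sub": "24400320"})))  # []
```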
- changed status to resolved
fixes #322 - Editorial: Section 5.2.2.2.1. Duplicate Clause → <<cset 04fba975ad57>>
fixes #322 - Editorial: Section 5.2.2.2.1. Duplicate Clause → <<cset 2dc23de3dc0d>>
Merged in issue_322 (pull request #200)
fixes #322 - Editorial: Section 5.2.2.2.1. Duplicate Clause
Approved-by: Nat Sakimura
→ <<cset 09b551557e0a>>
- changed component to Part 2: Advanced
- changed component to FAPI 1 – Part 2: Advanced
- changed component to FAPI 1: Advanced
I think because they’re “should” rather than must they have slightly different meanings, but the points they’re making definitely overlap. The second one more strongly says “if you’re not going to follow the recommendation to encrypt, you should at least reduce the number of claims returned from the Authorization Endpoint”.