Is missing "Privacy consideration" OK?
The draft is missing “Privacy consideration”. Do we need to add one?
Comments (5)
reporter So, perhaps:
7. Privacy Considerations
As JARM is a response mode for OAuth, all the privacy considerations towards OAuth apply. In addition, the following apply.
7.1 PII in Authorization Response
If only the code and state parameters are returned in the Authorization Response for a confidential client, since they are used only once, and code needs a client credential to be redeemed, they pose a relatively low privacy risk. However, it is possible that other extensions return PII in the Authorization Response. In such a case, encrypted JARM could be utilised to prevent uncovering of their values, lowering the privacy risk.

In the case of a public client, just leaking the code would have a greater privacy impact as it can be redeemed for an Access Token which could be exchanged with PII. In this case, encrypted JARM could be utilised to lower the risk as well.
reporter - changed status to open
Accepted in principle. Mandate to the editor given.
The last paragraph may need to be dropped.
- changed status to resolved
I think we could point out that encrypted JARM could be utilised to prevent PII in any of the response artefacts to leak.