Commit

Addressed privacy changes identified by Yaron
tulshi committed Mar 29, 2024
1 parent c3daba2 commit 3553120
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion draft-ietf-oauth-transaction-tokens.md
Expand Up @@ -535,7 +535,10 @@ How requesting clients authenticate to the Transaction Token Service is out of s
Some `rctx` claims may be considered personal information in some jurisdictions
and if so their values need to be obsfucated. For example, originating IP address
(`req_ip`) is often considerd personal information and in that case must be
protected through some obsfucation method (e.g. SHA256).
protected through some obsfucation method (e.g. salted SHA256).

## Logging
Txn-Tokens SHOULD NOT be logged if they contain Personally Identifiable Information (PII). What constitutes PII depends upon the use case, but in some cases even an email address (which could be a `sub` value) can be protected PII, which should not be logged.

# IANA Considerations {#IANA}
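
Review bot: In the changed line ending "(e.g. salted SHA256)", the text does not say where the salt comes from or whether it stays secret, and that decides whether `req_ip` is actually protected: an IPv4 address has only 2^32 possible values, so a salt that travels with the token or is otherwise known lets anyone recompute the mapping by enumeration. Suggest stating that the salt is a secret held by the party doing the obfuscation, or naming a keyed hash instead, and saying whether the same address is expected to produce the same value across tokens. The same line keeps the misspelling "obsfucation" ("obsfucated" and "considerd" remain in the context lines above it), and the lowercase "must be protected" here and "should not be logged" at the end of the new Logging paragraph sit next to an uppercase "SHOULD NOT", so it is unclear which of these are meant as normative requirements.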

