On Wed, Aug 26, 2020 at 4:37 AM Torsten Lodderstedt <torsten= 40lodderstedt....@dmarc.ietf.org> wrote:
> Hi Denis,
>
> > On 25. Aug 2020, at 16:55, Denis <denis.i...@free.fr> wrote:
> >
> > The fact that the AS will know exactly when the introspection call has
> > been made and thus be able to make sure which client
> > has attempted to perform an access to that RS and at which instant of time.
> > The use of this call allows an AS to track where and when
> > its clients have indeed presented an issued access token.
>
> That is a fact. I don’t think it is an issue per se. Please explain the
> privacy implications.

As I see it, the privacy implication is that the AS knows *when* the client (and potentially the user) is accessing the RS, which is also an indication of *when* the user is using the client.

I think including this implication would be important to have in a Privacy Considerations section.

/Dick