Hi Scott,
On 20.10.22 at 21:02, Hollenbeck, Scott wrote:
On 19.10.22 at 14:13, Hollenbeck, Scott wrote:
[SAH] If the PII data you're referring to is what's included in the
userClaims, this might not be an issue if the claims aren't returned,
correct?
Correct
[SAH] Does anyone object to removing the "userClaims" object from the
"farv1_session" data structure?
[PK] IMHO it's not the best idea to remove userClaims completely.
PII claims can be useful for UX, there are also non-PII claims which can be returned, like the Specialized Claims for RDAP, which won't be possible at all if we remove userClaims.
The provisions of making userClaims optional, under the policy of the RDAP server and adding security considerations are in my eyes the right measures to address the concerns.
We also didn't complete the discussion about the web clients, where we can also minimise the risks by adding a possibility of confidential clients if necessary.
Kind regards,
Pawel
_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext