> This is absolutely something that needs to be mentioned in the
> security & privacy considerations.
>
> My worry is that by leading with an example of account numbers in the
> request URL, we're sending the wrong message.
>
> I do see the value in rich authorization requests with no PII like
> George described, so I would be happy if:
>
> * the example in this draft of the GET request was an example with no PII
> * there was an additional example using PAR that includes the full
>   bank account transfer in the current draft
Hi Aaron,

I fully agree with you. The examples need to be reworked.

Please note: the privacy considerations section (https://tools.ietf.org/html/draft-lodderstedt-oauth-rar-02#section-6) already contains text regarding protection of PII. Does this address your concerns?

best regards,
Torsten.

PS: sorry for not reacting swiftly to your posts, my e-mail provider's spam filter has swallowed the whole thread :-(
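The two example shapes Aaron asks for, side by side, as an added illustration that is not part of the thread or of the RAR/PAR drafts: a plain front-channel GET whose `authorization_details` carries no PII, and a payment-initiation request with an IBAN and creditor name that is pushed to a PAR endpoint so that only an opaque `request_uri` reaches the browser. The authorization server URLs, the toy `PushedAuthorizationEndpoint` class, the `authorization_details` field names and the sample IBAN are all constructed for this example.

```python
import json
import secrets
from urllib.parse import urlencode, urlsplit, unquote

# Assumed endpoints of a hypothetical authorization server.
AUTHZ_ENDPOINT = "https://as.example.com/authorize"
PAR_ENDPOINT = "https://as.example.com/as/par"  # documented only; no network call below

# Constructed authorization_details without PII: a read-only account listing.
DETAILS_NO_PII = [{
    "type": "account_information",
    "actions": ["list_accounts", "read_balances"],
    "locations": ["https://api.bank.example.com/accounts"],
}]

# Constructed payment initiation carrying PII (IBAN, creditor name); sample values only.
DETAILS_WITH_PII = [{
    "type": "payment_initiation",
    "actions": ["initiate", "status", "cancel"],
    "locations": ["https://api.bank.example.com/payments"],
    "instructedAmount": {"currency": "EUR", "amount": "123.50"},
    "creditorName": "Merchant123",
    "creditorAccount": {"iban": "DE02100100109307118603"},
}]


def build_params(client_id, redirect_uri, details):
    """Core authorization request parameters; authorization_details is serialized JSON."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "authorization_details": json.dumps(details, separators=(",", ":")),
    }


def front_channel_url(client_id, redirect_uri, details):
    """Plain RAR: everything, including authorization_details, goes into the GET query string."""
    return f"{AUTHZ_ENDPOINT}?{urlencode(build_params(client_id, redirect_uri, details))}"


class PushedAuthorizationEndpoint:
    """Toy stand-in for the AS side of PAR: store the pushed request, return an opaque request_uri."""

    def __init__(self):
        self._store = {}

    def push(self, client_id, params):
        # In a real deployment this is an authenticated back-channel POST to PAR_ENDPOINT over TLS.
        request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(16)
        self._store[request_uri] = {"client_id": client_id, "params": params}
        return {"request_uri": request_uri, "expires_in": 90}

    def resolve(self, request_uri, client_id):
        # Single use and bound to the pushing client; anything else is rejected.
        entry = self._store.pop(request_uri, None)
        if entry is None or entry["client_id"] != client_id:
            return None
        return entry["params"]


def par_flow(par, client_id, redirect_uri, details):
    """PAR: push the full request, then send the browser only client_id and request_uri."""
    resp = par.push(client_id, build_params(client_id, redirect_uri, details))
    query = urlencode({"client_id": client_id, "request_uri": resp["request_uri"]})
    return f"{AUTHZ_ENDPOINT}?{query}", resp["request_uri"]


def url_leaks(url, *needles):
    """True if any needle appears in the decoded query string, i.e. in what ends up in
    browser history, Referer headers and web server logs."""
    query = unquote(urlsplit(url).query)
    return any(n in query for n in needles)


if __name__ == "__main__":
    client, cb = "tpp-client", "https://client.example/cb"
    print(front_channel_url(client, cb, DETAILS_NO_PII))
    url, uri = par_flow(PushedAuthorizationEndpoint(), client, cb, DETAILS_WITH_PII)
    print(url)
    print("IBAN in browser URL:", url_leaks(url, "DE02100100109307118603"))
```

The `url_leaks` check is the property the thread is arguing about: for the pushed flow it must be false even though the stored request still contains the full transfer, which the AS retrieves by `request_uri` and then discards so the URI cannot be replayed.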
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth