cloudevents / spec

CloudEvents Specification
https://cloudevents.io
Apache License 2.0

authcontext suggests putting sensitive data in event attributes #1251

Open sasha-tkachev opened 8 months ago

sasha-tkachev commented 8 months ago

From the authid definition:

"This might, for example, be a unique ID in an identity database (userID), an email of a platform user or service account, or the label for an API key."

Emails are considered PII and therefore sensitive data. This may cause issues with compliance, such as GDPR.

The spec says that we SHOULD NOT put sensitive data into extension attributes.

I suggest removing this suggestion from the spec, or suggesting putting the hash of the email or something.
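
The hashing option suggested in the issue above, as an added example that is not part of the original post or of the CloudEvents project's code: it uses a keyed HMAC-SHA256 rather than a plain hash, because an unkeyed hash of an email can be matched by hashing candidate addresses. The key, `source` and `type` values are constructed for illustration; `authtype` is the authcontext extension's companion attribute to `authid`.

```python
import hashlib
import hmac
import json
import uuid

# Constructed demo key (assumption): in practice it is loaded from a secret
# store and is never carried inside events.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def normalize_email(email: str) -> str:
    """Trim and lower-case so one mailbox always maps to one pseudonym."""
    return email.strip().lower()


def pseudonymous_authid(email: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the normalized email, hex encoded.

    Without the key, a party holding the event cannot confirm a guessed
    address by hashing it, which a plain unkeyed hash would allow.
    """
    if "@" not in email:
        raise ValueError("not an email address")
    msg = normalize_email(email).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_event(email: str, key: bytes) -> dict:
    """Minimal CloudEvent; source and type are hypothetical sample values."""
    return {
        "specversion": "1.0",
        "id": str(uuid.uuid4()),
        "source": "/example/orders",          # hypothetical
        "type": "com.example.order.created",  # hypothetical
        "authtype": "user",
        "authid": pseudonymous_authid(email, key),
    }


def matches(event: dict, email: str, key: bytes) -> bool:
    """Key holder's check: was this event triggered by the given principal?"""
    expected = pseudonymous_authid(email, key)
    return hmac.compare_digest(event["authid"], expected)


if __name__ == "__main__":
    print(json.dumps(build_event("Alice@Example.com ", DEMO_KEY), indent=2))
```

Only services that hold the key can correlate an `authid` with a known address; rotating the key changes every pseudonym, so correlation across a rotation needs the old key.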

github-actions[bot] commented 7 months ago

This issue is stale because it has been open for 30 days with no activity. Mark as fresh by updating e.g., adding the comment /remove-lifecycle stale.

duglin commented 7 months ago

@inlined any thoughts on this one?

github-actions[bot] commented 6 months ago

This issue is stale because it has been open for 30 days with no activity. Mark as fresh by updating e.g., adding the comment /remove-lifecycle stale.

duglin commented 5 months ago

@inlined any comments on this one?

github-actions[bot] commented 4 months ago

This issue is stale because it has been open for 30 days with no activity. Mark as fresh by updating e.g., adding the comment /remove-lifecycle stale.