ietf-scim-wg / draft-ietf-scim-events

Working material for the IETF SCIM Events draft

Privacy Considerations #27

Closed dhs-aws closed 7 months ago

dhs-aws commented 12 months ago

Broadly speaking, the draft does not describe privacy considerations adequately. This is reflected in my comments on the use of JWE and JWS, as well as the lack of enforcing the end-to-end encryption of data in transit. These gaps should be addressed more thoroughly in the Privacy Considerations, since clients and servers do not always know a priori whether a TLS-terminating proxy may be in use, thus impacting the decision to use JWS and/or JWE for the events to prevent tampering and disclosure of the event data.

The document states that "SCIM signals carry no personal information". I had to read and re-read this a few times to see that it refers to the events in 2.5 and not events in 2.4 which may carry personal information (e.g. example in 2.4.3). Please clarify in the language that this is specific to 2.5, assuming my reading is correct.
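The JWS-versus-JWE distinction raised in the comment above, as an added example that is not part of the issue thread or the draft: a signed-only SET lets the receiver detect modification by a TLS-terminating hop, but that hop can still read every claim. Assumptions: HS256 with a shared key (chosen so the block needs only the standard library), a placeholder event URI, and constructed claims; all function names are hypothetical.

```python
import base64, hashlib, hmac, json

EVENT_URI = "urn:example:scim:event:constructed"  # placeholder, not taken from the draft
KEY = b"constructed-demo-key"                     # assumption: shared HS256 key
SAMPLE_SET = {                                    # constructed sample claims
    "iss": "https://scim.example.com", "aud": "https://receiver.example.com",
    "jti": "constructed-jti-1", "iat": 1700000000,
    "events": {EVENT_URI: {"data": {"emails": [{"value": "alice@example.com"}]}}},
}

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_set(claims: dict, key: bytes) -> str:
    """Serialize claims as a compact JWS (RFC 7515) with an HS256 signature."""
    header = {"typ": "secevent+jwt", "alg": "HS256"}
    signing_input = ".".join(b64u(json.dumps(p).encode()) for p in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64u(sig)}"

def verify_set(token: str, key: bytes) -> dict:
    """Return the claims only if the signature verifies; raise ValueError otherwise."""
    head, payload, sig = token.split(".")
    if json.loads(b64u_dec(head)).get("alg") != "HS256":  # pin the expected algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64u_dec(sig)):
        raise ValueError("signature mismatch")
    return json.loads(b64u_dec(payload))

def is_valid(token: str, key: bytes) -> bool:
    try:
        verify_set(token, key)
        return True
    except ValueError:
        return False

def intermediary_view(token: str) -> dict:
    """Claims as seen by any hop that terminates TLS: reading a JWS needs no key."""
    return json.loads(b64u_dec(token.split(".")[1]))

def intermediary_rewrite(token: str, email: str) -> str:
    """Model an in-path change: new payload, original signature left in place."""
    head, _, sig = token.split(".")
    claims = intermediary_view(token)
    claims["events"][EVENT_URI]["data"]["emails"][0]["value"] = email
    return f"{head}.{b64u(json.dumps(claims).encode())}.{sig}"
```

The rewritten token fails `verify_set`, while `intermediary_view` returns the email address from the untouched token; keeping the claims confidential from that hop is what JWE would add on top of the signature.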

independentid commented 11 months ago

Dean,

All of your concerns in the first paragraph are addressed in JWE, JWS, JWT, and SET. I am not sure what additional things we need to say. It is not typical to repeat other specs, rather IETF references them.

Regarding the second paragraph I assume you are referring to:

By their nature, however, SCIM Signals carry no personal information and aid parties in ensuring the protection of privacy information and account security.

Agreed, that paragraph needs some attention. I think the word "additional" is missing. I think the paragraph needs another look in general.