
Security and encryption considerations #12

Closed
remitly-srivatsa opened this issue Jul 11, 2019 · 2 comments

Comments

@remitly-srivatsa

remitly-srivatsa commented Jul 11, 2019

The human-readable requirement in this spec introduces security, privacy (PII etc.) considerations that should be called out.

For example, JWT provides an approach to communicate JSON-based payload data usually via HTTP headers. And it also provides additional optional benefits such as signatures and encryption. Also, ID Token is a means of encapsulating user identity in JWT Tokens.

Some information conveyed through contexts may either be sensitive or may be susceptible to tampering. It would be great to either:

  • add signature/encryption as standard offerings when conveying correlation context
  • and/or provide guidance on how to deal with security or encryption (for example, values could be JWT tokens)
  • and/or call it as out of scope for this specification
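One way to see what the "values could be JWT tokens" suggestion above buys a receiver, as an added example that is not part of the original issue or of the spec: a correlation-context value is carried as a compact HS256 JWS, so a downstream service can tell whether the value was altered in transit, whether it was signed with the expected key, and whether it has expired. The shared key, claim names and the `ctx=` header layout are constructed for illustration; only the standard library is used.

```python
"""Sign a correlation-context value as a compact JWS (HS256) and verify it on
receipt.  Added example; not code from the issue or the spec it discusses."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret for the example only.
SHARED_KEY = b"example-shared-key-not-for-production"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores padding before decoding."""
    return base64.urlsafe_b64decode((text + "=" * (-len(text) % 4)).encode("ascii"))


def sign_context(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Produce header.payload.signature for the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()),
    ]
    signing_input = ".".join(segments).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [_b64url(sig)])


def verify_context(token: str, key: bytes = SHARED_KEY) -> Optional[dict]:
    """Return the claims if the token is well-formed, signed with `key` and not
    expired; otherwise None.  The alg is pinned so a token advertising a
    different algorithm (or "none") is rejected before any signature check."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # bad base64, bad JSON, wrong segment count
        return None
    if not isinstance(claims, dict):
        return None
    if "exp" in claims and claims["exp"] < time.time():
        return None
    return claims


def build_header(claims: dict) -> str:
    """Constructed carrier format: a single 'ctx=<jws>' entry in a
    comma-separated key=value header, mirroring a baggage-style header."""
    return "ctx=" + sign_context(claims)


def read_header(value: str) -> Optional[dict]:
    """Pull the 'ctx' entry out of the constructed header and verify it."""
    for entry in value.split(","):
        k, _, v = entry.strip().partition("=")
        if k == "ctx":
            return verify_context(v)
    return None


def tamper_payload(token: str, new_claims: dict) -> str:
    """Replace the payload segment while keeping the original signature, the
    way an intermediary editing a plain-text value would."""
    h, _, s = token.split(".")
    return ".".join([h, _b64url(json.dumps(new_claims, separators=(",", ":")).encode()), s])


if __name__ == "__main__":
    hdr = build_header({"tenant": "acme", "user": "u123"})
    print("header:", hdr)
    print("verified:", read_header(hdr))
    forged = "ctx=" + tamper_payload(hdr[len("ctx="):], {"tenant": "acme", "user": "admin"})
    print("tampered accepted?", read_header(forged) is not None)
```

This gives integrity only; confidentiality of a value would need encryption (JWE) on top. Note also that HS256 is a shared-secret scheme: every service that verifies must hold the same key, so a compromise of any one of them lets an attacker mint values. An asymmetric algorithm (for example RS256 or ES256) lets only the issuer sign while receivers hold just the public key, which is usually the better fit for context propagated across many services.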
@yurishkuro
Member

yurishkuro commented Jul 11, 2019

+1 to call it as out of scope. Not because this question is not important, but because this whole paradigm of passing application-specific data as baggage in all the requests is a pretty new concept, and I feel it's premature to be locking down how values must be interpreted or represented.

@danielkhan
Contributor

We will provide PII/privacy/security wording to the spec but won't enforce a specific mechanism within the header.
