Privacy consideration and obfuscation aspects

[obfuscoder]

In section Privacy considerations it is mentioned that some data within the tokens may be considered PII and the example of the client IP address is given. Indeed, IP addresses are considered PII in quite a lot of jurisdictions. However, that doesn't necessarily mean that the IP address or any other PII must be obfuscated as it is stated in the current draft. I think this is depending on what is being done with the Txn-Token. You could even consider the subject identifier to be PII. It should be clear that when adding PII to the Txn-Token, the entire Txn-Token must be handled according to privacy preserving policies in respect to relevant jurisdictions.

[gffletch]

A great point. Any thoughts on how to improve the wording? Obsfucation is one option, anonymization is another. I know of some implementations that encrypt internal bits of the token so that only the workload authorized can decrypt them. I agree that how this data is handled is jurisdiction dependent.

Is something like this better?

Transaction tokens claims may be considered personal information (PI) or personally identifying information (PII) in some jurisdictions and if so their values need to be protected accordingly. For example, requester IP address (req_ip) is often considered personal information and in that case an obsfucation method (e.g. salted SHA256) may suffice to meet jurisdictional requirements.