authcontext suggests putting sensitive data in event attributes

[sasha-tkachev]

From the authid definition

This might, for example, be a unique ID in an identity database (userID), an email of a platform user or service account, or the label for an API key.

Emails are considered as PII therefore sensitive data. May cause issues with compliance such as GDPR.

The spec says that we SHOULD NOT put sensitive data into extension attributes

I suggest removing this suggestion from the spec, or suggesting to put the hash of the email or something

[github-actions]

This issue is stale because it has been open for 30 days with no
activity. Mark as fresh by updating e.g., adding the comment /remove-lifecycle stale.

[duglin]

@inlined any thoughts on this one?

[github-actions]

This issue is stale because it has been open for 30 days with no
activity. Mark as fresh by updating e.g., adding the comment /remove-lifecycle stale.

[duglin]

@inlined any comments on this one?

[github-actions]

This issue is stale because it has been open for 30 days with no
activity. Mark as fresh by updating e.g., adding the comment /remove-lifecycle stale.