Specify logic regarding Clear-Site-Data.

Question

Specify logic regarding Clear-Site-Data.

dvorak42 opened this issue a year ago · 2 comments

Answer 1 · 2024-01-16T05:39:49.000Z

Will PST have a functionality similar to Sec-Trust-Token-Clear-Data in Trust tokens?
I don't see any such functionality in the PST API. If not, is there a way for issuer to clear tokens for a client?

Answer 2 · 2024-01-16T15:28:34.000Z

For Sec-Trust-Token-Clear-Data, we ended up removing it as part of #130 due to some of the potential attacks/privacy challenges with the feature and the fact that a malicious actor could just ignore the Clear-Data header, which makes it difficult to provide any guarantees on how it is used in the ecosystem. Issuers are encouraged to issue smaller batches of tokens .

This issue is for the Clear-Site-Data behavior when the user/client deletes all site data from a site (which for an issuer would delete the tokens/records stored there).