[Openid-specs-risc] openid/sharedsignals: New Issue opened
github at oidf.org
Thu Aug 28 12:34:29 UTC 2025
openid/sharedsignals event
Issue opened
Issue Title: Guidelines for Adding Subjects to a Stream
https://github.com/openid/sharedsignals/issues/289
According to the SSF specification, a receiver can add any subject to a stream. This means that the receiver can obtain events for any end-user, as long as the events are listed in `events_delivered`. Doesn’t this raise security and privacy concerns? If there were a rule such as “only events related to the subject associated with the access token used when creating the stream will flow into that stream,” then things would be more straightforward, and there would be no risk of infringing on the security or privacy of other users. However, the SSF specification deliberately defines an Add Subject endpoint, allowing receivers to add arbitrary subjects to a stream. It seems that, unless significant restrictions are imposed on the operation of transmitters and receivers, security and privacy issues will arise. Are there any operational or implementation guidelines to address this?