From a76771e4bfecd26f3ad21ed3fb0acc440186bb6a Mon Sep 17 00:00:00 2001 From: Aaron Coburn Date: Thu, 18 Dec 2025 16:17:53 -0600 Subject: [PATCH 1/2] Consolidate privacy considerations --- lws10-core/Privacy-Considerations.html | 57 ++++++++++---------------- lws10-core/index.html | 2 +- 2 files changed, 22 insertions(+), 37 deletions(-) diff --git a/lws10-core/Privacy-Considerations.html b/lws10-core/Privacy-Considerations.html index 66bced5..ea2445c 100644 --- a/lws10-core/Privacy-Considerations.html +++ b/lws10-core/Privacy-Considerations.html @@ -1,37 +1,22 @@ -
-

Authentication Privacy

- -

- End-user credentials carry information about users. While digital signatures can protect end-user credentials against tampering, it is possible for clients or other third parties to read the values inside an unencrypted credential. -

- -

- As a result, issuers should create end-user credentials that contain only the information necessary for authentication. Avoid including sensitive attributes unless required. -

- -

- Implementations should not log the full contents of an end-user credential. If logging is necessary, tokens should be truncated or hashed. -

-
- -
-

Authorization Privacy

- -

- Minimal Disclosure: Authorization servers should issue tokens containing only information necessary for - authorization. Avoid including sensitive subject attributes unless required. -

- -

- Logging: Implementations should not log full token contents. If logging is necessary, tokens should be truncated or hashed. -

- -

- When using pseudonymous identifiers in JWTs, client applications should request a batch issuance of JWTs and each JWT should be used only one - time against the storage server. This makes it harder for a storage server to use pseudonymous identifiers to correlate requests. - This does not prevent the storage server from using other information such as similarities in JWT content or originating IP address - to correlate requests. When using pseudonymous identifiers, the authorization server should not issue the same pseudonymous identifier - more than once. -

-
+

+ Credentials carry information about users and agents. While digital signatures can protect against tampering, + it is possible for clients or third parties to read the values inside an unencrypted credential. +

+ +

+ As a result, credential issuers are encouraged to create tokens that contain only the information necessary for + authentication or authorization. Avoid including sensitive attributes unless required. +

+ +

+ In general, it is an anti-pattern to write unencrypted credential data to a log. In cases where this is necessary, + implementations can truncate or hash a credential to preserve the privacy of the credential subject. +

+ +

+ When using pseudonymous identifiers in JWTs, a storage server may still be able to correlate requests from the same agent over time. + In order to preserve user privacy in this case, a client applications can request a batch issuance of JWTs where each JWT is used only one time. + This does not prevent the storage server from using other information such as similarities in JWT content or originating IP address + to correlate requests. When using pseudonymous identifiers, the authorization server will need to be careful not to issue the same identifier more than once. +

diff --git a/lws10-core/index.html b/lws10-core/index.html index 3ca2069..1a5dd67 100644 --- a/lws10-core/index.html +++ b/lws10-core/index.html @@ -343,7 +343,7 @@

Security Considerations

-
+

Privacy Considerations

Privacy implications of the LWS Protocol, including data minimization, user consent, and privacy-preserving implementation patterns. From 620a063acfded2dfd690239cd5945a33fc5d06e1 Mon Sep 17 00:00:00 2001 From: Aaron Coburn Date: Thu, 18 Dec 2025 20:18:19 -0600 Subject: [PATCH 2/2] Apply suggestions from code review Co-authored-by: Ted Thibodeau Jr --- lws10-core/Privacy-Considerations.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lws10-core/Privacy-Considerations.html b/lws10-core/Privacy-Considerations.html index ea2445c..3103423 100644 --- a/lws10-core/Privacy-Considerations.html +++ b/lws10-core/Privacy-Considerations.html @@ -5,7 +5,7 @@

As a result, credential issuers are encouraged to create tokens that contain only the information necessary for - authentication or authorization. Avoid including sensitive attributes unless required. + authentication or authorization, and to avoid including sensitive attributes unless required.

@@ -15,7 +15,7 @@

When using pseudonymous identifiers in JWTs, a storage server may still be able to correlate requests from the same agent over time. - In order to preserve user privacy in this case, a client applications can request a batch issuance of JWTs where each JWT is used only one time. + To preserve user privacy in this case, a client application can request a batch issuance of JWTs where each JWT is used only one time. This does not prevent the storage server from using other information such as similarities in JWT content or originating IP address to correlate requests. When using pseudonymous identifiers, the authorization server will need to be careful not to issue the same identifier more than once.
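Review bot: the grammar fix in this hunk is correct, but the unchanged trailing context still says "the authorization server will need to be careful not to issue the same identifier more than once", which is a hedged rewrite of the removed "the authorization server should not issue the same pseudonymous identifier more than once"; restore "should not", since issuing a pseudonymous identifier twice defeats the unlinkability the paragraph is describing. The rewritten sentence also lost the qualifier from the removed text that each JWT is used only one time "against the storage server"; without it, "used only one time" reads as a general single-use constraint rather than the per-storage-server correlation defence the first sentence sets up.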