メインコンテンツまでスキップ

5. Security Considerations

The security considerations of RFC 8417, RFC 8935, and RFC 8936 apply. SETs can contain sensitive information, including Personally Identifiable Information (PII). SET Transmitters and SET Recipients MUST use TLS to protect SET contents in transit.

Event Receivers MUST persist events directly or indirectly before acknowledging receipt, according to local recovery needs. Access to event recovery and forwarding MUST be limited to parties needed for recovery or SET forwarding. When the Event Publisher does not communicate directly with the Event Receiver, Event Receivers MUST verify the SET originator using JWS signatures.

Large SCIM Groups and high-change resources can generate excessive payloads. It is RECOMMENDED to use SCIM PATCH, SCIM Patch Event Notice, or aggregated PATCH events rather than large SCIM PUT payloads. Asynchronous operation-result URIs MUST be protected with HTTP Authorization or another client-authentication mechanism.