diff --git a/spec/VISSv2_Core.html b/spec/VISSv2_Core.html index 6dbfebf..e63233e 100644 --- a/spec/VISSv2_Core.html +++ b/spec/VISSv2_Core.html @@ -1738,9 +1738,7 @@

Consent support

Consent architecture.
The ECF is responsible for the lifetime management of the consent status for all data that is managed by the server, which may involve initialization, - expiry update, event based update, consent status removal. - The consent status that the ECF provides to the server is associated with an expiry time, which when reached leads to that the status shall be treated as NOT_SET, - which must be enforced by the server.
+ event based update, consent status removal.
The consent status can be set to any of the following values:
- Regardless of the value of the consent status, if the associated expiry time is exceeded, the server shall treat the consent status as if it had the value NOT_SET. It shall be possible for the ECF to cancel a valid consent, which shall lead to the consent status being set to NOT_SET. - Any consequences to the data provided to the client prior to the cancelling is out of scope. - The expiry time shall have the timestamp format defined in chapter 5.3 Timestamps.
+ Any consequences to the data provided to the client prior to the cancelling is out of scope.
In the case of a client request requiring a consent for data to be returned, it is the responsibility of the access token server to obtain it from the ECF during the dialogue with a client requesting an access token. This is done by issuing a request to the ECF which shall contain the following information: @@ -1764,10 +1760,10 @@

Consent support

The response from the ECF shall contain: If the received consent status is set to NO or NOT_SET, then the access token server must not provide a valid access token to the requesting client. - The server must store the consent status that it receives from the ECF, together with the data from the request, for the duration set by the expiry time.
+ The server must store the consent status that it receives from the ECF, together with the data from the request for the duration of the associated service, + or until a consent cancellation is received.
Whether a server shall take action to obtain a consent or not shall be signalled in the VSS tree. This is done by tagging appropriate nodes in the VSS tree extending the model used for access control selection. The key-value pair used for tagging of access control is suffixed with "+consent" as shown in the example below: @@ -1785,12 +1781,9 @@

External Consent Framework Interface

The request shall contain the data from the list in the previous chapter. - The response shall contain the following data: - - This communication shall be carried out using a secure channel (e.g. TLS). + The response shall contain the data shown in the table above. + + This communication shall be carried out using a secure channel (e.g. TLS).