SID-AUDIT-02 — Privacy-Preserving Audit Event Taxonomy
| Property | Value |
|---|---|
| Owner | platform |
| Category | technical |
| CSF Function | detect |
| Group | Audit and Monitoring Controls |
Description
Standardized audit event types emitted by backend services using structured fields that never include PII, credential content, VP tokens, or user-identifying data. Event categories: trust decisions (issuer_trust_evaluated, verifier_trust_evaluated), session lifecycle (session_created, session_destroyed), operational errors (error_occurred with error_code, not details), and credential format metadata (credential_format_accepted — format only, no content). Client-side encrypted privateData provides the user's own audit trail for credential and presentation history. Backend must NOT log: credential IDs, presentation content, user email/name, full query strings, OAuth tokens, redirect URI parameters, or IP addresses without anonymization. Includes fix for registry query string logging privacy violation.
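The following Go program is an added illustration of this control, not code from go-wallet-backend or any other referenced component. It encodes the six event types above as a per-event field allowlist, refuses any field outside it (so "details", presentation content or a raw email cannot be attached to an event by accident), truncates client addresses before they are stored, and shows the registry-style request logging helper that keeps only the path and query parameter names. The field names, the token/PII heuristics and the helper names are assumptions for the example; the control fixes only the event names and the forbidden data classes.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"net/url"
	"regexp"
	"slices"
	"strings"
)

// allowedFields: the only fields each taxonomy event may carry (event names from the control, field names assumed).
var allowedFields = map[string][]string{
	"issuer_trust_evaluated":     {"trust_result", "trust_list_version"},
	"verifier_trust_evaluated":   {"trust_result", "trust_list_version"},
	"session_created":            {"session_kind", "client_ip"},
	"session_destroyed":          {"session_kind", "reason"},
	"error_occurred":             {"error_code", "component"}, // code only, no details
	"credential_format_accepted": {"credential_format"},      // format only, no content
}

var (
	ErrUnknownEvent    = errors.New("unknown audit event type")
	ErrFieldNotAllowed = errors.New("field not in allowlist for event")
	ErrSensitiveValue  = errors.New("value looks like a token or PII")
	// Defense-in-depth heuristics; the allowlist above is the primary control.
	jwtLike   = regexp.MustCompile(`^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$`)
	emailLike = regexp.MustCompile(`^[^@\s]+@[^@\s]+\.[^@\s]+$`)
)

// AuditEvent is the structured record a backend service emits as one log line.
type AuditEvent struct {
	Type   string            `json:"event"`
	Fields map[string]string `json:"fields"`
}

// AnonymizeIP truncates an address to its /24 (IPv4) or /48 (IPv6) prefix before it is recorded.
func AnonymizeIP(s string) (string, error) {
	ip := net.ParseIP(s)
	if ip == nil {
		return "", fmt.Errorf("invalid IP address %q", s)
	}
	if v4 := ip.To4(); v4 != nil {
		return v4.Mask(net.CIDRMask(24, 32)).String() + "/24", nil
	}
	return ip.Mask(net.CIDRMask(48, 128)).String() + "/48", nil
}

// NewAuditEvent builds an event, rejecting unknown types, non-allowlisted fields and values that look like tokens or identities.
func NewAuditEvent(eventType string, fields map[string]string) (AuditEvent, error) {
	allowed, known := allowedFields[eventType]
	if !known {
		return AuditEvent{}, fmt.Errorf("%w: %q", ErrUnknownEvent, eventType)
	}
	out := make(map[string]string, len(fields))
	for k, v := range fields {
		var err error
		switch {
		case !slices.Contains(allowed, k):
			err = fmt.Errorf("%w: %q on %s", ErrFieldNotAllowed, k, eventType)
		case k == "client_ip": // never store the raw address
			v, err = AnonymizeIP(v)
		case jwtLike.MatchString(v) || emailLike.MatchString(v) || strings.HasPrefix(strings.ToLower(v), "bearer "):
			err = fmt.Errorf("%w: field %q on %s", ErrSensitiveValue, k, eventType)
		}
		if err != nil {
			return AuditEvent{}, err
		}
		out[k] = v
	}
	return AuditEvent{Type: eventType, Fields: out}, nil
}

// JSON renders the event; encoding/json sorts map keys, so the line is stable.
func (e AuditEvent) JSON() string {
	b, _ := json.Marshal(e)
	return string(b)
}

// LoggableRequestTarget keeps only the path and query parameter names, so redirect_uri values, tokens and state never reach the log.
func LoggableRequestTarget(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	var names []string
	for name := range u.Query() {
		names = append(names, name)
	}
	slices.Sort(names)
	// With no parameters the trailing "?" is dropped and only the path remains.
	return strings.TrimSuffix(u.Path+"?"+strings.Join(names, ","), "?"), nil
}

func main() { // stand-alone demo on a constructed sample event
	ev, _ := NewAuditEvent("session_created", map[string]string{"session_kind": "oid4vp", "client_ip": "203.0.113.77"})
	fmt.Println(ev.JSON())
}
```

The allowlist is deliberately the first check in the switch: a service that tries to log a new field has to add it to the taxonomy, which is where a reviewer can ask whether it is PII. The regex and "Bearer" checks only catch the obvious cases (compact JWS/VP tokens, email addresses, authorization header values) and are there to fail loudly during development, not to sanitise free text; anything that needs a free-text field such as an error message belongs behind an error_code, as the control requires.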
Components
Source References
go-wallet-backend/internal/engine/oid4vci.go
go-wallet-backend/internal/engine/oid4vp.go
facetec-api/internal/apiv1/client.go
wallet-frontend/src/services/WalletStateSchema.ts
Framework Requirements
FitCEM Wallet Instance: FIT-DS-03