This page has questions from implementers about specific aspects of the specification. These Q&A are to be used to come to consensus about implementation details of the spec.

Must the Consent receipt always (in the end) be in the form of JWT? Might it be in JSON form and not signed or in JSON and signed, bot not coded as JWT ... What are the possible variants the CR Viewer has to be able to read? It says in the spec that JWT (JWE and JWS are also mentioned, but these seem to be a part of JWT) should be used (not must be used).

When is the consentTimestamp field set - when generating JWT, by the server generating the JWT?

The publicKey is public part of the key used for signing the JWT? always from the PII controller?

If the onBehalf field is meant to be used by the PII Processor, is it implied, that the PII Processor will issue another CR, when he receives some PII from the controller? Or what is the flow like (probably not relevant for the functioning of the generator/viewer)?

the purposeCategory codelist has some purposes, that are not consent based - I assume that Consent receipts are meant to be used in a general way, not only for data the PII principal has consented to being used, but for other data/purpose as well?

Is it the case that when the primaryPurpose field (boolean) is TRUE (when purpose is a core purpose) - than it does not need consent (and in theory, consent cannot be revoked for that purpose)?

More of a comment: revocations of consents (although out of scope of this spec) on the part of PII Principal would have to be done on parts of consent receipt and should be impossible to do for data, that is needed, for example, for legal purposes.