Subject: [OASIS Issue Tracker] (AMQP-102) Detailed descriptions for error conditions related to content
[ https://issues.oasis-open.org/browse/AMQP-102?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=65752#comment-65752 ]

Brian Raymor commented on AMQP-102:
-----------------------------------

Agreed. I’d note that WD3 is a minor revision of the original WD2 text:

For error conditions related to the content of the request, the status-code SHOULD contain 400 and a detailed description SHOULD NOT be provided in the status-description, in line with general best practice for security-related protocols.

//

I think that we need a list of potential error conditions for the “structurally sound” case besides expiration.

> Detailed descriptions for error conditions related to content
> -------------------------------------------------------------
>
> Key: AMQP-102
> URL: https://issues.oasis-open.org/browse/AMQP-102
> Project: OASIS Advanced Message Queuing Protocol (AMQP) TC
> Issue Type: Improvement
> Components: Claims Based Security
> Affects Versions: cbs-WD03
> Reporter: Clemens Vasters
> Assignee: Brian Raymor
> Priority: Minor
> Fix For: cbs-WD04
>
>
> For both put-token and delete-token
> For error conditions related to the content of the request, e.g., unsupported token type, malformed request etc., a detailed description SHOULD NOT be provided in the error field, in line with general best practice for security-related protocols.
> //
> That’s a bit harsh. I think it is worth differentiating between a totally botched request and a token that is structurally sound but isn’t valid for the scope or has expired. That doesn’t substantially lower the security bar, but does reduce support cost.

--
This message was sent by Atlassian JIRA (v6.2.2#6258)