
amqp message



Subject: [OASIS Issue Tracker] (AMQP-102) Detailed descriptions for error conditions related to content


    [ https://issues.oasis-open.org/browse/AMQP-102?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=65752#comment-65752 ] 

Brian Raymor commented on AMQP-102:
-----------------------------------

Agreed. I’d note that WD3 is a minor revision of the original WD2 text:

For error conditions related to the content of the request, the status-code SHOULD contain 400 and a detailed description SHOULD NOT be provided in the status-description, in line with general best practice for security-related protocols.

//

I think that we need a list of potential error conditions for the “structurally sound” case besides expiration. 


> Detailed descriptions for error conditions related to content
> -------------------------------------------------------------
>
>                 Key: AMQP-102
>                 URL: https://issues.oasis-open.org/browse/AMQP-102
>             Project: OASIS Advanced Message Queuing Protocol (AMQP) TC
>          Issue Type: Improvement
>          Components: Claims Based Security
>    Affects Versions: cbs-WD03
>            Reporter: Clemens Vasters
>            Assignee: Brian Raymor
>            Priority: Minor
>             Fix For: cbs-WD04
>
>
> For both put-token and delete-token
> For error conditions related to the content of the request, e.g., unsupported token type, malformed request etc., a detailed description SHOULD NOT be provided in the error field, in line with general best practice for security-related protocols.
> //
> That’s a bit harsh. I think it is worth differentiating between a totally botched request and a token that is structurally sound but isn’t valid for the scope or has expired. That doesn’t substantially lower the security bar, but does reduce support cost.



--
This message was sent by Atlassian JIRA
(v6.2.2#6258)

