Hi,

My last comment (https://externals.io/message/130290#130377) was not addressed, and I still have two major issues with the RFC as is:

- It is clearly aiming for a default of 1 and unreasonably expects all codebases to be (meticulously) updated with the SensitiveParameter attribute - that is "opt-in security" and not secure by default
- While a "risk of untagged PII in logs" is mentioned, it is done so with language that severely downplays the issue

Given these, and that the word "security" isn't even mentioned in the RFC, I don't believe that the security impact is taken seriously at all.

Cheers,
Andrey.
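The mechanism behind the "untagged PII in logs" concern, as an added example that is not part of the message above or of the RFC: a function argument is recorded in the exception trace unless the parameter carries `#[\SensitiveParameter]`, so any logger that serialises traces will capture it. The function and parameter names below are made up for the illustration, and the run assumes the engine's built-in behaviour of recording arguments in traces (it is the ini setting `zend.exception_ignore_args` that controls this; when that setting is on, no `args` key is present at all).

```php
<?php
// Added example (not from the original thread): shows how a parameter value
// ends up in an exception trace unless the parameter is tagged.

// Hypothetical login helper with an untagged password parameter.
function loginPlain(string $user, string $password): void
{
    throw new RuntimeException('auth backend unavailable');
}

// Same helper, with the password parameter tagged as sensitive (PHP >= 8.2).
function loginTagged(string $user, #[\SensitiveParameter] string $password): void
{
    throw new RuntimeException('auth backend unavailable');
}

// Calls the given login function with constructed sample credentials and
// returns the argument list recorded for its trace frame, i.e. what a logger
// would see when it serialises the exception.
function traceArgs(callable $fn): array
{
    try {
        $fn('alice', 'hunter2'); // constructed sample input
    } catch (RuntimeException $e) {
        // Frame 0 is the function that threw; 'args' is absent when
        // zend.exception_ignore_args is enabled, hence the fallback.
        return $e->getTrace()[0]['args'] ?? [];
    }
    return [];
}

$plain = traceArgs('loginPlain');
$tagged = traceArgs('loginTagged');

// Untagged: the literal password string is in the trace.
var_dump($plain[1] ?? null);

// Tagged: the value is replaced by a SensitiveParameterValue wrapper, so a
// logger that dumps the trace does not see the secret.
var_dump(($tagged[1] ?? null) instanceof SensitiveParameterValue);
```

The point the example makes about defaults: the untagged variant leaks with no code change by the author, while the tagged variant requires every function that ever handles a secret to have been found and annotated. Setting `zend.exception_ignore_args` on, or tagging the parameter, is the mitigation; checking for the `args` key being absent or being a `SensitiveParameterValue` is how a log pipeline can verify which state it is in.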
