On Thu, Aug 12, 2021 at 05:05:03PM -0600, Brian Campbell wrote:
> Indeed but this case would be only distinguishing between which of the two
> things (token & proof) the client sent was invalid. It seems like a
> reasonable amount of information to disclose that might be helpful in
> troubleshooting while not giving actionable info to would-be attackers.
It's not immediately obvious to me that making the distinction is good (but
I'm also basically devoid of the context in which this exchange will
occur).
With security protocols there can be risks from overly descriptive errors,
which might (e.g.) leak information that "this is a valid token" vs "t
On Thu, Aug 12, 2021 at 02:17:24PM -0600, Brian Campbell wrote:
> It might be worth a mention but I'm always a little hesitant about
> potentially repeating content from other specs (and maybe even getting it
> wrong!). Maybe a very brief mention along with a pointer to that section in
> RFC 7235 would be appropriate? I'm curious what other WG folk think about
> this tho