On Sep 9, 2013, at 8:10 AM, Josh Howlett <josh.howl...@ja.net> wrote:
>>>
>>> - User account credentials incorrect
>>> - User account credentials change required
>>
>> [Joe] I am concerned that these error messages reveal too much
>> information to an attacker.
>
> I agree there are risks if used inappropriately, but nonetheless there are
> reasonable uses for these (for example, switching it on temporarily when
> debugging) as these are very common error conditions. I suggest that these
> be optional to implement and use, and that we have security considerations
> text that highlights the issue. Happy to propose some text.
>

[Joe] I'm not really in favor of including things in standards that should not be used. I am concerned that this could delay the document. If you provide some sample text and no-one objects then I will include this in the document.

> Josh.
>
> Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
> not-for-profit company which is registered in England under No. 2881024
> and whose Registered Office is at Lumen House, Library Avenue,
> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
> _______________________________________________

Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu