User agent request validation and errors

[marcoscaceres]

The prepare steps originally stated that:

In addition to protocol-defined requirements, a [=user agent=] might apply additional validation criteria based on local policy, configuration, or evolving security considerations. For example, a [=user agent=] might reject a request that (a) seeks particular credential attributes, (b) uses or requires cryptographic algorithms the [=user agent=] is configured not to accept (e.g., as part of algorithm agility or a transition to post-quantum schemes), or (c) relies on certificates or trust anchors that are not accepted by the [=user agent=]'s configured trust decisions.

It would be good to expand on these.

[timcappalli]

I think there needs to be a different error returned for cases where the user agent has decided to restrict the request vs when there's actual issues with the request from the protocol standpoint.

[marcoscaceres]

Discussed with @leecam, @jschanck, and other folks during the call today. We think this might be enough, IIUC:

In addition to protocol-defined requirements, a [=user agent=] might apply additional validation criteria based on local policy, configuration, or evolving privacy and security considerations.

[marcoscaceres]

@bc-pi, this was the User Agent TAG document I was talking about during the meeting: https://www.w3.org/TR/web-user-agents/

[marcoscaceres]

And agree about the error distinction, but they could be obscured. Like privacy: NotAllowedError, security: SecurityError, TypeError for validation, and OperationError as a catch all.