Hello,

I noticed an incorrect HTTP Response Status code being returned on the specification definition pages of Contract Negotiation and Transfer Process. The specifications define a return code 404 (Not Found) in case of Unauthorized Access. I am curious as to why this code was chosen instead of the widely known and used 401 (Unauthorized Access)?

Here are the snippets where I found the use of 404.

ids-specification/negotiation/contract.negotiation.binding.https.md, lines 80 to 82 in 3696060:

> If the client is not authorized, the [Consumer](../model/terminology.md#consumer) or [Provider](../model/terminology.md#provider) must return an HTTP 404 (Not Found) response.

ids-specification/transfer/transfer.process.binding.https.md, lines 45 to 47 in 3696060:

> If the client is not authorized, the [Consumer](../model/terminology.md#consumer) or [Provider](../model/terminology.md#provider) must return an HTTP 404 (Not Found) response.

Thanks in advance!
We discussed that in the group some weeks ago. For security reasons, it is common practice to return a 404 instead of a 401 or 403 to avoid drawing conclusions about the existence or non-existence of a resource (negotiation, transfer).
Thanks for the response. I believe however 404 is being misused here, since it is designed to specifically indicate that an endpoint does not exist. In this scenario, a more generic code (400 - Bad Request) should be returned whenever a certain criterion is not fulfilled in order to maintain the security level.
Nevertheless, since the IDSA is working outside the defined HTTP standard codes here, it would be helpful to mention in the documentation that the standard is not being followed.
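The two response policies under discussion, modelled as an added illustration that is not part of this issue or of the ids-specification code: one handler answers "not authorized" with a different code than "does not exist", the other collapses both into a single code, as the specification does with 404. The hiding code is a parameter, so the same check shows that the property the first reply describes holds for 404 and for the 400 proposed in the follow-up alike. The negotiation ids, participant names and the `hidden_status` parameter are constructed for the example.

```python
"""Model of 'distinct' vs 'uniform' status codes for a lookup that an
unauthorized participant performs against negotiation/transfer resources.
Constructed sample data and function names; not the specification's code.
"""
from typing import Callable, Dict, Iterable, Set

# Constructed registry: resource id -> participant that owns it.
NEGOTIATIONS: Dict[str, str] = {
    "neg-1": "consumer-A",
    "neg-2": "consumer-B",
}


def leaky_status(principal: str, negotiation_id: str) -> int:
    """Distinct codes for 'missing' (404) and 'exists but not yours' (403).

    A caller who owns nothing can still learn which ids exist, because the
    two failure cases are distinguishable by status code alone.
    """
    owner = NEGOTIATIONS.get(negotiation_id)
    if owner is None:
        return 404
    if owner != principal:
        return 403
    return 200


def uniform_status(principal: str, negotiation_id: str,
                   hidden_status: int = 404) -> int:
    """One code for both failure cases, as the binding does with 404.

    `hidden_status` is an assumption of this example: 404 reproduces the
    specification text, 400 reproduces the follow-up's proposal. Either
    hides existence as long as both cases map to the same code.
    """
    owner = NEGOTIATIONS.get(negotiation_id)
    if owner is None or owner != principal:
        return hidden_status
    return 200


def inferred_existing(policy: Callable[[str, str], int],
                      principal: str, candidate_ids: Iterable[str]) -> Set[str]:
    """Ids an unauthorized caller could conclude exist from status codes.

    The caller has no reference for 'this id exists' beyond comparing
    answers, so an id is inferred to exist only when its status differs
    from the status returned for an id that certainly does not exist.
    """
    baseline = policy(principal, "id-that-does-not-exist")
    return {cid for cid in candidate_ids if policy(principal, cid) != baseline}


def leaks_existence(policy: Callable[[str, str], int]) -> bool:
    """True if an outsider (owns nothing) can recover any existing id."""
    probe = list(NEGOTIATIONS) + ["neg-3", "neg-4"]
    return bool(inferred_existing(policy, "outsider", probe))


if __name__ == "__main__":
    print("leaky policy leaks existence:  ", leaks_existence(leaky_status))
    print("uniform policy leaks existence:", leaks_existence(uniform_status))
```

Running the module prints `True` for the distinct-code handler and `False` for the uniform one; the same holds with `hidden_status=400`, which is the point of the reply: what protects against resource enumeration is that the unauthorized and nonexistent cases are indistinguishable, not which single code is chosen for both.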