Just giving this thread a bump in honor of the mention of sensitive things in logs in the cryptography unconference session.
I'm not partisan about any of the particular syntax examples I gave earlier, but it seems like there were two key ingredients: 1. In what is sent from the client to the server, certain parameters are marked as sensitive in ways that are obvious early at parse time, before having to look up or analyze anything. 2. But those markings are later compared to the actual declarations of things, once those are resolved. It is an error either to send as 'sensitive' a parameter that isn't so declared, or to forget to send as 'sensitive' one that is. The first error is to prevent evildoers using the facility to hide values from the logs arbitrarily in the queries they are sending. The second error is to catch mistakes during app development. It's possible that a query sent by an app under development won't have the right things marked 'sensitive' yet, and it's possible those queries get exposed in the logs because the early parse-time indication that they shouldn't be is missing. But at that stage of development, the values being sent shouldn't really be sensitive ones, and making such a query an error ensures such omissions are caught and fixed. Regards, -Chap