Hi Peter. Section 7.3.2 Publish/Subscribe describes: "Event messages could be published using Publish-Subscribe. But, even more care should be taken to log only information that can be published openly. If there's risk for sensitive information to be logged, the publish/subscribe pattern should be avoided."
If information is sensitive, the information should not be logged, as said in 7.2. Do you mean that if sensitive information is still sent using pubsub, there are more actors (pubsub server, subscribers) that might log and/or leak the sensitive information and because of that the pubsub pattern should be avoided? Would it be wise to move the second line "But, even more care should be taken to log only information that can be published openly.", e.g., to section 7.2. because it relates also to other cases than pubsub? Could the last sentence be something more like: "If there's risk for sensitive information to be logged, the publish/subscribe pattern should be avoided in systems that contain any not trusted or any uncontrolled actors." That is because we could have a setup where we have a trusted pubsub server and we log (also) sensitive information in several trusted subscribers/loggers. BR, Teemu
