I am recently testing the JSON-API. When I use a wrong Ledger ID in the JWT, the error message contains the correct Ledger ID. Is there a way to turn it off? It is a concern in security. Here is a sample
"Endpoints.ParticipantServerError: NOT_FOUND: LEDGER_ID_MISMATCH(11,0): Ledger ID 'MyLedger' not found. Actual Ledger ID is 'participant1'."
You will also get this error if you communicate directly over gRPC; JSON API is passing through.
Someone else can fill in the blanks here, but I believe this is not a problem because knowing the ledger ID does not mean you can craft a replacement JWT token (in a context where they are actually validated) that updates the ledger ID field. i.e. the ledger ID is never considered secret.
While I agree having the LedgerID doesn’t mean that one can break into the system, from security perspective, less information being disclosed is always better than more. Rather I’m thinking what the purpose is when telling the external world of the true LedgerID, provided that only the system owner will and should have interests in this.
Just my 2 cents.
The purpose with which the ledger identifier came about was not security but to act as a failsafe mechanism to prevent people from talking to a production ledger when they were in fact talking to a staging ledger. This explains why the error message includes the actual ledger identifier as part of the message.