I like the guidance we are giving in this area, but we use an example to define the specific error to return.

> As an example, submitting a Signed Statement with an unsupported signature algorithm **would** return a 400 Bad Request status code and the following body:

Must it be 400 or is that a suggestion?

Originally posted by @roywill in https://github.com/ietf-wg-scitt/draft-ietf-scitt-scrapi/issues/2#issuecomment-2251099959