Re: Reviving discussion on error code 451

On Thu, Dec 18, 2014 at 3:09 AM, Stefan Eissing <
stefan.eissing@greenbytes.de> wrote:

> Proposal:
> -------------------------------------------------------------------
>  451 Unavailable For Legal Reasons
>
>   The 451 (Unavailable For Legal Reasons) status code indicates that
>   the server understood the request but is unable to fulfill it due
>   to legal reasons.


Whatever the merits of the rest of Stefan’s proposal, the sentence proposed
above won’t work; here’s why: I am not a lawyer, but earlier in the life of
the document, I did consult a lawyer, on the staff of A Former Employer,
who pointed out that phrases like “unable to fulfill it due to legal
reasons” are inappropriate because they suggest that the service provider
is in agreement that the claim being asserted has legal validity.  This is
something that nobody with good legal advice is going to do.  Thus the
current language, “denied as a consequence of legal demands”, and “for use
when a server operator has received a legal demand to deny access to a
resource”.  It carefully doesn’t say anything about whether the demand is
legally justified; just that there has been a demand, and the provider has
decided to deny access.

As for the rest of Stefan’s proposal…

>   If authentication credentials were provided in the request, the
>   server considers them insufficient to overcome the legal restrictions.
>   The client SHOULD NOT automatically repeat the request with the same
>   credentials. The client MAY repeat the request with new or different
>   credentials. However, a target resource might be legally restricted
>   for reasons unrelated to the credentials.

Meh. Not opposed, but does this really add any value? The vast majority
of real-world cases are plain old unauthenticated GET requests.

>   An origin server that wishes to "hide" the current existence of
>   such a target resource (and the fact that it was legally restricted
>   to serve it) MAY instead respond with a status code of 404 (Not Found).


I am strongly against saying this.  The purpose is to specify a status
code for use in a particular circumstance. Its use obviously is not
compulsory and if someone doesn’t want to use it, they should just not use
it.

Received on Friday, 19 December 2014 05:11:23 UTC