Re: Working Group Last Call for draft-ietf-httpbis-legally-restricted-status

On 09/29/2015 09:29 PM, Mark Nottingham wrote:
> 
> So, this is the announcement of WGLC for: 
>  https://tools.ietf.org/html/draft-ietf-httpbis-legally-restricted-status-02

>   [RFC4924] discusses the forces working against transparent operation
>    of the Internet; these clearly include legal interventions to
>    restrict access to content.  As that document notes, and as Section 4
>    of [RFC4084] states, such restrictions should be made explicit.


The above paragraph may be interpreted as a skilful attempt to justify
dedicating a special status code to denials based on "legal demands".
Neither of the two RFCs mentioned in the quoted paragraph requires or
even suggests that "legal demands" require such special treatment.

Those RFCs say that restrictions should be disclosed. Using that to
justify a new HTTP status code dedicated to a particular type of
restriction is quite a stretch IMHO. HTTP already provides means to
satisfy those two RFCs by allowing error responses with arbitrary
content that may include all sorts of disclosures.

Please note that the above is not an argument against adding a special
status code for "legal demand" denials. It is an argument against using
those two innocent RFCs as a justification for doing so. I think that
paragraph should be deleted.


If that paragraph is removed, the only justification offered for the new
status code is:

> This status code can be used to provide transparency in circumstances
> where issues of law or public policy affect server operations.  This
> transparency may be beneficial both to these operators and to end
> users.


Since the existing HTTP error mechanisms can already be used to do all
of the above, that justification is insufficient at best.


I failed to find any other explanation of why a new code dedicated to
"blocked by legal demands" responses is needed.

Moreover, the term "legal demand" is itself undefined. Could it mean a
verbal demand from XYZ legal department? A written request by a law
enforcement officer lacking jurisdiction? Does responding with this
status code constitute the responder's agreement that the demand to
block was legal??


IMHO, the draft should be revised to remove the words "legal" and
"demand". It should specify a generic mechanism to point to the blocking
entity (i.e., Section 4). Such a generic mechanism can then be used by
those who block because of "legal demands" (using their own definition
of that term) and by those who block for other reasons.

Alternatively, some serious effort should be made to define "legal
demands" and explain why they deserve a special HTTP status code.


Thank you,

Alex.

Received on Thursday, 1 October 2015 00:38:02 UTC