Re: Reviving discussion on error code 451

Proposal:
-------------------------------------------------------------------
 451 Unavailable For Legal Reasons

  The 451 (Unavailable For Legal Reasons) status code indicates that
  the server understood the request but is unable to fulfill it due
  to legal reasons. Responses using this status code SHOULD include 
  an explanation, in the response body, of the details of the legal 
  restriction; which legal authority is imposing it, and what class 
  of resources it applies to. For example:

  (example response from draft)

  If authentication credentials were provided in the request, the
  server considers them insufficient to overcome the legal restrictions. 
  The client SHOULD NOT automatically repeat the request with the same
  credentials. The client MAY repeat the request with new or different
  credentials. However, a target resource might be legally restricted 
  for reasons unrelated to the credentials.

  An origin server that wishes to "hide" the current existence of
  such a target resource (and the fact that it was legally restricted 
  to serve it) MAY instead respond with a status code of 404 (Not Found).

  The use of the 451 status code does not imply that the server could
  successfully answer the request once the legal restrictions have
  been removed. Not the least because the answering server might not
  be an origin server, but an ISP legally bound to make resources
  unavailable for a region based on URI patterns or other generic
  criteria. Such a server is under no obligation to check the 
  existence of the target resource before replying with a 451.
--------------------------------------------------------------------

And further:
> On 18.12.2014 at 11:20, Willy Tarreau <w@1wt.eu> wrote:
[...]
>  - how does the client know when/why these contents were marked illegal,
>    and how long may it cache that information if appropriate
By default, usual HTTP cache mechanisms apply, as for other status codes.

>  - how does the client know that the legal issue is for the server or
>    the client (which will tell it whether it may retry somewhere else
>    or not).
Seems similar to asking on a 403: what credentials would work?

>  - how does the client know whether it is the body being uploaded
>    or what it tries to retrieve which is tagged illegal.
I hope the description above makes it more clear that 451 would apply to retrievals. E.g. the first 2 of the 3 situations you describe. As with 403, I see no need to differentiate situations 1+2.

As to situation 3, something like 451 for uploads could be useful for sites 
like youtube or soundcloud, but I have not heard of any such expressed
interest. My understanding of how they operate is limited, but they seem
to take in content and then post-process the upload by their content bots
afterwards. 

Anyway, before proposing something without any clear use case, I would
rather leave it out.

> 
> I'm seeing at least 3 situations which deserve emitting a code, possibly
> different :
>  - client tries to fetch data that a server is not allowed to deliver
>    because that content was tagged illegal after the URL was published,
>    and the server wants to stipulate that (eg: stolen documents). The
>    client knows that maybe that content is illegal only where the server
>    resides and the same content might legally be fetched somewhere else.
>    This can be true for crypto code or books for example.
> 
>  - client tries to fetch data that is not legal to have in the country
>    where he resides. Typically adult contents when the age of the human
>    in front of the computer is known. Not all countries have the same
>    rules about this, and servers might refuse to deliver certain contents
>    to certain people. The client then knows it's inappropriate to look
>    for the same contents somewhere else.
> 
>  - client tries to upload some illegal contents to a file sharing site,
>    for example a document, a movie or whatever that is not permitted by
>    law where the server resides. It should be clearly mentioned as well.
> 
> All these 3 cases are very different and all fall under the same vague
> terms of the current draft. These need to be clarified.
> 
> For now the draft only looks like the work of someone wanting to have fun,
> and not anything with any technical merit at all. And I already got that
> feeling back then in 2012 when the discussions started.
> 
> Regards,
> Willy
> 

<green/>bytes GmbH
Hafenweg 16, 48155 Münster, Germany
Phone: +49 251 2807760. Amtsgericht Münster: HRB5782

Received on Thursday, 18 December 2014 11:09:48 UTC
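
An added example, not part of the original message or the draft: one way a client could honor the proposal's rule against automatically repeating a 451 request with the same credentials, while applying ordinary `Cache-Control` freshness to the block. The class `LegalBlockGuard`, its method names, and the choice to hold a 451 that carries no `max-age` until the guard is discarded are assumptions of this example.

```python
import hashlib
import re


class LegalBlockGuard:
    """Remembers 451 answers so a client does not auto-repeat a blocked request."""

    def __init__(self, clock):
        self._clock = clock   # callable returning seconds, injected so tests control time
        self._blocked = {}    # (url, credential digest) -> (expiry or None, explanation)

    @staticmethod
    def _key(url, credentials):
        # Keep a digest of the credential, never the credential itself.
        return url, hashlib.sha256((credentials or "").encode()).hexdigest()

    @staticmethod
    def _max_age(cache_control):
        directives = [d.strip().lower() for d in (cache_control or "").split(",")]
        if "no-store" in directives:
            return 0
        for d in directives:
            m = re.fullmatch(r"max-age=(\d+)", d)
            if m:
                return int(m.group(1))
        return None           # unstated: assumption here is to hold it for the session

    def record(self, url, credentials, status, headers, body):
        """Note a response; headers is a dict keyed by canonical header names."""
        if status != 451:
            return
        age = self._max_age(headers.get("Cache-Control"))
        if age == 0:
            return            # server asked for no reuse: remember nothing
        expiry = None if age is None else self._clock() + age
        self._blocked[self._key(url, credentials)] = (expiry, body.strip())

    def may_send(self, url, credentials):
        """False while a fresh 451 is on record for this URL with these credentials."""
        key = self._key(url, credentials)
        entry = self._blocked.get(key)
        if entry is None:
            return True       # new or different credentials may be tried
        if entry[0] is not None and self._clock() >= entry[0]:
            del self._blocked[key]   # stale: the restriction may have changed
            return True
        return False

    def explanation(self, url, credentials):
        entry = self._blocked.get(self._key(url, credentials))
        return entry[1] if entry else None
```

Because the key includes the URL, a 451 for one resource says nothing about others, which matches the proposal's point that the answering server may be blocking by URI pattern without knowing whether the resource exists.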