Re: Introduction and internet draft proposal for HTTP response 420 Requester Impaired from Rory Hewitt on 2023-12-11 (ietf-http-wg@w3.org from October to December 2023)

From: Rory Hewitt <rory.hewitt@gmail.com>
Date: Mon, 11 Dec 2023 09:03:23 -0800
To: Richard Roda <richard_roda@hotmail.com>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <CAEmMwDxnosC1WbybG37Zg0cfwHa=_bN7bVfA2xf5zQT8-=DiCw@mail.gmail.com>

Hey Richard,

First off, I like this idea!

I have some concerns that it might be seen as an April Fool's joke (as was
its original genesis!) such that people won't take it seriously.

A couple of questions:

1. From a purely technical POV, how does this differ from 400 Bad Request,
which is currently used for this sort of thing - clearly it's up to the
server to make the decision that the client is 'impaired' rather than just
sending an invalid request, but how does it do that? Different servers
might consider different sorts of requests as invalid based on the request
content ("Does this sound like the request someone who's stoned out of
their gourd might make?") but that's a per-server decision, so we have a
lack of standardization.

2. I assume that the point of this is to signal to the client that it is
not making sense, and should maybe stop asking questions until it's no
longer impaired. But in Section 4 (Security Considerations) you say "If the
impaired requesters are identifiable because they have been authenticated,
their requests SHOULD be denied until they have been determined not to be
impaired.". How would a server determine that a client is no longer
impaired unless it starts accepting requests from it again, to gauge its
impairment (or lack thereof)?

Rory

On Mon, Dec 11, 2023 at 4:00 AM Richard Roda <richard_roda@hotmail.com>
wrote:

> My name is Richard Roda.  I am a Sr. Developer at USANA
> <https://www.usana.com/ux/dotcom/enu-US/home>.  I have been developing
> using HTTP long enough to remember transitioning from 1.0 to 1.1.  My most
> relevant vendor certification is Security+ ce
> <https://www.credly.com/badges/931df564-c412-4bca-bef5-f75e3a49c106/linked_in_profile>.
> My details may be found on my LinkedIn page
> <https://www.linkedin.com/in/richardroda/>.  I am proposing an HTTP
> status code for 420 as a Requester Impaired code.  The original idea for
> this was an April Fool's RFC.  420 is an available client error response
> code, and the number 420 is associated with marijuana use.   However, as I
> was writing and drafting it occurred to me that this is a legitimate need.
> With AI systems being given more operational autonomy and the fact that
> Large Language Models (LLMs) can "hallucinate" responses, non-human as
> well as human requesters can be impaired.  If impaired requestors are
> attached to something like remote-operated heavy equipment the results
> could be catastrophic.  Dedicating an HTTP response code to this will allow
> for better visibility and remediation of impaired requesters.
>
> Any feedback on this would be appreciated.  I am also on the #httpbiz
> stream on Zulip.  I might not respond immediately to messages because of my
> day job.
>
> https://datatracker.ietf.org/doc/draft-richardroda-420requesterimpaired/
> An HTTP Status Code to Report Requester Impairment
> <https://datatracker.ietf.org/doc/draft-richardroda-420requesterimpaired/>
> This document specifies a Hypertext Transfer Protocol (HTTP) status code
> for use when an operation or resource is denied due to requester impairment.
> datatracker.ietf.org
> **
>
>

-- 
Rory Hewitt

https://www.linkedin.com/in/roryhewitt

Received on Monday, 11 December 2023 17:03:42 UTC