Re: [Anima] Use of problem details in BRSKI (and other ANIMA) documents (rfc9457)
"Fries, Steffen" <steffen.fries@siemens.com> Fri, 08 September 2023 06:32 UTC
Return-Path: <steffen.fries@siemens.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E31DBC15198E; Thu, 7 Sep 2023 23:32:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=siemens.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3qG-B_Dfc-xi; Thu, 7 Sep 2023 23:32:19 -0700 (PDT)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-he1eur04on2085.outbound.protection.outlook.com [40.107.7.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19B01C15198C; Thu, 7 Sep 2023 23:32:18 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=QoStSB1OJd2IYZi0NFShY4c4zM9HMun/Kk8/0f3RD1aBn73qLPM1Mhs8TQsAET10AOI9zThOPg5SuRrS+4MBMQ/l9yIGbjdrv0eVazIyrljbnF3ILbGTg2u6RKCjGuyGH2XqP3Kf2DL0ooKPKeSpgJFgpOcP2UM3BNNc6ymrli72IiVkFZzIvIPOC6msn/7zLZrPb/vfEc4cEJa1uxQLirRmlOWCnnQGO51AVq0Hhpyq4gafgIdTOb/dkeFAEJemgxavurP2W9+lYdb/iiDF7WPzUSNmjoYsjVMMecy4BOM1XgOWLmI+b44WQ32L9cqEwMuOqXQR1nvLgaSXmAbklA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=WZPheXeP03Qz2Q4A9QgQXtdKPJmXgrH4i7Smm6rGw/4=; b=VJTYoVSPQht6H9X0TS9vC59ieAnlscI8yqAXftR2XKvNE25CADs+TELjS9lMo3SVCmt9nOtUmY6vhxUgow11ZyINrc3JGRHzRbSxpBI4CHkeJnlyQZAXxQZeCZM01Kh0z5XA+A1NWOtHoz33/63rP5w+toKgv6/rSfFuHzbTv71wapkoUbkx/nF4NXeLEUjZwgQIXFyM2VRaXWebG85fy2w73/GYMoUXXlayt3FepQxjAMhznKiQTSHFjQ+/Lp8UrBLTabkYndVfMrgbt7O7dzHFNCf9cOkWq7awiYkfQ0AfE1c2PHsFVOe6Xl5KuNcgUu45Uz1g4BbG+7D9C9rG3Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WZPheXeP03Qz2Q4A9QgQXtdKPJmXgrH4i7Smm6rGw/4=; b=BlX8A8QC1QxQU0Kqacg4qjDYxZsFQyPBEfbpxn3AjaeX6sAwYR1U17Mp2vXydS7CJxOnC8NX9KwWcbAIHqXEeic4QZgbMrsvQrvjgEJrhr30WkjHK4w4LSwAQvIBwNZk7d9wBmj1TheyTYgL5E56FG4eV8ZMvee6qigDF1N86V/OOfFz5oYEYLG+aMY1P8Gzh/3rlt7cbAw+BT3gk5Ncv7LC5ZqT9wp7+sT2u+meqWX9uqFHZ7KDGs2/XNUhYJ76HrsNDE0B1wuS9N0nrS9Aqo6NYI3qQpd0sAwRTJ1ZNsYkTJ9cVgV+nlbJo1kOOgzHU8eVmrt6w7k/OYLw6f1q+w==
Received: from DB9PR10MB6354.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:3c6::22) by PAVPR10MB7538.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:2f5::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6745.36; Fri, 8 Sep 2023 06:32:15 +0000
Received: from DB9PR10MB6354.EURPRD10.PROD.OUTLOOK.COM ([fe80::2a9:4d06:3992:f4b]) by DB9PR10MB6354.EURPRD10.PROD.OUTLOOK.COM ([fe80::2a9:4d06:3992:f4b%6]) with mapi id 15.20.6745.035; Fri, 8 Sep 2023 06:32:15 +0000
From: "Fries, Steffen" <steffen.fries@siemens.com>
To: Toerless Eckert <tte@cs.fau.de>, "anima@ietf.org" <anima@ietf.org>
CC: "draft-ietf-anima-brski-prm@ietf.org" <draft-ietf-anima-brski-prm@ietf.org>
Thread-Topic: Use of problem details in BRSKI (and other ANIMA) documents (rfc9457)
Thread-Index: AQHZ4PBYuLwidv0BY0Wt0Ngx1euzTbAQeLjw
Date: Fri, 08 Sep 2023 06:32:14 +0000
Message-ID: <DB9PR10MB635492B2AFFF62B2138C67AFF3EDA@DB9PR10MB6354.EURPRD10.PROD.OUTLOOK.COM>
References: <ZPjFa++nnLOHesnx@faui48e.informatik.uni-erlangen.de>
In-Reply-To: <ZPjFa++nnLOHesnx@faui48e.informatik.uni-erlangen.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_ActionId=5116d6e0-2a91-4ff1-834e-0f6c89b9178b; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_ContentBits=0; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Enabled=true; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Method=Standard; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Name=restricted; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_SetDate=2023-09-08T06:25:45Z; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_SiteId=38ae3bcd-9579-4fd4-adda-b42e1495d55a;
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=siemens.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DB9PR10MB6354:EE_|PAVPR10MB7538:EE_
x-ms-office365-filtering-correlation-id: 4d8c2889-1336-4e7e-8ec6-08dbb0355772
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: mR1mDo4gYodfz6UT/IG6zrNYVxZwmCvuwB5ABYOKmtN6O4X4WaVI6QZq3d8iw4xOZTt7d+NSgpItXV8h2LbLxIAjPGippE3I0xb0BTYXq/OQqRjcX82WyBOhd85JLaY32sWRk3BeE4LNBPmL03Ambo0HC+3giOEQVyijnzBbLnpE0uJFZ7bUQSgi+mW5kVEkr51qD6ppkeUbSVh8bh1aU5y+JhK9i5aO7jSTD4rryCumqp2Jspphr77BpJfRq4O2Sy1ZFCbGSH+2HBNxdCF7XFmgYA1uvHD4lYXA8BTH2w1T7ViUgpbcIoZfOjQIasTmd7ehVN4DGuK+vmRve/bcMc67eOSwo+B4lkVON1lOyz8US5AwaSjkCc0MuCcYbIECzoSbvRcoxLVvP6YfhDHSdl0EClT/u1X3TBe1mT2b6lcg3buAGCsROQrEvdqXHOT+Gv3hkDvqZJvMO3gGbFXOHQeDcq6z3P4bjQ82DyQS9dlRhsjhtPCfYv255t2VuxxFxLl0VGFY7RhMp45uqA/AAmtWQVQgJTKXLxdlJ2o4oNUHefYsBfcSBr6FckppA70fZ1yFJSRRrSoiC3NRSxOZ6TWJt3CgYwVG789O+n3wXHI=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB9PR10MB6354.EURPRD10.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(376002)(366004)(136003)(346002)(39860400002)(396003)(186009)(1800799009)(451199024)(122000001)(82960400001)(38100700002)(38070700005)(55016003)(86362001)(33656002)(45080400002)(966005)(2906002)(9686003)(110136005)(53546011)(71200400001)(76116006)(7696005)(6506007)(8676002)(4326008)(8936002)(5660300002)(52536014)(66556008)(66476007)(64756008)(316002)(66946007)(66446008)(41300700001)(478600001)(83380400001)(26005); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: fQr/nSRLOmGakRW+MxXFbw66sLQbhbP6+MElrHHu7jTRaYiRUFWgGuzmquu8zMpYrfNwzhB4bKckci+FfzyKRSKC8pVZ8JAEVDihluo8Lc6yyrkpawZveXYcCS6MgTKUlErDd/3fX7cZLPzrtspqKy37Ilwfq7feQO1fW1Ju0vllPA0C9k62ua1B3/jbgyR4A1n33AC55XLdzGIt+8c+L7l/U0shQBDnFAgggZM2/dDbX7I7kBPYbIH2sC63bDW2EXPgQUacHImhc6zkE07q0zeoLak8ruHiosKEspoLxeuAsBm6JkbYXkZEOmUqRCIsSMC6sxqeDFnd+/d+JV3H9Ltj0g6N+SKFB9NVQx7eN01oq6oDMJ2CLpywkkP0DRhHe6W0xTcwf0FfB4K4+bSA0T1gys7GVEW1xoGFPngA0R+BBY3n0unX2gkOt8DP+KY5KZT4V2QV/tWIYbEaO2pVLZVQl0zc1FdFPC3eGc1Swel+sgkTeRlj57wSo7Dtg5YtEdnBRqvLGsQ9SbP4dIPzHjcoptNnsaMAAKNT8wUrM5DKy5IbOPYAkUg9DW9TIPrfafZ5UbKp905KacnA2t1CoIBztUMaERh98dBLf/DqARbj7nysQ0nm7NH+qkgRvy3oheKfQy+JELk/GrZWaheRL4OQgaDOpZayyeOwypwYLVsSRfB9JdlxKYPd4mjvPdi7DI1GgIlySTYTEzsmGitrV9Lz7dh86z78yAeeqwPU4Vb9DX9i0nbthKuITSRYlraSmygOwU/4/6mVY2+irePAGLYEzxvuEDUv+aof5SNt+z9HDbXjf8OC5iQbYKxz2gmuhAlDS8Kl/Zf7XRR7Gb/aVMl6hLKnf0+AMlXcCiEWeyTaKdN37alFf6jxXz5xsbDSg9TH9LJHXJesiAnlMBk3XajN13WNyCdTGpMR0EST4wWaGSX0BqShtARhWCHfX6cq+/Kidxl1T9aUadbJCmzRmAxYlnAghJ5VW/bf03V7dICLwMOXFJbypHa0KViMdCge0BcDDPmPAtvmYuqKEwdAqmlFd2OAMbwAzJyW4pedj0c598wPwRnyOfyouJjLj8qw/m5QmYhJC2rtpXaGdawrWPYwXLwV9GrVCGOqcYg41dHTXjxde0iCGggy+JokrYjd8Eww/pLW7pLwmzwNkeiI/d05UbySPGGvCLYKWQ0Dkehqs1y61zAxnCrN4f4NYqzFGv58bp25M/oC34zvIatRqIPc05sTWYfd5w3ikJ5MgjusUTY+Lpy0FoeBr1t/nDPEI0e7c1PKyWv8ohObM/DxWqoxi+TwakpBGhnesGCG/tua4MFh0vEpN/dYnsX96hsK1Tgu2f0N/wa2Pjhjp76YGfa7TOX5HWmA0lH7f71kRhWxP2PZ1jhmxj2+APAwTdUOmJAgHDB5IDwFG+Mo6QQGhpgX3EXn8wpyUEridLaut4NZoH75e1R2MRkij7ZaiGs8S65sasoj/57C/qQdvcMB71RMvnclOWASdlaS4IwZUqXfitdP30VM8290m7V68IuffNT4TA93S10m6cZCFVF3dbMYLswddgwP1QvR6++MbaIwiq07Y8E5wFnj+P84NHZOuadQ+eis2Cun48eR6yT6fQ==
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DB9PR10MB6354.EURPRD10.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 4d8c2889-1336-4e7e-8ec6-08dbb0355772
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Sep 2023 06:32:14.9439 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: DYNzSU+96X98xqqR1+a1kVr/Tq+wQoj+OJo/vdwef+je0AD0FpCNWlDIbaBZQ+pHFLM0jn8Xpp54QPbhSrjDgUcqZpBO653dyBSl0CqSmio=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PAVPR10MB7538
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/v_0AfGfB8tAgg6g0sX-8PBJupzw>
Subject: Re: [Anima] Use of problem details in BRSKI (and other ANIMA) documents (rfc9457)
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Sep 2023 06:32:24 -0000
Hi Toerless, Providing errors with more detailed information is certainly helpful. My gut feeling would be to have this as SHOULD and not as MUST. Reasoning is that for instance in BRSKI-PRM, we have different error codes for different states in the verification as discussed in the design Team meetings (see https://github.com/anima-wg/anima-brski-prm/issues/103). This allows to easily deduce in which state the pledge currently is and allows appropriate reaction in that specific state. Having more detailed information may lead to a more specific handling in that state. Based that the current approach allows for proper reaction, I would consider it as optional. Best regards Steffen > -----Original Message----- > From: Toerless Eckert <tte@cs.fau.de> > Sent: Wednesday, September 6, 2023 8:31 PM > To: anima@ietf.org > Cc: draft-ietf-anima-brski-prm@ietf.org > Subject: Use of problem details in BRSKI (and other ANIMA) documents (rfc9457) > > Dear ANIMA-WG > > In the weekly BRSKI calls we did discuss on and off the issue of limited HTTP error > codes returned when calling BRSKI endpoint URIs. Especially the point that it's > difficult to map all error conditions to unique HTTP status codes. > > So, i would hereby like to suggest that we revisit error codes returned by new > BRSKI work to follow what the IETF has specified and follow what seems to be > like a very simple way to apply that method, as found in ACME (which is kinda > related to our BRSKI work). > > -- Reference: > > RFC7807 defines how to signal problem details for HTTP APIs. It was superceeded > by RFC9457, but of course, there are more RFC already using/referencing > RFC7807 than RFC9457. > > --- Simple example: > > ACME, RFC9115 seems like a good, minimum complexity way to apply this > problem report method. It specifies for example: > > ... MUST return an error response with status code 403 > (Forbidden), providing a problem document [RFC7807] with type > "urn:ietf:params:acme:error:unknownDelegation". > > And then there is an IANA section asking to register this "unknownDelegation". > Aka: minimum text work. > > --- Longer example reference: > > Of course, one of our RFC, maybe rfc8366bis needs to ask for creation of a registry > for "urn:ietf:params:brski", and the error registry, but that's easily written, > especially when it follows the ACME approach. > > RFC8555 , the main ACME does of course introduce a long list of error codes, > They can also all be found in the registry: > > https://www.iana/. > org%2Fassignments%2Facme%2Facme.xhtml%23acme-error- > types&data=05%7C01%7Csteffen.fries%40siemens.com%7C96d0c9691fa94b1c6 > 62e08dbaf0779f0%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C638 > 296218869389810%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJ > QIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata= > aFb8goeUiPdCq2xCiZ5bRJPiZhtzmu6ws4jGuGUczBk%3D&reserved=0 > > --- Example of how to apply: > > Lets take an example with BRSKI-PRM, which currently specifies: > > 400 Bad Request: if the pledge detected an error in the format > of the request or detected invalid JSON even though the PER media type was set > to application/json. > > Instead of just returning 400, we could change this to MUST/SHOULD also > indicate an appropriate problem report. > > --- How to apply to BRSKI: > > Technically, the eror transaction would look like this > > GET /.well-known/brski/tpvr HTTP/1.1 > Host: brski-registrar.example.com > Content-Type: application/json > Accept: application/json, application/problem+json { > ... existing BRSKI PRM PVR data > } > > Aka: in the request, the initiator would indicate that it supports problem+json > > HTTP/1.1 400 Bad Request > Content-Type: application/problem+json > Content-Language: en > > { > "type": "urn:ietf:params:brski:error:ErrorNameNNN", > "title": "...", > "detail": "...", > "blablabla": "...", > } > > In the reply, we would be able to have a combination of specific ErrorNameNNN > and other fields. > > I think the logic of applying ErrorNameNNN and the other fields would be based > on the following considerations: > > Whenever an initiator should or could have two different reactions to two > different errors, such as different retries, then there MUST be two different > ErrorNameNNN. Aka: automated reactions must be possible by only examining > the ErrorNameNNN. > > Whenever it is easy to distinguish two different Errors by name, then we should > also introduce those different ErrorNameNNN. The list of ACME error codes > might be a good help. > > Whenever there must be a human in the loop anyhow to resolve the issue, it is > sufficient to describe the problem differences in the "detail" and potentially other > fields, which can be custom, such as indicated via "blablabla". > > So, for the example of this "Bad Request", the problem of course is that some > plege or agent developer (or even worse customer/operator) needs to figure out > what the registrar did not like. > > --- Bad ? Example what to do: > > What i have seen in other protocols, and what is quite ugly, but the minimum, is, > translated to this registrar example, that the developer of the code that is parsing > the request message/data-structure simply emits a different numeric error code > on every code line where an error is encountered. > > This would translate to: > > { > "type": "urn:ietf:params:brski:error:CrypticVendorError", > "detail": "ExampleCorpMegaRegistrar, v0.97b, code: 0x10057" > } > > Aka: some crap where the operator needs to call support of that Registrar, but at > least then it just needs to tell the software version v0.97b and the code 0x10057 > and then 3rd level support may be able to tell the operator whats "wrong" on the > othrer side (agent/pledge). > > But - this is least amount of spec effort on our side (as in: we don't specify > anything beyond CrypticVendorError. > > And of course, this is not what ACME did, they tried to break down the errors > more by analyzing what errors could exist and come up with better Error codes for > them. > Which of course is more work. > > Cheers > toerless > > ============== > > https://www.rfc-/ > editor.org%2Frfc%2Frfc8075.txt&data=05%7C01%7Csteffen.fries%40siemens.co > m%7C96d0c9691fa94b1c662e08dbaf0779f0%7C38ae3bcd95794fd4addab42e14 > 95d55a%7C1%7C0%7C638296218869389810%7CUnknown%7CTWFpbGZsb3d8e > yJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7 > C3000%7C%7C%7C&sdata=37o%2Fj9xAL9Mtf3lazwZogLGAGJ1Bzo60E%2BuSXBx > rX5k%3D&reserved=0 > section 5.5.1 > -- > --- > tte@cs.fau.de
- [Anima] Use of problem details in BRSKI (and othe… Toerless Eckert
- Re: [Anima] Use of problem details in BRSKI (and … Michael Richardson
- Re: [Anima] Use of problem details in BRSKI (and … Fries, Steffen