Re: #461, was: p4: editorial suggestions

Mark Nottingham <> Mon, 06 May 2013 02:31 UTC

From: Mark Nottingham <>
Date: Mon, 6 May 2013 12:28:49 +1000
Cc: Ken Murchison <>,
To: Julian Reschke <>

On 02/05/2013, at 5:05 PM, Julian Reschke <> wrote:

> On 2013-05-01 01:26, Mark Nottingham wrote:
>> On 01/05/2013, at 12:46 AM, Ken Murchison <> wrote:
>>> On Tue, 30 Apr 2013 15:07:49 +0200, Julian Reschke wrote:
>>>> On 2013-04-23 05:47, Mark Nottingham wrote:
>>>>> * 3.1 "...instead they MUST respond with the 412 (Precondition Failed) status code."  This is too strong; e.g., what if authentication is needed? Suggest an "unless..." clause allowing other error status codes.
>>> The first paragraph of Section 5 seems to address the case of 401 and any other errors:
>>> "For each conditional request, a server must evaluate the request preconditions after it has successfully performed its normal request checks (i.e., just before it would perform the action associated with the request method). Preconditions are ignored if the server determines that an error or redirect response applies before they are evaluated. Otherwise, the evaluation depends on both the method semantics and the choice of conditional."
>>> The second sentence in Section 3 references Section 5 as far as when preconditions are applied.  This seems sufficient to me, but perhaps that is because I have read the document several times and know what it says in its entirety.
>> Unfortunately, some (many) people will read the MUST and just stop.
> Not convinced. We could move the text into each status code description, but I don't think it makes things much clearer.
>> Also, everywhere else we suggest the most sensible status code to use in a situation, barring exceptions (which is essentially what we're doing here), it's SHOULD; the MUST here seems sorely out of place.
> Why?

Here's a small sample of similar requirements in p2 (there are many, many more):

* When a request method is received that is unrecognized or not implemented by an origin server, the origin server SHOULD respond with the 501 (Not Implemented) status code.

* When a request method is received that is known by an origin server but not allowed for the target resource, the origin server SHOULD respond with the 405 (Method Not Allowed) status code.

* If one or more resources has been created on the origin server as a result of successfully processing a POST request, the origin server SHOULD send a 201 (Created) response containing a Location header field that provides an identifier for the primary resource created (Section 7.1.2) and a representation that describes the status of the request while referring to the new resource(s).

* 4.3.4 "If the target resource does have a current representation and that representation is successfully modified in accordance with the state of the enclosed representation, then either a 200 (OK) or 204 (No Content) response SHOULD be sent to indicate successful completion of the request."

What makes this one a MUST but the rest SHOULDs? Or are we just using these terms completely arbitrarily?

Mark Nottingham
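
The evaluation order in the Section 5 text quoted above, as an added example that is not part of the original message or of the draft: normal request checks run first, and If-Match is evaluated only just before the action, so 412 is returned only when no earlier error applies. RESOURCES, VALID_TOKEN, KNOWN_METHODS, if_match_passes and handle are hypothetical names, and the resource and credential are constructed sample data.

```python
# Added illustration; all names and sample data below are hypothetical/constructed.
RESOURCES = {"/doc": {"etag": '"v2"', "allowed": {"GET", "PUT"}, "body": "old"}}
VALID_TOKEN = "Bearer example-token"  # constructed credential
KNOWN_METHODS = {"GET", "PUT", "DELETE"}

def if_match_passes(header, current_etag):
    """Strong comparison of an If-Match field value against the current entity-tag."""
    if header.strip() == "*":
        return current_etag is not None
    # Simplification: assumes entity-tags contain no commas.
    candidates = [t.strip() for t in header.split(",")]
    # Weak tags (W/"...") never match under strong comparison.
    return any(t == current_etag and not t.startswith("W/") for t in candidates)

def handle(method, path, headers, body=None):
    """Return the status code for a request; preconditions are evaluated last."""
    # 1. Normal request checks. An error here means preconditions are ignored.
    if method not in KNOWN_METHODS:
        return 501
    if headers.get("Authorization") != VALID_TOKEN:
        return 401
    res = RESOURCES.get(path)
    if res is None:
        return 404
    if method not in res["allowed"]:
        return 405
    # 2. Just before performing the action, evaluate the precondition.
    if "If-Match" in headers and not if_match_passes(headers["If-Match"], res["etag"]):
        return 412
    # 3. Perform the action associated with the method.
    if method == "PUT":
        res["body"] = body
        res["etag"] = '"v%d"' % (int(res["etag"].strip('"v')) + 1)
        return 204
    return 200
```

Because the 401 check precedes the precondition, an unauthenticated request gets the same response whether or not its If-Match value is current, so the status code does not disclose entity-tag state.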