IETF Logo Mail Archive

Re: Last Call: <draft-sahib-451-new-protocol-elements-01.txt> (New protocol elements for HTTP Status Code 451) to Informational RFC

Shivan Kaul Sahib <shivankaulsahib@gmail.com> Wed, 04 July 2018 01:24 UTC

Return-Path: <shivankaul.1993@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF7C0130E8E; Tue, 3 Jul 2018 18:24:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.748
X-Spam-Level:
X-Spam-Status: No, score=-1.748 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Reatt8_84Wgu; Tue, 3 Jul 2018 18:24:54 -0700 (PDT)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9559C130E8A; Tue, 3 Jul 2018 18:24:53 -0700 (PDT)
Received: by mail-lj1-x233.google.com with SMTP id p6-v6so2981862ljc.5; Tue, 03 Jul 2018 18:24:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KeFVSqOzuBcfx8AxGsPYLHohx9zbRhK++BPBF0IiyK0=; b=QhC8N4mcKxGWVKsaTpMyJB2r7GSJ78zZTPaa8Zw2b/lrNfpZqZeNlm1R8eCTBb0/lS ltwim/v+e0S/MwpA2aH77BSwC3Qt7araBedP/w6k9xmHOm3wVnVMs7v+6ZuE3dvylBF1 SWqqa7++SfJY+PiE6me+s5SPlzfdWgVI3E2AKB8k/wQabR3POf7qFO4dEfM6CAjeWT4w WRZOjmne4qO8kJRAGT+KIYP2YrDqcLq8ehPEyc1G3vCcykJJMvuwbGRhEAbCrPntS0cs SDkwwnC0+5+oTGglrjv8oZFpfpt2/he7erO9LWxwPkuTR+qiNHE5GoJxsS3E7BgtYYnH UVFg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KeFVSqOzuBcfx8AxGsPYLHohx9zbRhK++BPBF0IiyK0=; b=o0RTg9p6u4/v7AWxnaswJ4fx3yJ5RlWyJMCJKVXgTaxBPkS5bq3Gz4dmpD4s+O7tnP XFgypK7oAV5N9igFF7zEtjdxcGEF5+sk6BVeTpvITecli5pYDzgLow60F8Y+/0V2k0Zg NMQNNS03zr5t5XcwfCtfBEWH0cb3h/b/p7kCvDh0pKUVjxOA0NQkulWFOCeWIcyAz803 rNqx+TgjpN1F9m6Ubf87gu4pBsfDJmNkd6k+X1YL0YaH0Dbxjdc97kYkwTprbuTUVj8q zeh8UXe2GMG8DvHZoTzDjv0m1Aeen4JIhmdHP4jU2YMwoeiBB/hGlvIjns1DCScFTKmP yMUA==
X-Gm-Message-State: APt69E1PPqUF9F8R71ZVgPXSm6vpTSS9iH6A2N6F5Mys0eY4g1F5/YNl datUrDFDJ+ywUTzNmDIwpUXPWUEyqIPYbwJAZtQ=
X-Google-Smtp-Source: AAOMgpf9kxVlIZe3j9v+LOxZucTGI5q7/XCu7/RZnhqZCkTJImamwb/oJDI2J1nrcKy09D8nbqVAQeZ1gJKViZBG5d8=
X-Received: by 2002:a2e:4401:: with SMTP id r1-v6mr6868lja.21.1530667491715; Tue, 03 Jul 2018 18:24:51 -0700 (PDT)
MIME-Version: 1.0
References: <153054106529.16082.5456844530797164969.idtracker@ietfa.amsl.com> <CAHBU6iunrrZ6W1hQTWqx7ziEPdDMspt+mf6u0t6DVJn_rS04aQ@mail.gmail.com> <130562.1530665238@turing-police.cc.vt.edu>
In-Reply-To: <130562.1530665238@turing-police.cc.vt.edu>
From: Shivan Kaul Sahib <shivankaulsahib@gmail.com>
Date: Tue, 03 Jul 2018 18:24:40 -0700
Message-ID: <CAG3f7MjEhq_v==1YDS2piZTG=tOw9RZpjKc3bhpbxTY9j05zRg@mail.gmail.com>
Subject: Re: Last Call: <draft-sahib-451-new-protocol-elements-01.txt> (New protocol elements for HTTP Status Code 451) to Informational RFC
To: valdis.kletnieks@vt.edu
Cc: Alexey Melnikov <alexey.melnikov@isode.com>, IETF-Discussion Discussion <ietf@ietf.org>, Tim Bray <tbray@textuality.com>, draft-sahib-451-new-protocol-elements@ietf.org
Content-Type: multipart/alternative; boundary="0000000000001cf0e90570224c13"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/GtKfuoEkXIv8Kn2yM-xS29fQWpA>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jul 2018 01:24:56 -0000

Hi,

The intention of the draft asking for resource identification in the legal
demand was *not* to say that the resource has to be named - like I said,
the Vatican example was fine.
In any case, as previously mentioned I've updated the doc to recommend only
the geographical scope and the blocking authority headers. Would love if
folks have specific feedback about the two additional headers and how they
should be served.

Unfortunately, can't upload the updated doc until later this month.

On Tue, Jul 3, 2018 at 5:47 PM <valdis.kletnieks@vt.edu> wrote:

> On Mon, 02 Jul 2018 22:17:01 -0700, Tim Bray said:
> >    4. Section 4, 1st bullet point: “HTTP 451 SHOULD NOT be used by an
> >    operator to deny access to a resource on the basis of a legal demand
> that
> >    is not specific to the requested resource.†  Why is this a good
> idea?  If I
> >    decide to respect a legal demand that I not give access to any
> resources
> >    that mention the existence of a certain person, or which are sourced
> from a
> >    subdomain of example.com, or from a server whose geographic location
> >    within the Vatican City, why should I not be able to use 451?
>
> Amen to that.  If anything, it's *vastly* more likely that the legal demand
> won't be specific to just that one object, but will cover a large number of
> objects (possibly into the thousands or millions).  There's no sense in
> allocating a return code for the presumably rare "a request was made to
> block
> exactly one object" case, and not allocate one for "a request was made to
> block
> every object of type FOO".  For example, I've never seen Google reply with
> "exactly one response was filtered" - if there's *any* hits, there's
> usually
> *multiple* hits.
>
> Perhaps "on the basis of a legal demand that is not directly applicable to
> the specific requested resource" would be better?  Or other wording that
> makes
> it clearer that 451 can be used for any case where you have an object that
> you
> can't serve up?
>
> On Tue, 03 Jul 2018 10:23:23 -0700, Shivan Kaul Sahib said:
> > HTTP 451 is being used to block users who reside in the European Union by
> > websites that are not GDPR-compliant. There is no real "legal demand to
> > deny access" to the resource.
>
> If they can't provide access to a EU resident because they aren't GDPR
> compliant (and thus have an actual legal exposure to penalties if they
> provide access anyhow), they have two choices:
>
> 1) Deny access
> 2) Face the legal exposure.
>
> You're going to have a really hard time explaining how a "Deny access to
> this
> copyrighted information or face legal consequences" takedown notice is a
> legal
> demand, and "Don't allow access that involves non-GDPR compliant data or
> face
> legal consequences" isn't a legal demand.  Maybe a lawyer understands the
> difference, but it's a strong bet that the person who has to actually
> maintain
> the list of 451-blocked objects won't.
>
> > them to use it. If we think that the status code should be used for
> > compliance with *any law whatsoever*, even if the law doesn't actually
> > demand that the resource be taken down, then perhaps making that clear
> > would be helpful for people seeking to use the status code.
>
> I'll note that "demand that the resource be taken down" is subtly different
> from "demand that the resource not be available" (in particular, if it's
> being
> made *conditionally* unavailable to some users, but potentially still
> accessible
> to other users).
>
> This part of the draft is problematic as well:
>
>       demand.  Note that while the introduction of [RFC7725] mentions
>       that the legal demand for denial of access should be related to
>       the resource being requested, the RFC's description does not make
>       it clear that the resource being denied access to must be directly
>       mentioned in the legal demand.
>
> That's because in most countries, when the legal document arrives, it quite
> likely *won't* itemize 48,374 separate URLs to fulfill a "directly
> mentioned"
> requirement. It will have terms like "any and all documents concerning
> <specific definition of documents involved>".  And that's because if the
> legal
> document says:
>
> "Block access to https://www.example.com/this_data_is_banned.txt"
>
> all they have to do is rename it to 'this-data-is-banned.txt", fix links
> to it,
> and we're playing whack-a-mole.  And it's guaranteed they can rename the
> file
> and fix the links faster than you can go back to the judge and get a new
> order
> signed.  Especially the 7th or 8th time in a 48 hour time span.  So the
> legal
> order will often *not* "directly mention" the resource, but will instead
> give a
> *description* of the object sufficiently specific to allow identification
> of
> same.
>
> Overall, I'm having a *really* hard time seeing how redefining 451 to only
> apply to resources that have been directly identified in the legal demand
> improves the situation over RFC7725.
>

v2.23.0 | Report a Bug | By Email