Re: [Ppm] Httpdir early review of draft-ietf-ppm-dap-09
Tim Geoghegan <timgeog@gmail.com> Tue, 09 January 2024 22:27 UTC
Return-Path: <timgeog@gmail.com>
X-Original-To: ppm@ietfa.amsl.com
Delivered-To: ppm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9B32C151098; Tue, 9 Jan 2024 14:27:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.104
X-Spam-Level:
X-Spam-Status: No, score=-1.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fM5jbTTGalPE; Tue, 9 Jan 2024 14:27:09 -0800 (PST)
Received: from mail-ed1-x52b.google.com (mail-ed1-x52b.google.com [IPv6:2a00:1450:4864:20::52b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3586CC151099; Tue, 9 Jan 2024 14:27:09 -0800 (PST)
Received: by mail-ed1-x52b.google.com with SMTP id 4fb4d7f45d1cf-55569b59f81so4216171a12.1; Tue, 09 Jan 2024 14:27:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1704839227; x=1705444027; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=HbK8YTH+7U7dWd6aRwKIwS361ohMs+XQWHlgPW/1dtk=; b=KlsM6pMPKtKYL7/dG5dMcOrgjnQ5JIpsYVsWRX7IOQM1DHVxeSiAX5GibtSZZG4KGW y59YVYp/KIS/XdNJKFhhHtSkr4SEitf7wMMCtixrTF8LDd2UTSN5GyOI6K7mzmjkiDwU AEA+9KyYkEn1OgHHk3LaN2OYbLNsU1CWNXAnj9d1xXLgaj+Xd+FFe11Y3QGTpGc1nz0K aAZOu0GnqsPyvXiYQTFdraoJmWcKLHQ7KlP5bkQ1PUQZaFyzC2Hpb0l1xWUhcD/Oa/CA QFh8B/o22Z0q6UXBeQVM8mRSbsicEa2pFpBbNtBDsbBZApGI3QjSc6NZN6cuhcj2jcqV kSqg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704839227; x=1705444027; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=HbK8YTH+7U7dWd6aRwKIwS361ohMs+XQWHlgPW/1dtk=; b=KN5YqI9+0I0YGWEBMqQwe35DI06mSkSy3mUWS30UN/MBsTtiRQ5UMCNYzs/pp8k22M ehM5u1eBHUZrkucB32ds/vGsvINchENjnTzizbobgnl/kp5BHFbuxfBYhGEkrBMbWHDW s9AEeULfJNR3rkS5EiQGL1RJ8hSbdFegYswXdEFLzx/Zd9u9Xvlr0eYvXApIYDRQVV+H 82s+XTH163ANdhAvR5mFFsQmReetL/5jfyNKi3SCSP58OxAljTzKHEJkagC+p/1GKN8c 1b3Ll3sMCw63BH21MfKf5fsDNw2ORcZwc6m+/EW0gPcBnL/qOcxonR4ofy1b/jamQRow SyuQ==
X-Gm-Message-State: AOJu0Yx8eK3N1+fgM/oR2C6H68GluB7tRnvGWZomjdKJqmaZbN9dbPcb L2ShOWOvzhzyPgpWpii71zwEqpWmvC7ZxLbFWyO5ForAicRTbQ==
X-Google-Smtp-Source: AGHT+IGk74IfGX1VcXNgoZQ5tfZJVF99A8SP5+WYcH14BN8GrjU7t+wVw0/jp756o75WadAtL36VVuMwwqdZAymwQ3g=
X-Received: by 2002:a50:d7d7:0:b0:557:5c3f:26cd with SMTP id m23-20020a50d7d7000000b005575c3f26cdmr55225edj.4.1704839227352; Tue, 09 Jan 2024 14:27:07 -0800 (PST)
MIME-Version: 1.0
References: <170384026509.4260.5375550250978716488@ietfa.amsl.com> <CACsY-OduuUv0LjBB=0DR2Pj338MM9HUENkxOhKjxQG9AnCki9Q@mail.gmail.com> <007EBB68-5310-42E0-9DB7-AB0ED7A12AC9@mnot.net> <CACsY-Of+25c-9NPRyFwH-MHb+GP6GLRDVBowDmx0TSNZEYnNHw@mail.gmail.com>
In-Reply-To: <CACsY-Of+25c-9NPRyFwH-MHb+GP6GLRDVBowDmx0TSNZEYnNHw@mail.gmail.com>
From: Tim Geoghegan <timgeog@gmail.com>
Date: Tue, 09 Jan 2024 14:26:54 -0800
Message-ID: <CACsY-Oe+bb4DfW=ygGUk9-+gGHmT7sD4NGyg3ckDjiAui8=bkA@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, draft-ietf-ppm-dap.all@ietf.org, ppm@ietf.org
Content-Type: multipart/alternative; boundary="0000000000008ba9f4060e8ad0ae"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ppm/XsQQVQU8BRkuk5j1GMBNzqO6G9M>
Subject: Re: [Ppm] Httpdir early review of draft-ietf-ppm-dap-09
X-BeenThere: ppm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Privacy Preserving Measurement technologies <ppm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ppm>, <mailto:ppm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ppm/>
List-Post: <mailto:ppm@ietf.org>
List-Help: <mailto:ppm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ppm>, <mailto:ppm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jan 2024 22:27:13 -0000
As promised/threatened, some additional PRs that came out of this discussion: require error responses to be consistent - https://github.com/ietf-wg-ppm/draft-ietf-ppm-dap/pull/542 Hoist report ID into upload request path - https://github.com/ietf-wg-ppm/draft-ietf-ppm-dap/pull/543 Tim On Tue, Jan 9, 2024 at 8:40 AM Tim Geoghegan <timgeog+ietf@gmail.com> wrote: > Thanks again for sharing your thoughts. I am working on some further DAP > changes to implement more of your recommendations and will follow up here > with pull requests links as I post them. Just a few more comments inline, > below. > > Tim > > On Sun, Jan 7, 2024 at 4:59 PM Mark Nottingham <mnot@mnot.net> wrote: > >> On 3 Jan 2024, at 8:06 am, Tim Geoghegan <timgeog+ietf@gmail.com> wrote: >> > >> > - 'Errors can be reported in DAP both at the HTTP layer and within >> challenge >> > objects as defined in Section 8.' It should be noted that for HTTP >> software to >> > work correctly, the appropriate status code must be used; indicating an >> error >> > in the object without doing so may lead to unintended >> retries/caching/etc. >> > >> > Good point. The other problem is that I don't think the reference to a >> "challenge object" makes any sense. What we mean is that a message in the >> response body might contain error information. So we need to fix that text. >> That aside, would it suffice to amend this section to say that if the >> object in the response body indicates an error, then the HTTP status MUST >> indicate either a client or server error? >> >> That's one way to do it, yes -- although that might be too constraining >> (e.g. when it's an error that doesn't have impact on / significance to HTTP >> components). >> > > I understand the distinction you're making between the HTTP/transport > layer and the DAP/application layer, but personally I dislike APIs that > indicate success at the transport layer but then an error in the message, > because inevitably clients only look at the HTTP status. For instance the > infamous AWS S3 CompleteMultipartUpload, which will give you a 200 OK but > then only in the response body will tell you that your object was not > actually committed to storage ( > https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html). > This has burnt pretty much everyone who uses the S3 HTTP API. The official > AWS SDKs do the right thing for you, but if you're using those, I'd argue > you're not really interacting with the HTTP API but rather a > Python/Java/Go/whatever abstraction over it, with its own error > representation and handling concepts. But I digress... > > >> > - In section 4.3, it might be good to reference RFC 6570. >> > >> > Speaking as the individual who wrote the current text: I deliberately >> avoided using RFC 6570 here because its feature set is much, much richer >> than what DAP needs, and so I opted for the weaker, simpler templates that >> we have now. >> > >> > Speaking as a document editor/WG member: I have no doubt that the >> templates and expansions DAP uses can be expressed in RFC 6570 syntax, and >> will switch over to it if the WG consensus is to do so, but personally I >> don't see a compelling reason to go that way (I'm open to hearing arguments >> about this of course). >> >> AIUI these are just an editorial convention / explanatory device, so I >> don't feel strongly about this, but 6570 does designate "level 1" for such >> simple cases. >> > > Oh, that's neat, I hadn't realized it offered different feature sets. I'll > give RFC 6570 another read and see what adopting it for our URL templates > would look like. > > > - Section 4.4.1 and afterwards use static paths for subresources, >> hindering >> > flexibility and violating at least the spirit of BCP 190. If the >> configuration >> > were to allow specification of URI templates, it would be much more >> flexible. >> > >> > We tried to write the text to allow serving of the API relative to any >> prefix. So in a template like "{aggregator}/hpke_config" (4.4.1), >> "{aggregator}" can have arbitrary path components in it relative to the >> hostname. Did we express this incorrectly? >> > >> > Past that, are you objecting to DAP spelling out templates like >> "{aggregator}/hpke_config" or >> "{helper}/tasks/{task-id}/aggregation_jobs/{aggregation-job-id}"? Are you >> suggesting that a deployment should be able to use a template like >> "{helper}/foo/{task-id}/bar/{aggregation-job-id}" if it so wishes? >> >> Using prefixes is better than static URLs. Ideally, the client would >> fetch something that contains the links (or templates for them) to allow >> complete flexibility, much as HTML does for the Web. Have you considered >> that approach? >> > > I assume you're talking about something like the ACME directory ( > https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.1)? Yes, the > DAP authors are aware of that design. Personally I don't think it's right > for DAP. I may be revealing my inexperience as an API designer and server > operator but I don't see how the flexibility in request path layout is > worth the additional complexity of a directory endpoint. Additionally, in a > protocol like DAP, which will see far, far greater volume of traffic than > ACME, forcing an extra HTTP round trip for some report uploads -- to check > where HPKE configs are and where uploads should go -- seems wasteful. > > But of course that's my opinion as an individual WG member. If someone in > the WG wants to champion the idea of a directory and builds rough consensus > around the idea, then I'd support it. > > >> > - 4.4.2 uses PUT to create a report, but doesn't seem to make the >> uploaded >> > report available for later GETs at the same URL. If this stays the same >> (i.e., >> > if the server is going to manage the URL of the report), it should be >> POST. It >> > should only be PUT if the client is effectively deciding what the URL >> should be >> > (by PUTting to a URL it can later GET). Also, if it can't be GET later, >> the >> > response status code should be 200, not 201. If it can and POST is >> used, it >> > should be 201 + a Location header pointing to where it was created. >> > >> > First, there is a unique identifier for a report that does get chosen >> by the client, but it only appears inside the request body (this is >> `Report.report_metadata.report_id`). We could hoist it up to the request >> path, yielding a template `{leader}/tasks/{task-id}/reports/{report-id}`, >> and then you'd have a unique URI for each report. I'm inclined to do this >> much no matter what, for consistency with the aggregation job and >> collection job resource paths. >> >> If you do that, PUT makes sense. >> >> > That said, I'm not sure if it makes sense for that to be a GETtable >> resource. DAP doesn't need GET on reports to function and more importantly, >> I worry about the implementation burden for servers. In many cases, the >> initial uploaded form of a report isn't useful after the first round of >> preparation. Servers may wish to discard per-report information >> aggressively to limit the growth of their databases, which makes it >> difficult to serve up anything meaningful in response to a GET request. So >> I'm reluctant to add a requirement or a MUST about GET on this resource. >> >> Understood, but I wonder how much of a burden it really is for a server >> to return some state that it has sitting there already. >> >> > I really like having this be a PUT request because of the implied >> idempotency semantics. What if we leave it as a PUT and change the path >> template to incorporate the unique report ID, but then don't say anything >> about GET requests (or at most put in a MAY)? I think then implementations >> would be free to either respond to GET requests with HTTP 200 and a `struct >> Report`, or with HTTP 204 or 410 if they happen to have chucked out the >> relevant database row. >> >> Yes, if the resource isn't available any more, 404 or 410 is entirely >> appropriate. PUT isn't a guarantee that the same bytes will always be >> returned -- or even returned on the next request. However, it should make >> sense, from a systemic view. >> >> > If that's inappropriate, then I think we can switch to a POST as you >> recommend, but what about idempotency? Would we just have to state in DAP >> that this particular POST is safe to retry? >> >> Well, this is under development and should ship soon: < >> https://datatracker.ietf.org/doc/draft-ietf-httpapi-idempotency-key-header/ >> > >> > > In our case, we don't need a synthetic idempotency key because we already > have a natural one: the unique report ID. I meant that by switching to > POST, we'd lose the inherent implication that the request is safe to retry, > and I was asking how protocols should make it clear that a POST request is > idempotent. In any case I think this is moot, because we'll stick with PUT > for this request and move the unique identifier into the request path. > > >> > - Use of 201 in 4.6.1 seems incorrect if I understand correctly. >> > >> > The request in question is PUT >> {leader}/tasks/{task-id}/collection_jobs/{collection-job-id}, which is >> intended to create a collection job resource with the specified ID, in the >> specified task. RFC 9110 9.3.4 ( >> https://www.rfc-editor.org/rfc/rfc9110.html#section-9.3.4-2) states: >> > >> > If the target resource does not have a current representation and the >> PUT successfully creates one, then the origin server MUST inform the user >> agent by sending a 201 (Created) response. >> > So 201 seems correct: on success, the collection job gets created. The >> same paragraph in 9110 discusses using 200 or 204 when successfully >> mutating an existing resource, but DAP explicitly forbids that in this >> request. >> >> Ah, sorry, I misread that. >> >> Cheers, >> >> -- >> Mark Nottingham https://www.mnot.net/ >> >>
- [Ppm] Httpdir early review of draft-ietf-ppm-dap-… Mark Nottingham via Datatracker
- Re: [Ppm] Httpdir early review of draft-ietf-ppm-… Darrel Miller
- Re: [Ppm] Httpdir early review of draft-ietf-ppm-… Tim Geoghegan
- Re: [Ppm] Httpdir early review of draft-ietf-ppm-… Mark Nottingham
- Re: [Ppm] Httpdir early review of draft-ietf-ppm-… Tim Geoghegan
- Re: [Ppm] Httpdir early review of draft-ietf-ppm-… Tim Geoghegan
- Re: [Ppm] Httpdir early review of draft-ietf-ppm-… Simon Friedberger
- Re: [Ppm] Httpdir early review of draft-ietf-ppm-… Mark Nottingham