Hi Jeff,
really appreciate your effort with the spec -- great stuff. Here's a few thoughts about verification.
On Friday, December 7, 2012 11:10:51 PM UTC+1, Jeff Lindsay wrote:
Why is a verification step required at all for subscribing? If the goal is to prevent spamming an unwilling participant, why not just kill a subscription after a certain number of 4xx responses? I would see this as optional good behavior on the part of the producer.
You can't guarantee that the URL they're giving is even a URL intended to handle events, so you can't assume it's going to realize it's getting hammered and then change the status code. I think in general you have a point that it should do something smart when a callback URL is returning 4xx or 5xx codes, but I'm not sure that's a solution for verification of intent.
Why does the URL wrongly given as the callback have to realize that it's getting hammered? It will either dismiss the messages it receives or do something with them. In most cases it will be the former, and such cases aren't making any problems for the server of that URL since it's just bouncing requests, right? Happens all the time on the Web. If on the other hand the callback wants to do something with the messages it didn't ask to receive (store them, process them, whatever) - then just let it, why not? Because, if the callback is not doing any verification or authorization itself for messages it receives (and expects only verified and authorized messages) - then this is a larger problem, not something this spec should try to fix, imo.
Basically, I think that servers of callback URLs can and should protect themselves in a general way (has nothing to do with HTTP subscriptions), and agree that the subscription server should also protect itself. Subscription servers can protect themselves in terms of monitoring the status of subscriptions and suspending them for whatever reason (e.g. too many 4xx/5xx responses), and by using authorization on subscription requests -- if a user created a subscription that is causing spam for someone else, then suspend both the subscription and the user.
How about requiring subscription servers to have a special "suspend subscription for callback URL" mechanism (resource) which spammed servers could use to report that they are receiving spam on a specific URL? So the subscription server would then be able to suspend subscriptions that are causing this flood? A potential risk is random people reporting false spam to suspend other people's valid subscriptions, but since callback URLs are not publicly known and may be long+random -- it's not a big issue, imo.
On the unsubscribe step, I think I see why verification is there, but I would prefer a different mechanism. If the subscribe operation returned a secret that identified the subscription (likely just an unguessable string like a GUID), then this could just be a single step with something like "Pragma: unsubscribe=<secret>." Perhaps this could just be what's returned in the Link header at the time of subscription. It wasn't clear to me whether that link was a secret. (If so, perhaps the RESTier DELETE <subscription URL> would be nice. You alluded to something similar in the spec, but maybe that should be the primary mechanism.)
Yeah, that's interesting. I'm not sure a subscription URL is a good idea to require, so I'm hesitant to make unsubscribing depend on it. And in terms of returning a secret key for unsubscribing, that's also interesting, but I think the ideal scenario avoids state as much as possible. We're already dealing with state with a callback URL and maybe a subscription URL, and the more you add the more complex it gets.
Both extra state and extra verification messages are forms of (additional) complexity. We just have to decide which is less worse for this case.
One of the things I liked about PSHB was the goal to keep complexity hidden in the PSHB server. I think that should apply to verification also. Extra state does mean extra complexity in subscription servers, but that's the kind of complexity developers are used to handling -- there are know approaches for scaling. For "small" subscription server -- this is not even an issue. For "large" subscription servers -- developers will know what they are doing. For "small" becoming "large" -- scaling is something they will be researching and handling irregardless of PSHB subscriptions.
On the other hand, extra verification messages mean extra burden for the network (+1 request/response), as well as for the server and for the subscriber since they have to manage this process internally. This means that the former (=not having a verify step) will be easier to specify in the spec and to implement by developers, while the latter (=having a verify step) will be harder in both ways and will probably make developers squeal just like PSHB verifications did. And I think that one of the goals of the spec should be simplicity, so +1 to not requiring extra verification steps and using a subscription URL + secret approach by default (or using the alternative approach you say you though of but didn't write about yet :))
+ I like the robots.txt idea, but I would just say that subscription servers must obey robots.txt rules for all requests they intend to send (and suspend subscriptions that violate these rules).
Ivan