Proposal: a new parameter in IIA-Get request to retrieve the IIA snapshot #108
Comments
|
I definitely vote for this. We are still considering validity due to existence of two approval versions, one on each side. |
|
We would like to propose serving last approved partner's IIA in the IIA Approval API. Wouldn't it be enough if both partner's served what exactly they approved? |
|
May you provide an example? I'm afraid that this could over complicate the IIA Approval API (and perhaps the management of the snapshot), whilst the IIA Get is the natural way to provide an IIA |
yeah it could be enough, but if someone lost for example the last partner's IIA approved? and he want to GET it? he must insert in the IIA-GET the condition hash that he wants to download. If condition hash is like the version of what is approved it is necessary to add it in the IIA-GET-REQUEST i think. |
|
Moreover it could be ambiguous: when I invoke your approval API, I only want to know if you approved my copy. |
No, you should add a snapshot of what you approve (the partner's IIA). It's needed also to prove (without the need to verify the hash) what has been approved. So there are multiple reasons to add it. As for an example, imagine an endpoint returning the exact XML as was produced by the partner the moment it was approved. |
|
so we need to add condition hash (optional) in the IIA-GET-REQUEST (probably in the IIA-CNR too) and IIA-GET-APPROVAL (probably in the IIA-CNR-APPROVAL too) . could be have sense? |
In some way this breaks the master master model: I provide my copy, you yours. |
this is not respected by many in production 😅 😅 😅 it's one of the major problem in production that we are facing unfortunately... hope it will be solved soon |
I'm wrong, or this solution may fail if you keep a more complete historical list than what I do? |
yeah you are right, depends by the new specification, the best thing is to have all the approved versions i think, but i can't decide it 😅 |
|
As I understand Michał's proposal you always answer with the latest approved version. You may keep the history, but the latest approved suffices. |
I understand that Michał propose to answer with the latest approved version, but my version, not his one. |
|
We are talking about the IIA Approval. Up to now in response to IIA Approval get we were sending just hash of the partners copy (the one we approved). We propose to add also XML of this IIA. Which means that we would always keep XML with IIA (and hash) and would send it in the response (to confirm that this is what in our opinion we approved). The version (name space) would not matter. |
do you mean in the IIA-APPROVAL-RESPONSE ? or by IIA-GET? |
|
I will try to write more details and the idea behind.
|
I don't understand: it's Michal's proposal or your?
This is outside the scope of my proposal; my proposal is to fetch your last approved version, not mine.
I don't understand: already now if we change the major number we don't have to re-approve the mutually approved version. |
We discussed it internally so I can say that it is our proposal.
I remember. This is a counter proposal, the more proper place for this discussion is probably #109 but both issues are inter-related.
I am not suggesting to get rid of namespace. |
And how you resolve the problem of Outgoing Mobility Get endpoint? |
|
Is there an issue with the approval concerning Outgoing Mobility get? |
Of course, as concern the IIA-ID inside the sending-hei the specification says: "Clients can fetch more information on this agreement from IIAs API served on the sending HEI's servers" That is, the specification refers to IIA API, not Approval API. In my opinion, your proposal is not compliant with the current specifications of Outgoing Mobility get. Could you provide an example of the IIA inside the Approval to understand how could we preserve the namespace? Anyway, your proposal doesn't solve the initial problem, because at a given time there are two versions for the same IIA-ID:
I need to know what is your last approved IIA; if you think that's enough my snapshot, I don't need to ask you. |
You will still call IIA API get to get the most current version of the IIA. Still all the changes in the IIAs will be handle by the IIA API.
Yes. we will have to upgrade the major version anyway. And I see an added value in it. It will be easier, on an organizational level, to switch the network at the same moment in time. In our opinion it is the easiest way we can solve the problem of changing the major number and not having to re-approve already mutually approved IIAs.
Michał will prepare an example on Monday
The last approved is the one returned by the IIA Approval API. The last under negotiation is the one returned by IIA API.
I agree the the hash becomes useless and we could as well get rid of it in the same round of changes. |
No, you cannot!
Could you explain? If we don't touch the Approval API, we haven't to upgrade its version.
I don't see this problem, may you explain? Indeed, when IIAs are mutually approved, they are approved forever; they have no need to be re-approved because something external is changed.
I think that you and @mkurzydlowski should clear what is your proposal, because what you're saying is something different from what Michal said: "_No, you should add a snapshot of what you approve (the partner's IIA) _"
It is useless if Approval API provides my copy of the IIA, not if Approval API provides your copy of the IIA. |
|
We must be prepared to change the version number of IIA. Better to do it now than later. The changes to the IIA that we are designing will come into force (probably) on January 1, 2024 and they are to serve us for a long time, preferably until the end of the current Erasmus+ programme. We have changes waiting to increase this number, so it's better to release them now. This is also the recommendation of DG EAC. If so, we can afford changes that are not backward compatible. It is important, however, that they are not too laborious for providers whose implementations are already active in the network. The purpose of the IIA API is to exchange information about the latest version of IIA. Sometimes it will be a mutually approved version, sometimes a terminated version, sometimes a version under negotiation. Each partner keeps its copy of IIA (live object), creates XML from it in the current format (version, namespace) on request and sends in IIA get response. On a daily basis, in a local system, mobilities are handled on the basis of the latest mutually approved version (if any). Everyone has it, you don't have to ask your partner for it (although you can). Basically, we will ask the partner when the CNR comes or when we suspect that something might have changed on the partner's side. We will also not make changes in our copy that we do not want to have and approve in the future. The IIA Approval API is a mechanism whose purpose is to obtain proof that the partner has agreed to our copy of IIA. So far, the partner has sent us this consent in the form of a hash. However, this is not enough in the face of changing versions/namespaces, because the hash changes too. Therefore, to have a complete proof, we need to keep the original XML with (embedded) hash. This XML is in the form in which we got it, it can be treated as a string. It is not intended to serve us in the ongoing service of IIAs or mobilities, it only serves as a (static) proof. Since we only care about the most recently mutually approved IIA, we only need to keep proof of that revision (of course, local systems can keep the full history). The specification states that the partner is required to keep this evidence and submit it to us upon request in the IIA Approval response. But what if he removes it? It is safe to keep it with us locally. If this XML was also signed, we would have non-repudiation. Then the hash would be redundant and it would be enough to keep this signed XML instead of other data certifying that this XML was actually sent to us by the partner. If I described something inaccurately, Michał will correct it, but only on Monday. |
|
I think that you're complicating the model without solving the real issues, your explanation is generic and no one of the listed issued seems to me a real problem. The problem you're describing for approval doesn't exist, you're simply trying to introduce the XML signing. I try to simplify:
The full copy is not a proof, no more than the actual hash code. Anyway, if this is your proposal, I think you should open a new topic on GiHub because it is out of the scope of the current thread.
it's simply a wrong vision because a system is the owner of its version of the IIA and it must be able to provide this data according to client scope. If the client needs to know the cooperation conditions of an IIA to represent a stable situation (for mobilities or whatever we may need in the future), the system must be able to provide the last approved version, not the most recent proposal. |
|
Could you provide a use-case where you need to request the last approved version from the partner? You should already have this version as an XML (partners IIA get response) that represent what you approved. A hash is not enough to have a proof if you store it without the full document. If you need to revert to the last approved version of the IIA you must do it based on a data "snapshot" (structured - not an XML) that you made before modifying your IIA. But this is your data, not something that you should be asking your partner. |
Here you are: https://github.com/erasmus-without-paper/ewp-specs-api-omobilities/blob/stable-v2/endpoints/get-response.xsd
That is, not the current IIA, but the one on which the student is being nominated/sent (for me, this means approved).
And this means that we need this information from the partner, not from the local copy.
I don't understand: is this a question for me? Or a specification?
No, I don't need the last approved version for this. I add a point, that is underlying my vision, that I realized today not to be completely true: If we add as a new specification that in case of performing an IIA-GET with the new last-approved-version set to true, the partner's server doesn't return the last approved IIA building it from its structured data, but serving the XML it has stored when it received the approval (ignoring the current API version), we resolve the great approval problem that we have whenever we have a namespace version upgrade. When we fetch the XML saved by the partner (and not built from structured data) we may read the version number and know the API version to use to parse it (we should already have that version, we used it to approve...). What is not completely true in my vision? That presently EWP doesn't allow even this little document management without a digital signature. Do we really want to approve again every IIA when we have a namespace version upgrade? |
The ID is the same.
True but that still doesn't mean that we the partner shouldn't just server the current version - even if not yet approved.
Saving it seems to currently be the only way to have a proof without relying on the partner.
You mustn't rely on your partner - you really should store the object you approve. The "copy" has validity - that's why we introduced the hash.
How is taking this data from the partner going to solve misunderstandings? That's too vague. It's everyone's obligation to be able to revert to their last approved version (that they stored locally). Don't complicate this by relying on one another's GET response.
That vision is exactly why we suggest to serve the exact XML in the IIA approval. The only difference that you see this data as something that should be sent in IIA get and by the other party. |
You skipped some important steps: the first sentence I quoted, but you in some way have ignored, explains that the partner shouldn't serve the current version: "_Optional ID of the Institutional Agreement based on which the student is being nominated/sent. _
If this is the official interpretation, then it should be specified officially. Instead, the official flow chart states something different: "and store the partner hash as the proof"
Really? Do you think that a copy has validity because it has a well formed hash code?
For example, I can see if your IIA, the one you consider approved, is the same I saved as approved.
But I think that your approach doesn't solve the problem: the IIA approval API is to approve, you may provide me MY copy of the IIA, the one you've stored as approved. And then? Are you that have to decide if you have to send me a new Approval CNR. This is a scenario after the namespace upgrade: If I can get your "last approved version" as a snapshot of the XML (old namespace), I could see that the last approved version is still valid (the hash code is the same I saved). How can your solution avoid approving again all the IIAs? (doing so we'll soon discover that at some point I have approved your N-version whilst until you will not approve my N-version, you still stuck with my N-1 version: the same IIA-ID is mutually approved, but no more the same IIA: data are different) |
|
But which approved IIA version should a mobility be linked to? There is no way of knowing if it changed after the mobility has been created. The most we can do is link it by IIA id, as it is currently. Adding the ability to ask the partner for his last approved version doesn't change things. The hash is a proof as one can verify that it corresponds to the IIA XML that is kept with it.
I don't understand your objections. There is no need to resend the Approval CNR. Storing the IIA XML enables us to be independent of any IIA version changes. The benefit of storing the IIA XML in the approval is that we are one step from signing such IIA and getting rid of hash if people ever decide to go that way. |
You shouldn't be taking action if you didn't receive an IIA CNR and you shouldn't receive one after version update. But if you do ask IIA GET without receiving a CNR then you should not compare the hash with anything you might have saved locally if IIA version changed. |
Really? You should know it...
Any approved version is good, because the mobility is linked to that, since it cannot be changed after the applications and nomination started. And if it was too late, a partner can deny the approval of changes anyway.
Again, really?
May be, but we are far away from that moment and at this point I'm afraid of where could lead us a global digital signing.
Again: really?
And therefore it is a new IIA for me and I have to approve it again. Do you realize this? I think that after years you should inspect how other providers have implemented the EWP logic, because I suspect that our implementation, needs and controls are not as you imagine. |
If someone asks for IIA by himself (for example when he believes that an IIA CNR might be lost) and notices a change in the IIA version then he should indeed compare the IIA with what he has stored. No need to approve it if we don't detect a change. I don't see how your solution might make this less painful.
If you made a change while upgrading then it will be detected in that comparison. |
So you're telling me that I have to compare the IIA with what I have stored? Anyway, the hash code was introduced right to detect a change in the IIA:
I hope that the solutions you propose be compliant to the specifications you wrote |
If the IIA version changed then there is no other way to tell the difference. Why would the partner change the order of cooperation conditions? If he did then he should theoretically also send an IIA CNR. But how does this impact this discussion?
It was introduced to enable IIA approval with a proof. It can also be used to detect change as stated but this is limited to a single IIA version. |
Do you think?
Simply because it can, being that is not forbidden by the specifications.
In the sense that the actual XML structure and specifications cannot allow you to compare a saved version with a fresh one with the possibility to be 100% sure that there is a real change.
Yes, we are realizing that this is true, but it is not written anywhere. I'm still waiting a suggestion on how implementing a comparison from two XML of different version and being sure that they are the same and there is no need for a new approval. |
|
I agree that this issue is about the extra parameter for the IIA get, to obtain the last approved version. I do not see any strong support for this idea from the other providers. The issue is open and anybody can contribute. Saying that I come back to #109 for the more important discussion on how to make sure that nobody will have a problem with the change of the name space and nobody will trigger re-approvals due to such a technical change. |
|
Does it means we have to keep 2 versions of the IIA. one draft and on last approved? |
This question is rather business than technically oriented. @pleys @kamil-olszewski-uw please comment. I personally think that the mobility process can not stop, that changes are most probably related to the future academic years. |
|
If there a need of the latest approved copy all the time, then there is no other way but to keep 2 versions. |
What you call 'draft' is a version under negotiation and it should not be hidden. You want/should to show it to the partner. It wouldn't be hidden it it would be the first version. This is the consequence of the decision that once approved version can be modified. |
|
@janinamincer-daszkiewicz this is not new. Approved versions were always allowed to be modified. So let's not try to portray this as something new. |
It would be best if @pleys answered us, but it seems obvious to me that whatever decision is made here, related workflows and technical aspects must not interfere with business matters in the form of a temporary stop of the mobility process. |
How can you start a new mobility, if your contract is under re-negotiation? |
You may change only the mobilities after a given date, the previous should remain still valid (the cooperation conditions may change exceptionally at any moment only it there is a mutual agreement).
This is why I think it could be useful:
|
|
From the presentation for the IF meeting on the coming Wednesday: "If the partners do not reach the conclusion they should revert back to the last mutually approved version" Otherwise: how long they must wait before reverting back to the last mutually approved version? |
During the last IF @janinamincer-daszkiewicz told me that she doesn't see the necessity do add a new option in IIA-Get to fetch the last approved version instead of the current one, that may be under review (we were talking about the modification of a mutual approved IIA).
And she told me to open a GitHub issue if this point is important for me.
So this is what I'm doing and I'm sorry that she doesn't see such a necessity.
There are several reasons to justify the need to fetch from the partner the last IIA version we have approved, getting it straightly from the partner's system and not from our one.
But to be short, the main reason is contained in Outgoing Mobility Get endpoint.
https://github.com/erasmus-without-paper/ewp-specs-api-omobilities/blob/stable-v2/endpoints/get-response.xsd
In the response of Outgoing Mobility Get endpoint we have the sending and receiving IIA-IDs; the get-response.xsd says: "clients can fetch more information on this agreement from IIAs API served on the sending (or receiving) HEI's servers".
What do you think to provides when these clients call the IIA-Get API?
The last approved IIA or the under review IIA?
I think that only an approved IIA can rule a mobility, and this involves that IIA-Get must provide the way to ask for the approved version by means of an optional new parameter.
Therefore, again, I strongly suggest to modify IIA-Get adding the optional request parameter
last_approved_versionwith the following explanation:Boolean, default false. The value false means, that the client is not interested in receiving last approved version of the agreements specified with iia_id or iia_code parameters. Therefore, if the parameter is set to false or not provided at all, the partner returns the most update version of the requested IIAs. If the parameter is provided and set to true, the response will contain the IIAs' snapshots taken when they have been approved (if they have been ever approved). If an IIA has never been approved, the relative IIA-ID is ignored and no value is returned.
Am I the only that feels the necessity to provide the current IIA or the last approved IIA depending on the client or the use?
The text was updated successfully, but these errors were encountered: