
Some comments about the access-control note

From: Jose Kahan <jose.kahan@w3.org>
Date: Thu, 2 Mar 2006 11:58:03 +0100
To: public-appformats@w3.org
Message-ID: <20060302105803.GB27588@rakahanga.inrialpes.fr>

(resending to public list. Apologies for multiple postings)

Hi,

Some brief comments on things you may want to consider:

1. Access control vocabulary

   It may be useful to look at the vocabulary currently used by
   TCP wrapper: "ACCEPT, DENY, EXCEPT, PARANOID, UNKNOWN, LOCAL, ALL".

   In particular, it's interesting to be able to define a security
   policy such as "deny all access except for ..." or the opposite
   way.

2. HTTP methods?

   You may want to add some web methods too (entity B can only read
   this data, but should not do a post or put with it...) I'm not
   sure if this is interesting for your use cases.

3. What happens when a document is stored, cached or accessed behind
   a proxy?

4. What happens when an application is denied access to part of a
   document? How is this going to be reported to the user? Will this
   application still be able to access a well-formed XML document?

5. Prior art that may be interesting:

    - University of Milan work on access control rules for documents
      (server side)... it's the group of Elisa Bertino. Mail me if
      you need more references.

    - TCP wrapper, mentioned above

    - There was an internet-draft by Dave Raggett about cross-domain
      authentication, to avoid having to type the same password.
      What is interesting here is the vocabulary used to specify
      which domains were authorized / constrained.

Hope this helps. Looking forward to reviewing a new version of the draft
with more use cases.

-jose
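The two ideas in points 1 and 2 above, a TCP wrapper style default of ACCEPT or DENY with an EXCEPT list, and per-entity restriction to read-only HTTP methods, worked through as an added example. This evaluator is not part of the original message or of the W3C access-control note: the one-line policy syntax, the `[GET,HEAD]` method suffix and the hostnames are constructed for illustration, and the UNKNOWN keyword is an assumed way of naming a request whose origin could not be determined.

```python
"""Evaluate "DENY ALL EXCEPT ..." / "ACCEPT ALL EXCEPT ..." access policies.

Constructed example. The keywords ACCEPT, DENY, EXCEPT, ALL and UNKNOWN
borrow the TCP wrapper vocabulary; the textual syntax and the per-rule
HTTP method restriction are an assumed mini-grammar, not the syntax of
the W3C <?access-control?> note.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

ACCEPT = "ACCEPT"
DENY = "DENY"
UNKNOWN = "UNKNOWN"   # request whose origin could not be determined (assumed keyword)


@dataclass(frozen=True)
class Rule:
    """One EXCEPT entry: an origin glob (or ALL / UNKNOWN) plus an optional method set."""
    origin: str
    methods: frozenset = frozenset()   # empty set means the rule covers any method

    def matches(self, origin: str, method: str) -> bool:
        origin = origin or UNKNOWN          # a missing origin is treated as UNKNOWN
        keyword = self.origin.upper()
        if keyword == "ALL":
            host_ok = True
        elif keyword == UNKNOWN:
            host_ok = origin == UNKNOWN     # only an explicit UNKNOWN rule matches it
        else:
            # A wildcard such as "*" must never match an undetermined origin.
            host_ok = origin != UNKNOWN and fnmatchcase(origin.lower(), self.origin.lower())
        method_ok = not self.methods or method.upper() in self.methods
        return host_ok and method_ok


@dataclass
class Policy:
    default: str                              # ACCEPT or DENY
    exceptions: list = field(default_factory=list)

    def decide(self, origin: str, method: str = "GET") -> str:
        """Return ACCEPT or DENY for a request from `origin` using `method`.

        A matching EXCEPT rule flips the default: under DENY ALL it grants,
        under ACCEPT ALL it refuses. Anything unmatched gets the default.
        """
        for rule in self.exceptions:
            if rule.matches(origin, method):
                return ACCEPT if self.default == DENY else DENY
        return self.default


def parse_policy(text: str) -> Policy:
    """Parse e.g. 'DENY ALL EXCEPT *.example.org b.example[GET,HEAD]'.

    Rules are whitespace separated; a trailing [M1,M2] limits the rule to
    those HTTP methods, so under DENY ALL that entity becomes read-only.
    """
    head, _, tail = text.strip().partition(" EXCEPT ")
    default = head.strip().upper()
    if default not in (f"{ACCEPT} ALL", f"{DENY} ALL"):
        raise ValueError(f"policy must begin with 'ACCEPT ALL' or 'DENY ALL': {text!r}")
    rules = []
    for item in tail.split():
        pattern, _, methods = item.partition("[")
        method_set = frozenset(
            m.strip().upper() for m in methods.rstrip("]").split(",") if m.strip()
        )
        rules.append(Rule(pattern, method_set))
    return Policy(default.split()[0], rules)


if __name__ == "__main__":
    # Constructed demo: everything is refused except one trusted domain and
    # one entity that may only read.
    policy = parse_policy("DENY ALL EXCEPT *.example.org b.example[GET,HEAD]")
    for origin, method in [("www.example.org", "GET"), ("b.example", "GET"),
                           ("b.example", "POST"), ("other.example", "GET"), (None, "GET")]:
        print(f"{origin!s:16} {method:5} -> {policy.decide(origin, method)}")
```

The decision function is deliberately a flip of one default rather than a first-match walk over mixed allow and deny rules: that is what makes "deny all except ..." and "allow all except ..." cheap to reason about, and it keeps an undetermined origin from being matched by a wildcard unless the policy names UNKNOWN explicitly.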
Received on Thursday, 2 March 2006 10:58:56 GMT
