Re: [access-control] non-GET threat model and authorization choreography

On 2007-10-09 13:59:55 +0200, Anne van Kesteren wrote:

>   4. Store the result of an access request check in a table along
>      with a timeout time from a dedicated HTTP header. Invalidate
>      this result after the timeout time has been reached. If
>      there is no timeout time do not store the result.

> I don't think 1 is really an option. I can't really judge the feasibility of
> 2. 3 seems annoying for debugging. 4 seems relatively easy to specify and
> can work on top of the existing HTTP cache for the URI.

How is 4 any different from saying "use HTTP caching"?  (I might be
missing the point here...)

-- 
Thomas Roessler, W3C  <tlr@w3.org>

Received on Tuesday, 9 October 2007 12:02:57 UTC