W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > April to June 1997

RE: WEBDAV Security

From: Ron Daniel, Jr. <rdaniel@lanl.gov>
Date: Wed, 16 Apr 1997 10:27:29 -0600
Message-Id: <3.0.32.19970416102723.009ae830@cic-mail.lanl.gov>
To: Yaron Goland <yarong@microsoft.com>, "'Larry Masinter'" <masinter@parc.xerox.com>
Cc: w3c-dist-auth@w3.org
At 12:03 AM 4/16/97 -0700, Yaron Goland wrote:
>[Larry Masinter wrote]
>> I agree you should try to limit the scope of what you handle to
>> be "the minimum needed to build interoperable clients", but I believe
>> taht the minimum exceeds what has been done so far for DAV-less HTTP.
>
>I agree that there are certain requirements that are specific to DAV,
[...]
>However, those needs should be addressed within the context of a working
>group tasked to solve the general ACL problem.

Sorry, I agree with Larry. First, there is no group presently constituted
to solve the "general ACL problem". I doubt there will be or that it would
achieve results in time for this group to use them. Second, I have a hard
time understanding why "requirements specific to DAV" should be dealt with
in some other group. 

>We should not try to come
>up with a solution that only meets our needs and we should not presume
>to dictate a solution to meet needs outside the scope of this group.

We should not try to develop an entire security architecture that meets
only our needs. However, I think that our needs can be met with already
existing mechanisms, such as DIGEST authentication, SSL, etc. All servers
I know of already have mechanisms for governing access. What we have to
do is specify a way for clients to read and write that sort of info in
a server-independent fashion. The servers will have the job of converting
between the server-independent protocol and their particular access
control mechanisms.

Security concerns were one of the issues raised at the Memphis meeting.
At least some of the questions that people wanted answered were:
  1) How does an author get permission to modify a document?
  2) How does an author establish the permissions on a new document?
  3) How does an author or administrator change the permissions on a
     document?
    
These are all reasonable questions that an interoperable protocol for
DAV has to answer. Furthermore, I don't think you can declare them
"out of scope" since several people at the meeting were concerned about
this problem. IMHO, this is MANDATORY functionality and the only way
it will interoperate is if we specify it. Any draft DAV spec with such a
glaring ommission will be pummeled mercilessly during last call. (And I
will be one of the people doing the pummeling. :-)

Finally, I think we can achieve a solution to those questions without
too much grief. For example, here is one possible solution, off the top
of my head.

  1) How does an author get permission to modify a document?

     To edit a resource, the author does a GET on the URI of the source
     of the resource. Existing HTTP authentication mechanisms may be used
     to limit access to the resource. To check the resource in, existing
     mechanisms can be used to restrict access to the PUT method. If an
     author does not have permission to GET and/or PUT a resource, see
     question 3.  (Use of BASIC authentication is strongly discouraged,
     the spec should say that clients and servers MUST support digest
     authentication if they are to claim DAV-compliance. This is because
     of the IAB's explicit repudiation of clear passwords in future
     protocols).
     
  2) How does an author establish the permissions on a new document?

     By default, PUTs to a new URI inherit the permissions already on
     the server for that portion of the namespace. (e.g. a PUT to
      http://www.foo.com/papers/1997/bar.html might use the permissions
     set in the papers/1997/.htaccess file). If the author wishes
     special permissions to be established for their resource, those
     permissions MUST be established before the resource is PUT to the
     server. See question 3 for how those permissions are established.
     
  3) How does an author or administrator change the permissions on a
     document?

     There are two means for administering the ACL for a resource - local
     and remote. Local administration is outside the scope of the DAV spec.
     It is specific to a particular brand of server, but might be as simple
     as "edit the .htaccess file". One means for an author to get the
     permissions on a resource changed or established is for them to use
     out-of-band means to contact their server administrator and let it be
     done locally.

     More useful, but more difficult to secure, is remote editing of the
     permissions. The most straightforward way to do this would be to
     define a new media type that contains a URI and some specification
     of the permissions for various groups and users. Use POST to a
     well-known URI to have that media type processed by the server and
     the permissions set. (People who represent vendors that don't use
     NCSA-style .htaccess files should comment on the difficulty of
     processing that syntax to meet their needs). DIGEST authentication
     must be used for such an operation, and it would be best if the
     permission info was encrypted during transfer.

I make no claims that these are great approaches to the problem, but its
a starting point for further discussion on this topic. I do claim that
this topic must be handled in this group. 

Cheers,

Ron Daniel Jr.              voice:+1 505 665 0597
Advanced Computing Lab        fax:+1 505 665 4939
MS B287                     email:rdaniel@lanl.gov
Los Alamos National Lab      http://www.acl.lanl.gov/~rdaniel
Los Alamos, NM, USA, 87545  
Received on Wednesday, 16 April 1997 12:29:00 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:43:42 GMT