W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > April to June 1997

Re: WEBDAV Security

From: Jon Radoff <jradoff@novalink.com>
Date: Thu, 01 May 1997 13:42:05 -0700
Message-ID: <3369001D.23E1@novalink.com>
To: -=jack=- <jack@twaxx.twaxx.com>
CC: "Ron Daniel, Jr." <rdaniel@lanl.gov>, w3c-dist-auth@w3.org
Clearly, I'm outnumbered as far as putting ACL-type stuff in.  But
don't take my point the wrong way -- I am not suggesting the
absence of it.  I'm wary of creating a standard around it in this
context because I think people could be resistant to adopting it
as a "subcomponent."  This is a component of the overall technology
that should stand on its own.

An approach that could be taken would be to specify an
interface standard that would pass authentication data (user, realm,
etc.) to a component that would be responsible for obtaining
authorization information, e.g.:

  1.  Application-layer:  "Is 'user' allowed to do 'x'?"

  2.  Interface communicates with seperate component, which could
      be a module which would respond appropriately yet pull its
      information from whatever means of access control are in
      place (native OS, Web-server control lists, passwd files, etc.)
 
  3.  Underlying component does its thing, reports back to the
      interface, and the application is told by the interface whether
      the user is authorized or not.

If interoperability is the goal, then the focus should be specifying
an _interface_ rather than yet another ACL methodology.

If this sort of direction seems to be of interest, I've written some
experimental API's that implement such a concept which could serve as
as a starting point.  I had previously planned to probe for interest
in discussing this as its own subject but if the momentum is here,
I am happy to go with it :)

Jon
Received on Thursday, 1 May 1997 13:41:25 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:43:42 GMT