Re: Access Control Draft from howard.s.modell@boeing.com on 1997-05-19 (w3c-dist-auth@w3.org from April to June 1997)

From: <howard.s.modell@boeing.com>
Date: Mon, 19 May 1997 11:36:39 -0700
To: w3c-dist-auth@w3.org
Message-Id: <199705191836.LAA13862@warlok.ds.boeing.com>
H:From w3c-dist-auth-request@w3.org  Fri May 16 18:45:51 1997
H:Resent-Message-Id: <199705170135.VAA05148@www19.w3.org>
H:Date: Fri, 16 May 1997 15:54:28 PDT
H:From: Larry Masinter <masinter@parc.xerox.com>
H:Organization: Xerox PARC
H:To: Jim Whitehead <ejw@ics.uci.edu>
H:CC: w3c-dist-auth@w3.org
H:Subject: Re: Access Control Draft
H:X-List-URL: http://www.w3.org/pub/WWW/Archives/Public/w3c-dist-auth/
H:X-See-Also: http://www.ics.uci.edu/~ejw/authoring
H:X-Mailing-List: <w3c-dist-auth@w3.org> archive/latest/792
H:X-Loop: w3c-dist-auth@w3.org
H:
H:I actually thought that you could ignore access control completely
H:except for two things:
H:
H:1) how does an author CHANGE the access policy of a resource
H:2) how does an author SPECIFY the access policy of a new resource
H:
H:and that (2) could be defined as
H:   Inherit the default access policy and then do (1)
H:   (There's an unfortunate window when items have the wrong
H:    access policy).
H:
H:However, it should be possible to do (1) and (2) for a wide
H:range of different kinds of access policies.
H:
H:It might be that every resource has a related linked resource
H:which is its access policy, and that the access policy could
H:be retrieved as text/html (in which case you would get a form
H:that would allow you to modify it, if you were so authorized)
H:or as some other representation (which a program that was
H:knowledgable about the structure of access policies on the
H:particular server would be able to directly manipulate it).
H:
H:It might be that access policies should be linked to 'realms'
H:rather than 'resources' where a 'realm' was some well-defined
H:extension set of resources.
H:
H:I'm not sure how the discussion got off into APIs and CORBA,
H:though.
H:
H:Larry
H:--
H:http://www.parc.xerox.com/masinter
H:

I've been lurking up until now, but I think I need to inject
something relevant here.  

We've been thrashing thru "web policy"
here, particularly document format and metadata and one of the
things that comes up is that a Web document not only has a 
list of authors, but an "information owner" as well who might not
*be* an author, but *is* responsible for what goes into the document.

Thus, I can see access control information specifying not only a list
of authorized authors/editors, but the Information-owner as well (who
may need to approve changes).

Conceivably, one might even need to account for the web-server administrator
who may be the only person allowed to (re)place documents in the server's
directories (analogous to the "mailing listserver administrator").

<signed>
Howard S. Modell
________________________________________________________________________
 Adv.Computing Technologist/2         POBox 3707, m/s 4A-25, Boeing D&SG
 howard.s.modell@boeing.com           Seattle, WA 98124-2207
 http://warlok.ds.boeing.com/~howie/  (206)662-0189[v] (206)662-4018[f]
Received on Monday, 19 May 1997 14:36:58 UTC