W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > April to June 1997

RE: Access Control Draft

From: Jim Whitehead <ejw@ics.uci.edu>
Date: Wed, 21 May 1997 11:08:56 -0700
Message-Id: <afa8e4c2070210045f50@[128.195.21.209]>
To: Dylan Barrell <dbarrell@opentext.ch>, w3c-dist-auth@w3.org
>I agree with all except I believe we should evaluate which authentication
>schemes we consider important and ensure that WebDAV can support them. I
>think X.500 with X.509 is a good candidate for evaluation. It is also my
>belief that we have an opportunity to specify HOW a web server interacts
>with a authentication server and should seize this opportunity now - it
>might never come our way again.

%broken record on

While I encourage you to develop a draft which outlines how an HTTP server
might interact with an X.500/X.509 server (are these freely available
specs?) I still feel that until we develop a set of requirements for access
control for WebDAV, we have no way of knowing whether using an X.500/X.509
solution meets our needs.  Is it overkill?  Is it insufficient?  I don't
know because we haven't yet determined our access control requirements.

Until we do, this is just a solution looking for a problem.

%broken record off

One way to start eliciting requirements is to develop some usage scenarios
for access control.  Something along the lines of:

"Mary and John are using their web distributed authoring spreadsheet,
DistCalc, to collaborate on a departmental budget.  Because the budget is
sensitive information, after creating the budget spreadsheet resource, but
before they enter any information, they change the access permissions on
the resource so only they have read and write access to the resource.  Once
the budget is complete, they add their supervisor to the list of people who
have read and write access.

When changing access permissions, they use their Web browser, WebView, to
pull up the access control page for the spreadsheet resource, which is an
HTML form.  They know where to find this resource, because they know that
on their distributed authoring server, the entry point for access control
information is located in /access/.  Once on this page, they enter the name
of the resource, press the "authenticate" button, exchange authentication
information with the server, and are then shown the access permissions page
for the resource.  They modify the access control information, then press
the "Modify" button, causing the form to be sent to the server (along with
authentication information) and processed.  When access permissions have
been changed, they return to working in DistCalc."

>Are there any representatives from the two large HTTP server providers
>(Microsoft or Netscape) participating on this listserver?

Yes.  Apache, Jigsaw, NCSA, and probably others too.

- Jim
Received on Wednesday, 21 May 1997 14:10:36 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:43:42 GMT