Re: Access Control Preliminary Draft

At 09:19 AM 7/3/97 PDT, Jon Radoff wrote:

>As I understood it, implementation via HTTP is a requirement of
>the WebDAV charter and the general consensus.  This can be eliminated
>if it is felt that this shouldn't be true for access control.

You are right.  The only thing I was concerned about was stating that access
control would be implemented by new HTTP methods, as opposed to, say, new
headers for existing methods.
 
>> 3. [Notification to applications -- I share Jim's skepticism about this.]
>> 
>
>A stated WebDAV requirement appears to be that any resource on
>any medium could be controlled.  If we don't include applications,
>then I don't believe we meet this goal.  We should make a decision
>as to whether WebDAV access control will apply only to static
>document-based resources or any type of resource.
>
It's one thing to define access permissions for the application itself.
(User U1 is allowed to execute the application, user U2 is not.) So one
question we can ask is whether this is in scope for WebDAV.

I thought you were talking about something else.  Maybe we have an
application that generates several different kinds of HTML pages on the fly.
Some of these it wants to make available to everyone, but some it wants to
restrict to members only.  A request to change a page from members only to
public would just be a request to the WebDAV server that it would pass on
via CGI or something else to the application, which would do whatever it
liked with the request.  It doesn't seem as if there needs to be any special
attention from WebDAV to the mechanism for passing the request on from the
server to the application.
 
> 
>> Section 5.5: It sounds as if you want to require every WebdAV-compliant
>> server to support all the categories of access control in this section.  In
>> the general requirements draft, we agreed to avoid talking about compliance,
>> leaving compliance issues to the WebDAV spec. In any case, I'm not sure we
>> should require WebDAV servers to provide access control at all, much less
>> this particular list of categories.  I guess I think of a set of categories
>> like the one you propose as similar to metadata schemas.  There could be
>> lots of different access control schemas, each defined in a resource
>> somewhere, and servers could make it known which schema(s) they support.
>
>There are two items here:
>
>  1) Whether access control will be a WebDAV requirement.  Thus far,
>     general consensus has been that it should.

I guess I was assuming that we had decided that WebDAV should define an
access control extension to HTTP, but without deciding whether we would
require every WebDAV-compliant server to implement it.
> 
>  2) The objective was to define required categories of access
>     control that would be "understood" by all WebDAV servers, not
>     that it necessarilly implement each category.  In fact, the
>     proposed requirements document states that it would be up to
>     the WebDAV server to determine how it would interpret the
>     meaning of a particular access control attribute.
>
OK, that makes sense.

--Judy
Name:			Judith A. Slein
E-Mail:			slein@wrc.xerox.com
Internal Phone:  	8*222-5169
External Phone:		(716) 422-5169
Fax:			(716) 265-7133
MailStop:		128-29E

Received on Monday, 7 July 1997 19:24:04 UTC