RE: Additional WebDAV Requirements?

The DAV standard provides that anyone may be allowed to discover the lock
token associated with a lock; there is no required security with regard to
the lock token. The security comes in terms of authentication. So I can
discover your lock token and request your lock be removed. However, if my
access level on the server isn't sufficient to authorize me to remove your
lock then my request will fail. Thus, using the current WebDAV standard, an
administrator can go in, discover any lock token and request that the lock
be unlocked.

In addition, the DAV ACL effort (there are two IDs out, one for requirements
and another for protocol) is defining how you can actually set those ACLs in
the first place. Today you must have an out-of-band mechanism to actually
set the ACL that made you into an administrator.

		Yaron

> -----Original Message-----
> From: francis@netscape.com [mailto:francis@netscape.com]
> Sent: Wednesday, July 22, 1998 11:09 AM
> To: w3c-dist-auth@w3.org
> Subject: Re: Additional WebDAV Requirements?
> 
> 
> Jeffrey E. Sussna wrote:
> 
> > The RFC states that it should be possible to remove locks.
> > It says nothing about under what circumstances, or by
> > whom. With respect to locking and reservations, it is
> > critical that a mechanism be supported to release dangling
> > locks or reservations.
> 
> Certainly this is necessary in a product; but I don't think
> it's necessary in the standard.  Generally, servers come
> with administrative UIs or utilities; those UIs could
> provide this functionality however they desire.  Come to
> that, some/many DAV servers will be built around existing
> document management systems; such servers could be
> implemented in such a way that you could just delete the
> lock in the DMS.  (It wouldn't be automatic; it would
> require the DAV server to consult with the DMS to verify the
> lock was still valid every time it was used.)
> --
> John Stracke
> Software Retrophrenologist
> Netscape Communications Corp.
> francis@netscape.com
> My opinions are my own.
> 
> 

Received on Wednesday, 22 July 1998 15:45:53 UTC
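
The model in the reply above, as an added sketch that is not part of the original thread and not any server's real code: the lock token is a discoverable identifier, and the UNLOCK decision rests on the authenticated principal. The class and method names, the principals, the token value and the status codes returned are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Lock:
    token: str   # discoverable identifier, not a secret
    owner: str   # authenticated principal that took the lock

@dataclass
class LockManager:           # hypothetical in-memory stand-in for a DAV server
    admins: set              # assumed to be set out of band, as the reply notes
    locks: dict = field(default_factory=dict)   # resource path -> Lock

    def lock(self, principal, path, token):
        if path in self.locks:
            return 423       # already locked
        self.locks[path] = Lock(token, principal)
        return 200

    def lockdiscovery(self, principal, path):
        # Any requester may read the token; no authorization check here.
        lk = self.locks.get(path)
        return lk.token if lk else None

    def unlock(self, principal, path, token):
        lk = self.locks.get(path)
        if lk is None or lk.token != token:
            return 409       # token does not name a lock on this resource
        # Knowing the token grants nothing; the caller's identity decides.
        allowed = principal == lk.owner or principal in self.admins
        if principal is None or not allowed:
            return 403
        del self.locks[path]
        return 204

def demo():
    mgr = LockManager(admins={"admin"})
    # Constructed sample token and principals.
    mgr.lock("alice", "/spec.html", "opaquelocktoken:constructed-0001")
    seen = mgr.lockdiscovery("bob", "/spec.html")   # bob learns alice's token
    results = {
        "bob": mgr.unlock("bob", "/spec.html", seen),
        "anonymous": mgr.unlock(None, "/spec.html", seen),
        "wrong_token": mgr.unlock("admin", "/spec.html", "opaquelocktoken:other"),
        "admin": mgr.unlock("admin", "/spec.html", seen),
    }
    results["still_locked"] = "/spec.html" in mgr.locks
    return results

if __name__ == "__main__":
    print(demo())
```

A server that skipped the principal check in `unlock` would turn the discoverable token into a bearer credential, which is the failure this design avoids.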