W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > January to March 1999

Comments on ACL Protocol

From: Jim Whitehead <ejw@ics.uci.edu>
Date: Thu, 7 Jan 1999 16:13:34 -0800
To: WEBDAV WG <w3c-dist-auth@w3.org>
Cc: Yaron Goland <yarong@microsoft.com>, Paul Leach <paulle@microsoft.com>
Message-ID: <004101be3a9b$bb5c8fe0$d115c380@galileo.ics.uci.edu>
Here are my comments on the WebDAV ACL Protocol,

Like the access control goals document, I found this document to be a good
starting point for discussions on creating an access control protocol for
WebDAV.  It too could benefit from review by the mailing list, but it is in
very good shape for an initial draft.


 - There are several "standard" sections which are missing from this draft,
such as:
   * Notational conventions
   * Terminology (the definitions should be the same as in the goals
   * Security considerations
   * Internationalization considerations


- Somewhere, this document needs to have a section describing the problem of
mapping the rights in the access control protocol into rights supported by
the underlying repository.

 - Since this document is really a Web access control protocol, the title
should reflect this.  I prefer the title, "Web Access Control Protocol"


 - The introduction should, before leaping into a discussion of mechanism,
give a brief overview of the problem, and the need for a protocol.

 - The introduction states that "individual properties can be given their
own ACL", yet this is different from my reading of the goals document.

Principal Identifiers:

 - The goals document states that groups are out of scope, yet a compound
principal sounds very much like a group.  Furthermore, compound principals
are underspecified -- this document has a brief definition, and no associate
protocol elements.

 - Human readability of principal identifiers is going to be a problem,
since presumably they will be exposed in the user interface at some point in

Granting and Denying Rights:

- The first paragraph needs some work.  First, my understanding is that it
is an ACE, not an ACL which does the actual granting and denying of rights.
An ACL is just a collection of ACEs.  Second, the need for having both grant
and deny capability comes from many sources, not just from compound
principals.  In particular, I had thought that groups could be modeled by
sets of ACEs, and hence the compound principal notion isn't strictly needed.
Plus, if the protocol is going to have compound principals, then the goals
need to allow them, rather than disallowing them.

- In the third paragraph it states, "Rights MAY only be granted to a
principal by an explicit listing of that principal in a 'grant' section of
an ACL."  First, I think the "ACL" should be an "ACE".  Second, the MAY
isn't really right -- this is really a MUST requirement phrased in a odd

- The rules for resolution of access control conflicts have a few
definitional problems:
  * The conflict resolution rules use the term "parent" and "child", which
need to be defined.
  * This definition could be difficult, since a resource may be accessible
via multiple collections.  I'm assuming that ACLs are associated with a
resource, rather than associated with a URL, in which case "parent" and
"child" relationships aren't 1:1.  It also raises tough questions like, how
should inheritance occur when a resource is accessible via multiple URIs
which exist in mutiple collections. Having ACLs associated with URLs might
not be a bad approach here.

Section 3.1, "Examples"

 - The examples need to carefully use the defined terms in the protocol.
So, for example, Section 3.1.1 should read:

"An ACE in the ACL defined on a resource specifies that the principal whose
opaque identifier as provided by the authentication service is 'A'..."

Section 4, "ACL Inheritance"

 - The inheritance model needs to consider non 1:1 containment relationships

 - There is some discussion here about the "owner value" being set upon
resource creation.  Ownership is important enough that it deserves its own
section, which discusses how the owner is set, read, etc.

 - "Inheritance can either be static or dynamic." -- The specification needs
to be a little more detailed here.  If inheritance can go either way, can a
client specify this when they MKCOL?  Or is this an inherent characteristic
of the repository?  Is it discoverable?  Personally, I think mandating
static inheritance, and having no dynamic inheritance is the best choice

Section 5, Properties and ACLs

 - Do we want properties to have per-property access rights?

Section 6, Rights definitions

 - All the namespaces need to be "DAV:"

Section 6.5, createchild

 - The "ADDREF" reference should be changed to "MKREF"
 - MKCOL needs to be added

Section 6.6

 - The reference to "DELREF" goes away.

Section 6.9

 - The definition should be restated in terms of the ACL method, not
modifying the ACL property

There also nede to be some new rights:

 - read body
 - read properties
 - a right that controls POST (?)
 - a right that controls LOCK/UNLOCK (?)
 - a right that controls HEAD, OPTIONS (?)

Section 7.2 - "allauthprincipals XML element"

 - what is the scope of "all authenticated principals"?  Per connection? Per

Section 8.2

 - I think it would be appropriate to start specifying the error reporting.

End of section 8:

 - There needs to be a DTD section which captures all of the properties and
elements into one DTD.


In the "Status of this Memo" section, ds.internic.net is no longer active.
This section should also add the standard WebDAV draft boilerplate on the
DAV mailing list, and DAV archives location.

In the header for all pages except the first, WebDAV is miscapitalized as
"WEBDav" rather than "WebDAV".  Although, this should really just be the
"Web Access Control Protocol".

The section "Principals Identifiers" should either be "Principal's
Identifiers" or better yet, "Principal Identifiers"

6.2, "read Right"

- There is a reference to the INDEX method in here.

Section 9:

- need to use new XML namespaces syntax

- Jim
Received on Thursday, 7 January 1999 19:16:45 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:01:19 UTC