RE: [ACL] Conference call notes, Mar. 31 from jamsden@us.ibm.com on 2000-04-03 (w3c-dist-auth@w3.org from April to June 2000)

From: <jamsden@us.ibm.com>
Date: Mon, 3 Apr 2000 13:50:06 -0400
To: w3c-dist-auth@w3c.org
Message-ID: <852568B6.00620752.00@d54mta03.raleigh.ibm.com>

All, upon further thought, I don't feel that  authentication should ever
come into the realm of ACLs, since (I'd hope) any  authentication is
performed at the HTTP/WebDAV level before any ACL is  examinedand that the
ACL "engine" should trust the identity performing  operations. In other
words, any principal information in the ACL should  be compared against the
principal information for the request (which should  already have been
authenticated as a valid principal or re-assigned as an  invalid one)
without trying to communicate to an owning "domain server" of that
principal's  domain.
<jra>
I agree with this.
</jra>

Received on Monday, 3 April 2000 14:00:26 UTC