- From: Eric Sedlar <esedlar@us.oracle.com>
- Date: Wed, 5 Jan 2000 12:15:40 -0800
- To: "Slein, Judith A" <JSlein@crt.xerox.com>, "Jim Whitehead" <ejw@ics.uci.edu>, "WebDAV WG" <w3c-dist-auth@w3.org>
- Cc: "Geoffrey M. Clemm" <geoffrey.clemm@rational.com>
Responses are inlined... ----- Original Message ----- From: Slein, Judith A <JSlein@crt.xerox.com> To: 'Eric Sedlar' <esedlar@us.oracle.com>; Jim Whitehead <ejw@ics.uci.edu>; WebDAV WG <w3c-dist-auth@w3.org> Cc: Geoffrey M. Clemm <geoffrey.clemm@rational.com> Sent: Wednesday, January 05, 2000 7:05 AM Subject: RE: WG Last Call: Bindings Protocol [snip] > > We do say in Section 11: > > "A PROPFIND requesting DAV:bindings MUST return only those bindings that the > client is authorized to see." > > So your suggestion is that in addition we say that if the client is not > authorized to read the collection C in which a binding C:(S->R) appears, the > client is also not authorized to see that value of the DAV:bindings property > on the resource R. Then we could get rid of the security concern described > in 16.4. Is that right? > Right. > > * some comment to the effect that if the URL is a versioned > > resource, and > > the currently selected revision is changed, the resourceid > > will not change. > > (I'm assuming that is what you want.) So even though two > > people might see > > different data from a GET request from the same URL (because > > they would get > > a different revision selected), they would still have the > > same resourceid. > > Therefore, people should NOT use resourceid to invalidate > > caches or any > > other application that assumes a one to one correspondence between > > resourceid and data. > > I think that your conclusions are all exactly correct, but I agree with > Jason that it would be better to discuss ramifications for versioning in the > DeltaV spec. > I still think it would be useful to have a reference in the Binding spec, even if you move the discussion to the DeltaV spec. --Eric
Received on Wednesday, 5 January 2000 15:14:31 UTC