W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > January to March 2000

RE: WebDAV Bindings - Issue Yaron.ApplePie3

From: Slein, Judith A <JSlein@crt.xerox.com>
Date: Tue, 18 Jan 2000 10:36:03 -0500
Message-ID: <8E3CFBC709A8D21191A400805F15E0DBD24568@crte147.wc.eso.mc.xerox.com>
To: "'Yaron Goland'" <yarong@Exchange.Microsoft.com>, w3c-dist-auth@w3.org
Comments in <js> </js> below.
 -----Original Message-----
From: Yaron Goland [mailto:yarong@Exchange.Microsoft.com]
Sent: Sunday, January 16, 2000 8:26 PM
To: w3c-dist-auth@w3.org
Subject: WebDAV Bindings - Issue Yaron.ApplePie3

Section 11 of the BIND spec states: "A PROPFIND requesting DAV:bindings MUST
return only those bindings that the client is authorized to see."

This brings up a couple of questions. The first question is "How do I ever
know if I have the definitive list of bindings?" I suspect the answer is
"you don't" since there may be bindings you aren't authorized to see. 

<js> Right. </js>

This then brings us to another sentence in section 11 which reads "If the
DAV:bindings property exists on a given resource, it MUST contain a complete
list of all bindings to that resource."

However this means that the dav:bindings property must always return a
complete list of bindings which the sentence following it (given at the
start of this letter) contradicts. 

<js> I don't see this as contradictory.  The value of the property on the
resource is the complete list of bindings.  What gets returned in response
to any particular PROPFIND request is some subset of that value. </js> 

One should never have two MUST level requirements that are in direct
contradiction. The reason for the contradiction is that we have raised the
bar too high on the contents of the dav:bindings property value. We have
already specified that due to security concerns it is absolutely impossible
for you to ever be sure that you necessarily have the complete list of
bindings. Therefore requiring that the complete list be returned, even as
the default in the absence of security concerns, is self defeating.

Therefore I move that the language in section 11 be changed to read that the
dav:bindings property may contain zero or more of the bindings available on
a resource rather than the definitive set since it is impossible to
meaningfully require that the definitive set be returned.
Received on Tuesday, 18 January 2000 10:36:11 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:01:21 UTC