W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > October to December 2001

Re: Last Call: Access Control Protocol

From: Roy T. Fielding <fielding@ebuilt.com>
Date: Fri, 9 Nov 2001 18:45:43 -0800
To: Jim Whitehead <ejw@cse.ucsc.edu>
Cc: WebDAV <w3c-dist-auth@w3.org>
Message-ID: <20011109184543.B935@waka.ebuilt.net>
Some general comments:

 1) Why does every example use xmlns:D="DAV:"?  That seems to be a pointless
    exercise in indirection that will ultimately lead to clients that
    parse on D:whatever instead of the actual spec.  Besides, DAV itself
    is an xmlns that needs to be defined somewhere.  If the goal is to
    simply show that it is possible, then only one or two of the examples
    should use the shorter short name.

 2) This protocol has departed from the Web interface of access control being
    set on a per-method basis.  The effect of this change is that access
    control will now have to be governed by both the Web server and whatever
    handler within the Web server is interpreting WebDAV methods, resulting
    in a pointless duplication of code (and effort, if the resource
    requires both forms be active).  Eventually, someone will have to
    define an HTTP access control protocol.

 3) The protocol does not differentiate between writing to a resource (PUT)
    and appending to a resource (POST), and thus cannot be used to control
    shared access for things like guest-books, log files, or collection-like
    bulletin-board resources.

The first is a matter of editorial choice.  The second prevents this protocol
from being generally useful outside webdav.  The third leads from the second.
I don't think any of them would necessarily prevent it from becoming a
proposed standard for WebDAV, but I wouldn't call it access control for
the Web.

....Roy
Received on Friday, 9 November 2001 21:49:07 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:43:59 GMT