- From: Clemm, Geoff <gclemm@rational.com>
- Date: Tue, 22 Jan 2002 08:08:52 -0500
- To: w3c-dist-auth@w3c.org
The ACL spec does not associate a principal URL with an authenticated user, and therefore a principal URL is not in general available. The ACL spec only assumes that the server can "match" a users credentials against the principals identified in the ACL of a resource, but it does not assume that the server can pick one of these principals as "being" the user (several can match). In addition, it is a security hole to require a server to provide more identification about a user than that user's client wishes to provide. Because of these reasons, I strongly object to the introduction of a server defined principal field. Cheers, Geoff -----Original Message----- From: Lisa Dusseault [mailto:lisa@xythos.com] Sent: Tuesday, January 22, 2002 12:21 AM To: Clemm, Geoff; w3c-dist-auth@w3c.org Subject: RE: HOW_TO_IDENTIFY_LOCK_OWNER What I would find most useful would be a lock owner field with a value defined by the server. Since the server is likely to have authenticated the user, they presumably know how to identify the user. Existing support for the ACLs spec would mean that a Principal URL could be available. Allowing the server to set this value means that the information is more reliable. Lisa > -----Original Message----- > From: w3c-dist-auth-request@w3.org > [mailto:w3c-dist-auth-request@w3.org]On Behalf Of Clemm, Geoff > Sent: Friday, January 18, 2002 11:28 AM > To: w3c-dist-auth@w3c.org > Subject: RE: HOW_TO_IDENTIFY_LOCK_OWNER > > > I would describe our conclusion as: > > We need to define a new field, say DAV:lockowner, that is specified > in a LOCK request, and that takes an XML value. We will define > some standard elements for that value. > > We should then deprecate the use of the DAV:owner field, as a field > that contains non-interoperable data about the lock owner. > > Cheers, > Geoff > > -----Original Message----- > From: Jason Crawford [mailto:ccjason@us.ibm.com] > Sent: Friday, January 18, 2002 1:35 PM > To: Daniel Brotsky; w3c-dist-auth@w3c.org; Lisa Dusseault > Subject: RE: HOW_TO_IDENTIFY_LOCK_OWNER > > > > It sounds like we've concluded that we can't reuse the lockowner field > because we've already specified that it's free text. > > Do we still have the requirement mentioned at... > > http://lists.w3.org/Archives/Public/w3c-dist-auth/2001JulSep/0218.html > says... > > regarding identifying the owner of a lock? If so, now that we've had some > discussion on this topic, can someone provide an improved > definition of the > requirement? And a proposal? Dan? Lisa? Geoff? Julian? > > J. > > ------------------------------------------ > Phone: 914-784-7569, ccjason@us.ibm.com >
Received on Tuesday, 22 January 2002 08:10:26 UTC