W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > January to March 2002


From: Clemm, Geoff <gclemm@rational.com>
Date: Tue, 22 Jan 2002 08:08:52 -0500
Message-ID: <3906C56A7BD1F54593344C05BD1374B10585E44F@SUS-MA1IT01>
To: w3c-dist-auth@w3c.org
The ACL spec does not associate a principal URL with an authenticated
user, and therefore a principal URL is not in general available.  The ACL
only assumes that the server can "match" a users credentials against
the principals identified in the ACL of a resource, but it does not assume
that the server can pick one of these principals as "being" the user
(several can match).

In addition, it is a security hole to require a server to provide more
identification about a user than that user's client wishes to provide.

Because of these reasons, I strongly object to the introduction of a
server defined principal field.


-----Original Message-----
From: Lisa Dusseault [mailto:lisa@xythos.com]
Sent: Tuesday, January 22, 2002 12:21 AM
To: Clemm, Geoff; w3c-dist-auth@w3c.org

What I would find most useful would be a lock owner field with a value
defined by the server.  Since the server is likely to have authenticated the
user, they presumably know how to identify the user.  Existing support for
the ACLs spec would mean that a Principal URL could be available.  Allowing
the server to set this value means that the information is more reliable.


> -----Original Message-----
> From: w3c-dist-auth-request@w3.org
> [mailto:w3c-dist-auth-request@w3.org]On Behalf Of Clemm, Geoff
> Sent: Friday, January 18, 2002 11:28 AM
> To: w3c-dist-auth@w3c.org
> I would describe our conclusion as:
> We need to define a new field, say DAV:lockowner, that is specified
> in a LOCK request, and that takes an XML value.  We will define
> some standard elements for that value.
> We should then deprecate the use of the DAV:owner field, as a field
> that contains non-interoperable data about the lock owner.
> Cheers,
> Geoff
> -----Original Message-----
> From: Jason Crawford [mailto:ccjason@us.ibm.com]
> Sent: Friday, January 18, 2002 1:35 PM
> To: Daniel Brotsky; w3c-dist-auth@w3c.org; Lisa Dusseault
> It sounds like we've concluded that we can't reuse the lockowner field
> because we've already specified that it's free text.
> Do we still have the requirement mentioned at...
>   http://lists.w3.org/Archives/Public/w3c-dist-auth/2001JulSep/0218.html
> says...
> regarding identifying the owner of a lock?  If so, now that we've had some
> discussion on this topic, can someone provide an improved
> definition of the
> requirement?    And a proposal?  Dan?  Lisa? Geoff?  Julian?
> J.
> ------------------------------------------
> Phone: 914-784-7569,   ccjason@us.ibm.com
Received on Tuesday, 22 January 2002 08:10:26 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:01:24 UTC