W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > April to June 2004

RFC2518 issues IF_AND_AUTH and LOCK_SEMANTICS

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sun, 25 Apr 2004 17:00:24 +0200
Message-ID: <408BD288.8010907@gmx.de>
To: Webdav WG <w3c-dist-auth@w3c.org>

 From <http://www.webdav.org/wg/rfcdev/issues.htm>:

IF_AND_AUTH: "The fact that use of authentication credentials with 
submission of lock tokens is required should be strengthened in the 
document."

and

LOCK_SEMANTICS: "At present, the WebDAV specification is not 
excruciatingly explicit that writing to a locked resource requires the 
combination of the lock token, plus an authentication principal. At one 
point, the spec. discusses an “authorized” principal, but “authorized” 
is never explicitly defined."

I'd like to confirm that indeed authentication and the ability to use a 
given lock token MAY be orthogonal. That is, a server can

- restrict usage of the lock token to exactly the principal that was 
authenticated when the lock was obtained,

- restrict usage to the creator as above and a group of other principals 
that are allowed to "break" the lock (WebDAV ACL DAV:unlock privilege, 
see 
<http://greenbytes.de/tech/webdav/draft-ietf-webdav-acl-latest.html#PRIVILEGE_unlock>) 
or

- allow anybody who knows the lock token to use it.

I think right now there are servers implementing each of these schemes, 
and there doesn't seem to be any problem with that.

Regards, Julian

-- 
<green/>bytes GmbH -- http://www.greenbytes.de -- tel:+492512807760
Received on Sunday, 25 April 2004 11:01:18 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:44:06 GMT