
Re: [Bug 71] Clarify what servers may and may not do with privileges when BIND is used

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 11 May 2005 23:54:17 +0200
Message-ID: <42827F09.4090807@gmx.de>
To: Lisa Dusseault <lisa@osafoundation.org>
CC: Elias Sinderson <elias@cse.ucsc.edu>, webdav WG <w3c-dist-auth@w3.org>

Lisa Dusseault wrote:
> 
> Elias, I guess you didn't see my recent mail about being on a 
> several-week vacation?  I was gone the whole time of the conversations 
> that you wanted a timely response for.  It was a long absence, but I 
> promise I won't have frequent honeymoons.

So what about Joe? I would have assumed that one of the benefits of having 
two WG chairs is to reduce the amount of time where no chair is 
available to run the working group?

> As for managing the Bugzilla bug status, I had kind of assumed that was 
> a failed experiment.  Until you responded, Julian and I were the only 
> ones who had used the system.  Without any usage, it certainly wasn't 

Plus Jim. Plus Geoff. Plus Elias.

> working as expected.  I appreciate you trying to use it as intended but 
> it still might be a broken process.

This I agree with.

> With respect to this particular bug, I don't agree this should be 
> closed.  The specification doesn't say what permissions changes might be 
> applied when BIND or REBIND methods are successful at creating new 
> bindings.  I had a strawman proposal and I'd like to see some feedback 
> on it:
> 
> "When a client uses BIND or REBIND to create/modify a binding to an
> existing resource, the server has three options: treat this as a new
> resource and overwrite the resource ACL with the permissions that would
> be inherited in the location of the new binding, treat this as an
> existing resource and do no ACL inheritance, or take a middle path and
> use ACL inheritance in the new location by adding the permissions
> granted to the ACLs already on the resource.  A server SHOULD follow
> the last approach, as being the approach assumed to be closest to the
> user's desired model, where a resource bound to multiple URLs ought to
> be available to principals who would be able to access that URL had it
> been bound using PUT."

So, no, it's not the BIND spec which should define this.

Also note that Joe *did* follow up on this in the thread starting at 
<http://lists.w3.org/Archives/Public/w3c-dist-auth/2005JanMar/0165.html>, 
and that as a consequence the following change was made in the spec 
(<http://greenbytes.de/tech/webdav/draft-ietf-webdav-bind-11.html#rfc.change.9_ns_op_and_acl.1>):

"BIND and REBIND behave the same as MOVE with respect to the DAV:acl 
property (see [RFC3744], section 7.3)."

As far as I can tell, you even agreed to this resolution in 
<http://lists.w3.org/Archives/Public/w3c-dist-auth/2005JanMar/0175.html>:

"This is fine with me for BIND, and I think the same is also true of 
REBIND and UNBIND."

So it is really really unclear to me how you can reasonably claim that 
the issue hasn't been resolved.

> With respect to other bugs, I'll try to get to my issues but I'm still 
> catching up at work too.

Well, we've been waiting for over three months now, so it wasn't 
unreasonable for Elias to go ahead and assume that there'll be no new 
feedback. And, as far as bug #71 is concerned, I think he was indeed 
correct in assuming so.


Best regards, Julian
Received on Wednesday, 11 May 2005 21:54:33 GMT
