- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sat, 29 Oct 2005 10:43:39 +0200
- To: Geoffrey M Clemm <geoffrey.clemm@us.ibm.com>
- CC: Lisa Dusseault <lisa@osafoundation.org>, w3c-dist-auth@w3.org
Geoffrey M Clemm wrote:
>
> The last sentence is incorrect. A lock token appears in a PROPFIND
> lockdiscovery only if the server wishes to expose it. I have argued
> in the past that a sensible server should never expose a lock token in a
> PROPFIND lockdiscovery, since it just allows a client of a user
> to incorrectly re-use a lock token still in use by another client
> of that user. So if we say anything, it should "A server SHOULD NOT
> include a lock token in a PROPFIND lockdiscovery, since it introduces
> the possibility of two clients of a given user overwriting each other's
> changes".

Here I'll disagree with Geoff :-)

"lock stealing" is further controlled (or can be controlled) by checking the principal as well.

I *do* agree that it makes sense to have one coherent section that gives advice on how not to reveal lock tokens. For instance, servers are allowed to report the locks, but not to disclose the lock tokens (see <http://greenbytes.de/tech/webdav/rfc2518.html#rfc.section.12.1>).

Best regards, Julian
Received on Saturday, 29 October 2005 08:44:09 UTC
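
The two server-side controls discussed in this message, sketched as an added example that is not part of the original e-mail or of any WebDAV server's code: honoring a submitted lock token only for the principal that created the lock, and reporting a lock in `DAV:lockdiscovery` without its `DAV:locktoken`. The `Lock` class, the function names and the sample token are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

DAV = "DAV:"
ET.register_namespace("D", DAV)


@dataclass(frozen=True)
class Lock:
    token: str        # lock token URI (the value below is constructed)
    principal: str    # authenticated principal that created the lock
    scope: str = "exclusive"
    depth: str = "0"


def may_write(lock, principal, submitted_tokens):
    """Honor a submitted token only if the requester is the lock's creator.

    This stops a different user who learned the token. It cannot tell two
    clients of the same user apart, which is the case the quoted text raises.
    """
    if lock is None:
        return True
    return lock.token in submitted_tokens and principal == lock.principal


def lockdiscovery(lock, disclose_token=False):
    """Build DAV:lockdiscovery; by default the lock is reported without its token."""
    root = ET.Element(f"{{{DAV}}}lockdiscovery")
    if lock is None:
        return root
    active = ET.SubElement(root, f"{{{DAV}}}activelock")
    ET.SubElement(ET.SubElement(active, f"{{{DAV}}}lockscope"), f"{{{DAV}}}{lock.scope}")
    ET.SubElement(ET.SubElement(active, f"{{{DAV}}}locktype"), f"{{{DAV}}}write")
    ET.SubElement(active, f"{{{DAV}}}depth").text = lock.depth
    if disclose_token:
        holder = ET.SubElement(active, f"{{{DAV}}}locktoken")
        ET.SubElement(holder, f"{{{DAV}}}href").text = lock.token
    return root


# Constructed sample lock, not taken from any real server.
SAMPLE = Lock("opaquelocktoken:00000000-0000-0000-0000-000000000001", "alice")

if __name__ == "__main__":
    print(ET.tostring(lockdiscovery(SAMPLE), encoding="unicode"))
    print("bob with alice's token may write:",
          may_write(SAMPLE, "bob", {SAMPLE.token}))
```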