
Re: Mount considerations

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 18 May 2006 07:30:34 +0200
Message-ID: <446C067A.90707@gmx.de>
To: Lisa Dusseault <lisa@osafoundation.org>
CC: WebDav WG <w3c-dist-auth@w3.org>

Lisa Dusseault wrote:

> Thinking about the DAV mount proposal (after posting on the CalDAV 

<http://greenbytes.de/tech/webdav/draft-reschke-webdav-mount-04.html>

> list), I started wondering if there's any real security consideration if 
> the mount document is on a totally different server than the WebDAV 
> collection.
>  - Denial of service?  No different than any cross-site link to a WebDAV 
> collection

Correct.

>  - Privacy? Possibly leaks username which is ordinarily not revealed.  

The username (optionally) is sent in the content from server to client 
(see 
<http://greenbytes.de/tech/webdav/draft-reschke-webdav-mount-04.html#ELEMENT_username>). 
In general, this is the user name that was used to authenticate to the 
Web site in the first place, so I'm not sure why sending it back to the 
client is any kind of security risk?

> Difficult to keep permissions synched with collection permissions.

What does this have to do with the act of mounting?

>  - Other?  (anyone?  what am I missing?)
> 
> I guess the only one of those that bears mentioning in the document is 
> that servers would reveal information unnecessarily, and possibly 
> irresponsibly, unless they were to apply the same ACL to the collection 
> and to the mount document.

I'm not sure what kind of information you're referring to here. Please 
be more specific...

Best regards, Julian
Received on Thursday, 18 May 2006 05:30:44 GMT
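As an added example (not code from the thread or from the mount draft), a client-side check of a davmount document for the two concerns discussed above: a collection URL that lives on a different server than the mount document itself, and a username element carried in the content. The namespace URI and element names are assumed from the published mount specification rather than taken from this page; the sample document and URLs are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespace of application/davmount+xml (assumed from the published mount
# spec; the thread only links to draft -04 and does not quote it).
DM_NS = "http://purl.org/NET/webdav/mount"

# Constructed sample: a mount document served from portal.example.org that
# points at a collection on a different host and includes a username.
SAMPLE_MOUNT = """<?xml version="1.0" encoding="UTF-8"?>
<dm:mount xmlns:dm="http://purl.org/NET/webdav/mount">
  <dm:url>http://dav.example.net/shared/</dm:url>
  <dm:open>report.doc</dm:open>
  <dm:username>alice</dm:username>
</dm:mount>"""


def inspect_mount_document(xml_text: str, document_url: str) -> dict:
    """Parse a davmount body and report whether the target collection is on
    another server than the document it came from (document_url), and
    whether a username is disclosed in the content."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{DM_NS}}}mount":
        raise ValueError("not a davmount document")
    url_el = root.find(f"{{{DM_NS}}}url")
    if url_el is None or not (url_el.text or "").strip():
        raise ValueError("mount document lacks a dm:url element")
    collection = urlsplit(url_el.text.strip())
    if collection.scheme not in ("http", "https") or not collection.netloc:
        raise ValueError("dm:url must be an absolute http(s) URL")
    origin = urlsplit(document_url)
    user_el = root.find(f"{{{DM_NS}}}username")
    open_el = root.find(f"{{{DM_NS}}}open")
    return {
        "collection": url_el.text.strip(),
        # scheme + host:port of the collection differ from the document's
        "cross_server": (collection.scheme, collection.netloc)
        != (origin.scheme, origin.netloc),
        "username": (user_el.text or "").strip() if user_el is not None else None,
        "open": (open_el.text or "").strip() if open_el is not None else None,
    }
```

A client that mounts can use the returned flags to decide, for example, whether to warn before sending stored credentials to a server other than the one that handed out the mount document.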
