W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > April to June 2006

Re: Mount considerations

From: Lisa Dusseault <lisa@osafoundation.org>
Date: Mon, 22 May 2006 16:06:35 -0400
Message-Id: <0EC3BC3D-06E4-4A21-94B4-6C709044B326@osafoundation.org>
Cc: WebDav WG <w3c-dist-auth@w3.org>
To: Julian Reschke <julian.reschke@gmx.de>


On May 18, 2006, at 1:30 AM, Julian Reschke wrote:

> Lisa Dusseault schrieb:
>
>> Thinking about the DAV mount proposal (after posting on the CalDAV
>
> <http://greenbytes.de/tech/webdav/draft-reschke-webdav-mount-04.html>
>
>> list), I started wondering if there's any real security  
>> consideration if the mount document is on a totally different  
>> server than the WebDAV collection.
>>  - Denial of service?  No different than any cross-site link to a  
>> WebDAV collection
>
> Correct.
>
>>  - Privacy? Possibly leaks username which is ordinarily not revealed.
>
> The username (optionally) is sent in the content from server to  
> client (see <http://greenbytes.de/tech/webdav/draft-reschke-webdav- 
> mount-04.html#ELEMENT_username>). In general, this is the user name  
> that was used to authenticate to the Web site in the first place,  
> so I'm not sure why sending it back to the client is any kind of  
> security risk?

It's not obvious at all to me that the username I use to download the  
mount document is the same one my client used to authenticate to get  
the document.   That implies that the document is dynamically  
generated, always.   That makes it harder to deploy in some cases.

>
>> Difficult to keep permissions synched with collection permissions.
>
> What does this have to do with the act of mounting?
>
>>  - Other?  (anyone?  what am I missing?)
>> I guess the only one of those that bears mentioning in the  
>> document is that servers would reveal information unnecessarily,  
>> and possibly irresponsibly, unless they were to apply the same ACL  
>> to the collection and to the mount document.
>
> I'm not sure what kind of information you're referring to here.  
> Please be more specific...

Given my assumption that the username could be the one the client is  
using or some *other* username, there is at least a possibility of  
information leaking here.

Lisa
Received on Monday, 22 May 2006 20:06:47 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:44:14 GMT