
Re: Bindings and permissions

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sun, 22 Jan 2006 10:46:10 +0100
Message-ID: <43D35462.5030202@gmx.de>
To: webdav <w3c-dist-auth@w3.org>
CC: Geoffrey M Clemm <geoffrey.clemm@us.ibm.com>

Geoffrey M Clemm wrote:
> 
> The issues/questions raised by Lisa are not related to the bind spec;
> they are about dynamically inherited ACL's, which is not something that
> is currently modeled in the ACL spec.  So there is nothing that can
> be changed about the bind spec to address this issue ... it is an ACL
> spec issue.  If the ACL spec were extended to model dynamically inherited
> ACL's, then it would need to deal with multiple parents, but that is no
> harder than dealing with the interaction of the ACL directly on a resource
> with the ACL's that it inherits, so multiple bindings does not introduce
> any new issues in that regard.
> 
> Cheers,
> Geoff

I fully agree with Geoff here.

RFC3744 doesn't define how a server handles inherited ACLs (if the 
inheritance isn't made explicit by specifying the resource from which 
the ACLs are inherited, as per 
<http://greenbytes.de/tech/webdav/rfc3744.html#rfc.section.5.5.4> and 
<http://greenbytes.de/tech/webdav/rfc3744.html#rfc.section.5.7>).

Lisa's question seems to be: "how does a BIND+ACL server behave with 
dynamically inherited ACLs?", and the answer clearly is: "it's 
undefined, just like with an ACL server that does not support BIND".

Now I understand that someone who wants to implement both in one server 
will ask the WG for an opinion anyway, and that's fine. But, again: this is 
about a restriction in the RFC3744 ACL model and really, really doesn't 
have anything to do with BIND.

Best regards, Julian
Received on Sunday, 22 January 2006 09:48:22 GMT
