W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > January to March 2006

Re: [Bug 226] if matching and non-existant resources

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 01 Feb 2006 14:38:06 +0100
Message-ID: <43E0B9BE.6070107@gmx.de>
To: Elias Sinderson <elias@soe.ucsc.edu>
CC: w3c-dist-auth@w3.org

Elias Sinderson wrote:
> bugzilla@soe.ucsc.edu wrote:
>> http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=226
>> ------- Additional Comments From geoffrey.clemm@us.ibm.com  2006-01-30 
>> 07:34 -------
>>> Given an unmapped URL "/x", will the condition in
>>>  If: </x> (Not <DAV:foobar>)
>>> evaluate to true or false?
>> Since "If: </x> <DAV:foobar>" would evaluate to "false", unless we 
>> adjust the definition of NOT, this has to evaluate to "true".
> Agreed.
>>> To complicate things, what's the situation for a URL that is mapped, 
>>> but for
>>> which the authenticated principal lacks access rights?
>> As above, it would just be the opposite of what "If: </x> 
>> <DAV:foobar>" would evaluate to.  But there remains the question of 
>> what "If: </x> <DAV:foobar>" would evaluate to.  The guiding priciple 
>> here is probably avoiding exposing information to unauthorized users.  
>> So an inability to see the object should probably be treated the same 
>> as the object not existing, so NOT would return "true".
> I also agree with the above -- especially wrt the security implications 
> therein.
> Is it worth mentioning this somewhere in bis?

I agree with the analysis, and I think we needs to at least clarify the 
matching for unmapped URLs.

Best regards, Julian
Received on Wednesday, 1 February 2006 13:40:45 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:44:13 GMT