W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > January to March 2006

RE: rfc2518bis-14 WGLC comments (part 1)

From: John Barone <jbarone@xythos.com>
Date: Wed, 15 Mar 2006 10:12:50 -0800
To: "'Julian Reschke'" <julian.reschke@gmx.de>, "'WebDAV'" <w3c-dist-auth@w3.org>
Message-ID: <NSNOVPS00411uTT7u3C00000de9@NSNOVPS00411.nacio.xythos.com>

>>    After a successful COPY invocation, all dead properties on the source
>>    resource MUST be duplicated on the destination resource, along with
>>    all properties as appropriate.  Live properties described in this

>> -> MUST seems to be too strong, as the ability to PROPPATCH dead 
>> properties is only a SHOULD-level requirement. 


... why is MUST too strong here (your PROPPATCH argument notwithstanding)?
I don't see this as different than what the previous 2518 spec. stated, in
section 8.8.1.


>    Dead properties MUST be moved along with the resource.

> -> Again, hard to defend because there's only a SHOULD level req to 
> support them in PROPPATCH.

... also don't see this as different than what's stated in 2518

-John 


-----Original Message-----
From: w3c-dist-auth-request@w3.org [mailto:w3c-dist-auth-request@w3.org] On
Behalf Of Julian Reschke
Sent: Wednesday, March 15, 2006 7:34 AM
To: WebDAV
Subject: rfc2518bis-14 WGLC comments (part 1)


Below is a summary of problems I found with draft 14. Note that I've marked
up everything in
<http://greenbytes.de/tech/webdav/draft-reschke-webdav-rfc2518bis-latest.htm
l>,
which may be more readable. Also note that this document contains more
changes based on issues that have been discussed before on this list; the
fact that I may not be repeating them below doesn't indicate that they
shouldn't be fixed before IESG submission as well.

Also note that the term "Section" should be uppercased everywhere when used
to refer to a specific section; otherwise the RFC Editor will have to do
that; and we want to save his/her time, right?


[Page 8]

    Properties: The ability to create, remove, and query information
    about Web pages, such as their authors, creation dates, etc.  Also,
    the ability to link pages of any media type to related pages.

-> what is the last sentence about?

    Namespace Operations: The ability to instruct the server to copy and
    move Web resources, operations which change the URL.

-> Sentence structure?

    This standard does not specify the versioning operations suggested by
    [RFC2291].  That work was done in a separate document, "Versioning
    Extensions to WebDAV" [RFC3253].

-> This document isn't a standard. Just say "this document".

    The sections below provide a detailed introduction to various WebDAV
    abstractions: resource properties (Section 4), collections of
    resources (Section 5), locks (Section 6) in general and write locks
    (Section 7) specifically.

    These abstractions are manipulated by the WebDAV-specific HTTP
    methods (Section 9) and the new HTTP headers (Section 10) used with
    WebDAV methods.

-> No mention of Section 8?


[Page 11]

    Collection - Informally, a resource that also acts as a container of
    references to child resources.  Formally, a resource that contains a
    set of mappings between path segments and resources and meets the
    requirements in Section 5.

-> "...defined in Section 5".


[Page 18]


    An HTTP URL namespace is said to be consistent if it meets the
    following conditions: for every URL in the HTTP hierarchy there
    exists a collection that contains that URL as an internal member.

-> "...internal member URL".

    The root, or top-level collection of the namespace under
    consideration is exempt from the previous rule.  The top-level

-> ^^^^^^^^^^^^^, (insert comma)

    Although implicit in [RFC2616] and [RFC3986], any resource, including
    collection resources, MAY be identified by more than one URI.  For
    example, a resource could be identified by multiple HTTP URLs.

-> Why "Although"? I think this needs to be rephrased.


    For all WebDAV compliant resources A and B, identified by URLs "U"
    and "V" respectively, such that "V" is equal to "U/SEGMENT", A MUST
    be a collection that contains a mapping from "SEGMENT" to B. So, if
    resource B with URL "http://example.com/bar/blah" is WebDAV compliant
    and if resource A with URL "http://example.com/bar/" is WebDAV
    compliant, then resource A must be a collection and must contain at
    least one mapping from "blah" to B.

-> Insert paragraph suggested by Geoff Clemm below:

'Although commonly a mapping consists of a single segment and a resource, in
general, a mapping consists of a set of segments and a resource. This allows
a server to treat a set of segments as equivalent (i.e. either all of the
segments are mapped to the same resource, or none of the segments are mapped
to a resource). For example, a server that performs case-folding on segments
will treat the segments "ab", "Ab", "aB", and "AB" as equivalent, A client
can then use any of these segments to identify the resource. Note that a
PROPFIND result will select one of these equivalent segments to identify the
mapping, so there will be one PROPFIND response element per mapping, not one
per segment in the mapping.'


[Page 19]

    A typical scenario in which mapped URLs do not appear as members of
    their parent collection is the case where a server allows links or
    redirects to non-WebDAV resources.  For instance, "/col/link" might
    not appear as a member of "/col/", although the server would respond
    with a 302 status to a GET request to "/col/link", thus the URL
    "/col/link" would indeed be mapped.  Similarly, a dynamically-
    generated page might have a URL mapping from "/col/index.html", thus
    this resource might respond with a 200 OK to a GET request yet not
    appear as a member of "/col/".

-> Please re-insert subsection title in front of this para so that it's
easier to see where normative text ends and examples start.



[Page 21]

    This section provides a concise model for how locking behaves.  Later
    sections will provide more detail on some of the concepts and refer
    back to these model statements.  Normative statements related to LOCK
    and UNLOCK handling can be found in the sections on those methods,
    whereas normative statements that cover any method are gathered here.

-> "...LOCK and UNLOCK method handling..."


[Page 22]

    However, there are times when the goal of a lock is not to exclude
    others from exercising an access right but rather to provide a
    mechanism for principals to indicate that they intend to exercise
    their access rights.  Shared locks are provided for this case.  A
    shared lock allows multiple principals to receive a lock.  Hence any
    principal with appropriate access can use the lock.

-> Avoid a potential misunderstanding: each principal will need its own 
shared lock, they will *not* share the same lock. For instance.

"However, there are times when the goal of a lock is not to exclude 
others from exercising an access right but rather to provide a mechanism 
for principals to indicate that they intend to exercise their access 
rights. Shared locks are provided for this case, allowing multiple 
principals to receive a lock."


[Page 23]

    The creator of a lock has special privileges to use the locked
    resource.  When a locked resource is modified, a server MUST check
    that the authenticated principal matches the lock creator (in
    addition to checking for valid lock token submission).  For multi-
    user shared lock cases, each authenticated principal MUST obtain its
    own shared lock.

-> Misleading. Lock creator checks only apply (as a MUST level 
requirement) to lock token submission in the If header; removing the 
lock using UNLOCK is a separate thing. Furthermore, making a special 
statement about shared locks IMHO is confusing here.


[Page 24]

    Servers MAY make lock tokens publicly readable (e.g. in the DAV:
    lockdiscovery property).  One use case for making lock tokens
    readable is so that a long-lived lock can be removed by the resource
    owner (the client that obtained the lock might have crashed or
    disconnected before cleaning up the lock).  Except for the case of
    using UNLOCK under user guidance, a client SHOULD NOT use a lock
    tokens created by another client instance.

-> s/tokens/token/


[Page 25]

    A client MUST NOT assume that just because the time-out has expired
    the lock has immediately been cleaned up.

-> s/cleaned up/removed/


[Page 27]

    An exclusive write lock will prevent parallel changes to a resource
    by any principal other than the lock creator and in any case where
    the lock token is not submitted (e.g. by a client process other than
    the one holding the lock).

-> remove "parallel"; it may lead people to believe that this has 
something to do with timing

-> furthermore, this paragraph just states things repeated in aubsequent 
paragraphs, so it's best just to remove it


    While those without a write lock may not alter a property on a
    resource it is still possible for the values of live properties to
    change, even while locked, due to the requirements of their schemas.
    Only dead properties and live properties defined to respect locks are
    guaranteed not to change while write locked.

-> The whole paragraph doesn't seem to make sense anymore, because it 
seems to say the same thing as the previous section, but uses different 
terminology.


[Page 29]

    WebDAV provides the ability to lock an unmapped URL in order to
    reserve the name for use.  This is a simple way to avoid the lost-
    update problem on the creation of a new resource (another way is to
    use If-None-Match header specified in HTTP 1.1).  It has the side
    benefit of locking the new resource immediately for use of the
    creator.

-> s/HTTP 1.1/Section 14.26 of [RFC2616]/

-> Regarding the remainder of Section 7.3, please see 
<http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=202> and 
<http://lists.w3.org/Archives/Public/w3c-dist-auth/2006JanMar/0734.html>.


[Page 31]

    There are two kinds of collection write locks.  A "Depth 0" write
    lock on a collection protects the collection metadata plus the
    internal member URLs of that collection, while not protecting the
    content or metadata of child resources.  A "Depth: infinity" write
    lock on a collection provides the same protection on that collection
    and also protects every descendent resource as if that resource were
    itself write locked.

-> Again repeats stuff from previous sections, but in this case fails to 
say that collection content is lockable as well (if present). Why not 
just refer to "collection state"????

    Expressed otherwise, a write lock protects any request that would
    create a new resource in a write locked collection, any request that
    would remove an internal member URL of a write locked collection, and
    any request that would change the binding name of a member URL.

-> "binding name"?


[Page 32]

    In order to prevent these collisions a lock token MUST be submitted
    by an authorized principal for all locked resources that a method may
    change or the method MUST fail.  A lock token is submitted when it
    appears in an If header.  For example, if a resource is to be moved
    and both the source and destination are locked then two lock tokens
    must be submitted in the if header, one for the source and the other
    for the destination.

-> s/if/If/


[Page 34]

7.7.  Refreshing Write Locks

-> IMHO, the whole subsection is both unneeded (there simply isn't 
anything particular about refreshing *write* locks) and misleading. 
Please remove it.

    A client MUST NOT submit the same write lock request twice.  Note
    that a client is always aware it is resubmitting the same lock
    request because it must include the lock token in the If header in
    order to make the request for a resource that is already locked.

-> Repeating a LOCK request with an existing lock token in the If header 
is going to fail for an exclusive lock anway.

    However, a client may submit a LOCK method with an If header but
    without a body.  This form of LOCK MUST only be used to "refresh" a
    lock.  Meaning, at minimum, that any timers associated with the lock
    MUST be re-set.

-> Just point to the paragraph in the LOCK definition here. At a 
minimum, fix above sentence to say "request" instead of "method".


[Page 38]

    Some of these new methods do not define bodies.  Servers MUST examine
    all requests for a body, even when a body was not expected.  In cases
    where a request body is present but would be ignored by a server, the
    server MUST reject the request with 415 (Unsupported Media Type).
    This informs the client (which may have been attempting to use an
    extension) that the body could not be processed as they intended.

-> s/they//

    HTTP defines many headers that can be used in WebDAV requests and
    responses.  Not all of these are appropriate in all situations and
    some interactions may be undefined.  Note that HTTP 1.1 requires the
    Date header in all responses if possible (see section 14.18,
    [RFC2616]).

-> Not true, for instance for 100 Continue.


[Page 39]

    Because clients may be forced to prompt users or throw away changed
    content if the ETag changes, a WebDAV server SHOULD NOT change the
    ETag (or the Last-Modified time) for a resource that has an unchanged
    body and location.  The ETag represents the state of the body or
    contents of the resource.  There is no similar way to tell if
    properties have changed.

-> Language: "body or contents"?

    HTTP and WebDAV did not use the bodies of most error responses for
    machine-parsable information until DeltaV introduced a mechanism to
    include more specific information in the body of an error response
    (section 1.6 of [RFC3253]).  The error body mechanism is appropriate
    to use with any error response that may take a body but does not
    already have a body defined.  The mechanism is particularly
    appropriate when a status code can mean many things (for example, 400
    Bad Request can mean required headers are missing, headers are
    incorrectly formatted, or much more).  This error body mechanism is
    covered in Section 16

-> s/Section 16/Section 16./


[Page 41]

    A client MUST submit a Depth header with a value of "0", "1", or
    "infinity" with a PROPFIND request.  Servers MUST support "0" and "1"
    depth requests on WebDAV-compliant resources and SHOULD support
    "infinity" requests.  In practice, support for depth infinity
    requests MAY be disabled, due to the performance and security
    concerns associated with this behavior.  Since clients weren't
    required to include the Depth header in [RFC2518], servers SHOULD
    treat such a request as if a "Depth: infinity" header was included.

-> IMHO doesn't make sense. If servers SHOULD accept requests without 
depth header, there's no point in having a MUST-level requirement for 
clients to send it. Please keep changes compared to RFC2518 at a minimum.

    o  Request particular property values, by naming the properties
       desired within the 'prop' element (the ordering of properties in
       here MAY be ignored by server),

-> That implies that ordering could be relevant somehow, which it isn't. 



[Page 42]

    If there is an error retrieving a property then a proper error result
    MUST be included in the response.  A request to retrieve the value of
    a property which does not exist is an error and MUST be noted, if the
    response uses a 'multistatus' XML element, with a 'response' XML
    element which contains a 404 (Not Found) status value.

-> Is there a case where the response isn't a multistatus element???

    Consequently, the 'multistatus' XML element for a collection resource
    with member URLs MUST include a 'response' XML element for each
    member URL of the collection, to whatever depth was requested.  It
    SHOULD NOT include any 'response' elements for resources that are not
    WebDAV-compliant.  Each 'response' element MUST contain an 'href'
    element that contains the URL of the resource on which the properties
    in the prop XML element are defined.  Results for a PROPFIND on a
    collection resource with internal member URLs are returned as a flat
    list whose order of entries is not significant.  Note that a resource
    may have only one value for a property of a given name, so the
    property may only show up once in PROPFIND responses.

-> In this paragraph, please remove "with member URLs" and "with 
internal member URLs". The semantics of PROPFIND is indepedant of 
whether the collection has members or not.

    403 Forbidden - A server MAY reject PROPFIND requests on collections
    with depth header of "Infinity", in which case it SHOULD use this
    error with the precondition code 'propfind-finite-depth' inside the
    error body.

-> s/on collections// (it's irrelevant whether it's a collection or not)


[Page 43]

9.1.2.  Status codes for use with 207 (Multi-Status)

    The following are examples of response codes one would expect to be
    used in a 207 (Multi-Status) response for this method.  Note,
    however, that unless explicitly prohibited any 2/3/4/5xx series
    response code may be used in a 207 (Multi-Status) response.

-> Replace by:

9.1.2.  Status Codes for use in 'propstat' Element

In PROPFIND responses, information about individual properties is 
returned inside 'propstat' elements (see Section 14.22), each containing 
an individual 'status' element containing information about the 
properties appearing in it. The list below summarizes the most common 
status codes used inside 'propstat', however clients should be prepared 
to handle other 2/3/4/5xx series status codes as well.

(see <http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=177>).


[Page 45]

9.1.4.  Example - Retrieving Named and Dead Properties

-> Remove whole subsection and replace with correct one (see 
<http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=188>):


9.1.4 Example - Retrieving (almost) all properties plus selected live 
properties

 >>Request

   PROPFIND /mycol/changes HTTP/1.1
   Host: www.example.com
   Depth: 0
   Content-Type: application/xml; charset="utf-8"
   Content-Length: xxxx

   <?xml version="1.0" encoding="utf-8" ?>
   <D:propfind xmlns:D="DAV:">
     <D:allprop/>
     <D:include>
       <D:checked-in/>
       <D:checked-out/>
     </D:include>
   </D:propfind>


In this example, PROPFIND is executed on the resource 
http://www.example.com/mycol/changes. The client requests the values of 
all properties defined in this specification, plus the two live 
properties DAV:checked-in and DAV:checked-out defined in [RFC3253].


[Page 49]

    The last four properties are WebDAV-specific, defined in Section 15.
    Since GET is not supported on this resource, the get* properties
    (e.g., DAV:getcontentlength) are not defined on this resource.  The

-> Strike the 2nd "on this resource".


[Page 50]

9.2.  PROPPATCH Method

    The request message body of a PROPPATCH method MUST contain the
    propertyupdate XML element.  Clients SHOULD NOT alter the same
    property more than once in a single PROPPATCH request.

-> Huh? Why not?

-> Also I note that we never normatively define the response body for 
PROPPATCH, will make proposal in a separate mail.

9.2.1.  Status Codes for use in 207 (Multi-Status)

    The following are examples of response codes one would expect to be
    used in a 207 (Multi-Status) response for this method.  Note,
    however, that unless explicitly prohibited any 2/3/4/5xx series
    response code may be used in a 207 (Multi-Status) response.

-> Replace by (see 
<http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=177>:

9.2.1. Status Codes for use in 'propstat' Element

In PROPPATCH responses, information about individual properties is 
returned inside 'propstat' elements (see Section 14.22), each containing 
an individual 'status' element containing information about the 
properties appearing in it. The list below summarizes the most common 
status codes used inside 'propstat', however clients should be prepared 
to handle other 2/3/4/5xx series status codes as well.

    403 (Forbidden): The client has attempted to set a read-only
    property, such as DAV:getetag.  If returning this error, the server
    SHOULD use the precondition code 'cannot-modify-protected-property'
    inside the response body.

-> Replace by:

"403 (Forbidden) (with the condition code 
'cannot-modify-protected-property' defined in Section 16) - The client 
has attempted to set a protected property, such as DAV:getetag."


[Page 52]

    The MKCOL method is used to create a new collection.  All WebDAV
    compliant resources MUST support the MKCOL method.

-> Nit: So does an unmapped URI (the thing you address the MKCOL to) 
identify a WebDAV compliant resource? Otherwise this requirement isn't 
really helpful...


[Page 53]

    403 (Forbidden) - This indicates at least one of two conditions: 1)
    the server does not allow the creation of collections at the given
    location in its URL namespace, or 2) the parent collection of the
    Request-URI exists but cannot accept members.

-> Language? I think it can indicate lots of other things.


[Page 54]

    Since by definition the actual function performed by POST is
    determined by the server and often depends on the particular
    resource, the behavior of POST when applied to collections cannot be
    meaningfully modified because it is largely undefined.  Thus the
    semantics of POST are unmodified when applied to a collection.

-> Nit: the fact that it's undefined in RF2616 really wouldn't stop us 
to define it, I think.

    A server processing a successful DELETE request:

       MUST destroy locks rooted on the deleted resource

       MUST remove the mapping from the Request-URI to any resource.

-> Nit: list style?


[Page 56]

    A PUT request is the only way a client has to indicate to the server
    what Content-Type a resource should have, and whether it should
    change if the resource is overwritten.  Thus, a client SHOULD provide
    a Content-Type for a new resource if any is known.  If the client
    does not provide a Content-Type for a new resource, the server MAY
    create a resource with no Content-Type assigned, or it MAY attempt to
    assign a reasonable and legal Content-Type.

-> (1) So then why do we also say that DAV:getcontenttype will be 
writeable unless "prefers to assign content types on its own"? (2) 
Please rephrase or remove "reasonable and legal". "reasonable" doesn't 
have any place in normative text, and "legal" doesn't make sense either.


[Page 58]

    After a successful COPY invocation, all dead properties on the source
    resource MUST be duplicated on the destination resource, along with
    all properties as appropriate.  Live properties described in this

-> MUST seems to be too strong, as the ability to PROPPATCH dead 
properties is only a SHOULD-level requirement.

    A COPY operation creates a new resource, much like a PUT operation
    does.  Live properties which are related to resource creation (such
    as DAV:creationdate) should have their values set accordingly.

-> "A COPY operation applied to an unmapped URL creates a new resource..."


[Page 62]

    >>Response

      HTTP/1.1 207 Multi-Status
      Content-Type: application/xml; charset="utf-8"
      Content-Length: xxxx

      <?xml version="1.0" encoding="utf-8" ?>

      <d:multistatus xmlns:d="DAV:">
        <d:response>
          <d:href>http://www.example.com/othercontainer/R2/</d:href>
          <d:status>HTTP/1.1 423 Locked</d:status>
        </d:response>
      </d:multistatus>

-> d:error missing in example

    The MOVE operation on a non-collection resource is the logical
    equivalent of a copy (COPY), followed by consistency maintenance
    processing, followed by a delete of the source, where all three
    actions are performed atomically.  The consistency maintenance step

-> Replace "atomically" by "in a single operation" (to prevent confusion 
about the best-effort semantics).


[Page 63]

    MOVE is frequently used by clients to rename a file without changing
    its parent collection, so it's not appropriate to reset all live
    properties which are set at resource creation.  For example, the DAV:
    creationdate property value SHOULD remain the same after a MOVE.

-> well, unless it needs to be modified. See Section 8.8.

    Dead properties MUST be moved along with the resource.

-> Again, hard to defend because there's only a SHOULD level req to 
support them in PROPPATCH.


[Page 65]

    412 (Precondition Failed) - A condition header failed.  Specific to
    MOVE, this could mean that the Overwrite header is "F" and the state
    of the destination URL is already mapped to a resource.

-> s/the state of//


[Page 66]

    >>Response

      HTTP/1.1 207 Multi-Status
      Content-Type: application/xml; charset="utf-8"
      Content-Length: xxxx

      <?xml version="1.0" encoding="utf-8" ?>
      <d:multistatus xmlns:d='DAV:'>
        <d:response>
          <d:href>http://www.example.com/othercontainer/C2/</d:href>
          <d:status>HTTP/1.1 423 Locked</d:status>
        </d:response>
      </d:multistatus>

-> d:error missing


[Page 67]

    A LOCK request to an existing resource will create a lock on the
    resource identified by the Request-URI, provided the resource is not
    already locked with a conflicting lock.  The resource identified in
    the Request-URI becomes the root of the lock.  Lock method requests

-> No, the URL is the root.

    to create a new lock MUST have a XML request body.  The server MUST
    preserve the information provided by the client in the 'owner' field
    in the request body when the lock information is requested.  The LOCK

-> "when the lock information is requested"???


9.10.2.  Refreshing Locks

-> Issue: Lock refresh now is incompatible with RFC2518, causing 
required changes both in servers and clients for little gain; I don't 
think anybody wants to implement this. See 
<http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=143>.


[Page 68]

    If the Depth header is set to infinity then the resource specified in
    the Request-URI along with all its internal members, all the way down
    the hierarchy, are to be locked.  A successful result MUST return a
    single lock token which represents all the resources that have been
    locked.

-> No, it doesn't represent the resources. If represents the lock.

    If an UNLOCK is successfully executed on this token, all
    associated resources are unlocked.

-> The preceding sentence seems to be misplaced; probably it needs to be 
moved at the end of the paragraph.

    Hence, partial success is not an
    option.  Either the entire hierarchy is locked or no resources are
    locked.


    A successful LOCK method MUST result in the creation of an empty
    resource which is locked (and which is not a collection), when a
    resource did not previously exist at that URL.  Later on, the lock
    may go away but the empty resource remains.  Empty resources MUST
    then appear in PROPFIND responses including that URL in the response
    scope.  A server MUST respond successfully to a GET request to an
    empty resource, either by using a 204 No Content response, or by
    using 200 OK with a Content-Length header indicating zero length

-> This repeats stuff from Section 7, but in an inconsistent way. 
According to this version, LNRs are not compliant; and it also applies 
to any kind of lock while Section 7 specifically talks about write locks.

[Page 75]

    In this example, the lock identified by the lock token
    "urn:uuid:a515cfa4-5da4-22e1-f5b5-00a0451e6bf7" is successfully
    removed from the resource
    http://example.com/workspace/webdav/info.doc.  If this lock included
    more than just one resource, the lock is removed from all resources
    included in the lock.  The 204 (No Content) status code is used
    instead of 200 (OK) because there is no response entity body.

-> Preceding sentence just duplicates text from above.
Received on Wednesday, 15 March 2006 18:13:03 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:44:14 GMT