RE: WEBDAV Security

I agree that there are certain requirements that are specific to DAV,
just as there are requirements specific to programmatic resources, file
handling, distributed resources, and every other group under the sun.
However, those needs should be addressed within the context of a working
group tasked to solve the general ACL problem. We should not try to come
up with a solution that only meets our needs and we should not presume
to dictate a solution to meet needs outside the scope of this group.

	Yaron

> -----Original Message-----
> From:	Larry Masinter [SMTP:masinter@parc.xerox.com]
> Sent:	Tuesday, April 15, 1997 11:07 PM
> To:	Yaron Goland
> Cc:	'Steve Carter'; w3c-dist-auth@w3.org; slein@wrc.xerox.com
> Subject:	Re: WEBDAV Security
> 
> Yaron Goland wrote:
> > 
> > DAV is an HTTP protocol and thus is able to take full advantage of all
> > generic HTTP ACL and Security work. I would recommend that the
> > requirements only identify Security in general and ACLs in particular,
> > as areas of concern, and then explain that they are out of scope for DAV
> > because they touch on areas beyond DAV's limited authoring/versioning
> > scope.
> > 
> > Let's not fall into the trap of trying to solve the world's problems.
> > ACLs and security are best left to groups who are grappling with just
> > those issues.
> > 
> >                 Yaron
> 
> Nice try, but... Distributed Authoring has different security requirements
> than Document Access. A DAV server must accept data and then express
> the client's requested authorization policy in how the future web
> server authorizes requests. This is a greater requirement than has
> been addressed by HTTP security.
> 
> I agree you should try to limit the scope of what you handle to
> be "the minimum needed to build interoperable clients", but I believe
> that the minimum exceeds what has been done so far for DAV-less HTTP.
> 
> Regards,
> 
> Larry

Received on Wednesday, 16 April 1997 03:06:52 UTC