Re: WEBDAV Security from Jon Radoff on 1997-05-01 (w3c-dist-auth@w3.org from April to June 1997)

From: Jon Radoff <jradoff@novalink.com>
Date: Thu, 01 May 1997 14:42:57 -0700
To: -=jack=- <jack@twaxx.twaxx.com>
CC: "Ron Daniel, Jr." <rdaniel@lanl.gov>, w3c-dist-auth@w3.org
Message-ID: <33690E61.1AF@novalink.com>

I will put together what I've worked on and make it available via ftp
for anyone to take a look at within a day or so.

Here is the outline of the concept I had in mind:

  1.  Define an API which would exist in a shared-library type space on
      the server (or a DLL on NT).

  2.  Applications that wanted to be able to verify if a user has a
      certain permission would make API calls to do so and respond
      accordingly.

  3.  The shared-library containing API calls would be able to connect
      to compliant modules defined by the system administrator (e.g.,
      if vendor X wanted to provide a module that makes them
      compatible with the API, they'd ship this as a component -- not
      unlike how ODBC works in the database world...)
 
  4.  A basic concept of the API is to abstract the concept of
      authentication and let the application worry about this (it
      may be that we want to think of an interface specification for
      authentication data too, but it wasn't part of my original idea).
      We should discuss the pros/cons of this.

  5.  The API attempts to give the concepts around security a
      "real-world" feel.  Users own abstract, named permission
      entities as opposed to traditional read/write/execute
      permissions.  That way, applications and security management
      systems are free to define what a given named permission
      entity means.

Other items for discussion:

  a.  We should discuss whether it makes sense to include in any
      standard the ability to define new permission entities;  I was
      leaning against this because I thought if we didn't keep it
      abstract it could limit the creativity of what the "permission
      server" vendors.
 
   b. Should the abilty to assign permission entities to a content
      object be standards defined, or application defined?  I think
      we probably need a combination of (i) basic permissions which
      would exist in every DAV-compliant application and
      (ii) the ability for applications to form their own rules 
      based on permission entities they could provide.  What about
      permissions on an object that are more granular than overall
      access to the URI (such as a piece of a particular page?)

   c. Does this track make sense at all? ;)

I will let everyone know when my stuff is available...

Jon

Received on Thursday, 1 May 1997 14:42:10 UTC