- From: Marc Silbey <marcsil@windows.microsoft.com>
- Date: Fri, 23 Feb 2007 18:08:00 -0800
- To: <public-appformats@w3.org>
Forwarding onto the public mail list since this is technical discussion -----Original Message----- From: Marc Silbey Sent: Friday, February 23, 2007 5:44 PM To: 'member-appformats@w3.org' Subject: Couple of notes on Access Control Hi all, I want to give you a quick update on our review of the Access Control recommendation. We've reviewed some of the recommendation and it looks good. I've included a few comments below. That said we want to take a little more time next week to wrap up before sending out detailed comments. Here are a few comments and questions on Section 2 1. Why are we limiting this to HEAD and GET requests? Maybe it should also include POST and other verbs that are as safe as HEAD and GET. It makes sense that this can't be a generic mechanism for all verbs including future ones since we don't know the security model for future verbs 2. RE: "When a resource is said to be in error access to that resource MUST be denied". It may help the reader if we define "in error" or just replace this with "is prohibited" and then say that User agents should take care that the denial of access does not indicate existence or non-existence of resource. This helps prevent fingerprint attacks. 3. RE: "except ruleset" This is a minor nitpick, but I'll add it hear because we've discussed terminology a lot internally here. Maybe we should use "deny ruleset" instead of "except ruleset". Also it may help the reader if we explicitly state that deny rules always trump allow rules I'll send more comments and questions next week as we review more I hope everyone has a good weekend! Regards, Marc
Received on Saturday, 24 February 2007 18:03:52 UTC