W3C home > Mailing lists > Public > public-appformats@w3.org > July 2007

Re: Aligning grouping of resources in POWDER and WAF Access Control.

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 17 Jul 2007 13:41:38 -0700
Message-ID: <469D2982.60508@sicking.cc>
To: Arthur Barstow <art.barstow@nokia.com>
CC: ext Phil Archer <parcher@icra.org>, public-appformats@w3.org, Public POWDER <public-powderwg@w3.org>

I think an even more urgent question is, how much of the design is 
POWDER and AC going to share. I see very little value in sharing just 
the URI-matching syntax, so we need to figure out if there are more 
things that can be shared to know if we should bother with it at all.

/ Jonas

Arthur Barstow wrote:
> Thanks for the update Phil.
> Regarding the value of the {include,exclude}UriPatter properties, one of 
> the open questions for the Read Access spec [1] is essentially "should 
> *.foo.com match foo.com?". The lastest draft says "no" thus must use one 
> rule for *.foo.com and another rule for foo.com.
> Mozilla's Jonas Sicking summarized the issue, providing a list of both 
> the Pros and Cons [2].
> We are particularly interested in your feedback on this question (e.g. 
> use cases, evidence of past precedence, etc.).
> Art
> ---
> [1] <http://www.w3.org/TR/2007/WD-access-control-20070618/>
> [2] 
> <http://lists.w3.org/Archives/Public/public-appformats/2007Jul/0002.html>
> On Jul 13, 2007, at 9:47 AM, ext Phil Archer wrote:
>> Just a quick further response to this.
>> The POWDER face to face meeting discussed the issue at our face to 
>> face meeting this week (member-only minutes at [1]) and resolved* 
>> "That we create a new RDF predicate that will support the kind of 
>> wildcard-based URI pattern matching used by the WAF Group in their 
>> Enabling Read Access document."
>> The plan is to:
>> 1. Rename the existing URI Pattern predicates to include/exclude UriRegEx
>> 2. Create a new RDF predicate of include/exclude UriPattern and use 
>> the WAF wild-card syntax. We'll extend it a little to enable control 
>> over paths as well, so that *example.com/foo* means that the path must 
>> begin with /foo on any subdomain of example.com if it's to be in the set.
>> 3. We'll add this to the XSD document we're working on. This will soon 
>> be converted into a working draft but for now can be seen, very 
>> unofficially, at [2].
>> Does this sound right to you? By all means ping me directly rather 
>> then continue on the public lists if you prefer.
>> Phil.
>> [1] http://www.w3.org/2007/07/09-powder-minutes.html (member only)
>> [2] http://www.dicom.uninsubria.it/~andrea.perego/powder/?doc=xsd
>> * As most group members are European and the meeting was in 
>> Washington, the number of people present wasn't high. Therefore, all 
>> resolutions were taken at the f2f are subject to giving the remainder 
>> of the group time to review the resolutions.
>> Phil Archer wrote:
>>> cc. POWDER public list.
>>> Hi all,
>>> I'm glad Art responded to this so quickly as the original mail was 
>>> caught in my spam filter from which I've just retrieved it.
>>> Mea culpa - I was unaware of the Enabling Read Access work. I will 
>>> make sure that the POWDER WG considers it fully and that we report 
>>> back (we have a face to face meeting on Monday so we can do this 
>>> quickly).
>>> Meanwhile, we have moved on significantly since the April blog entry 
>>> referred to. Yes, we do support Perl regular expressions but we don't 
>>> rely on them. Actually, we warn against their use for most scenarios, 
>>> precisely because of the same reasons Art cites, preferring instead 
>>> to use simple string matches against URI components. Unless something 
>>> goes horribly wrong, the member only document at [1] will be a first 
>>> public working draft on Monday and this is all set out there.
>>> It would be easy to include a wild card pattern - indeed, there's an 
>>> example of exactly that in the extension mechanism section (which 
>>> refers to Google's URL pattern format which also looks similar to the 
>>> one in the WAF document).
>>> Clearly, there should be a common approach, or at least a fully 
>>> compatible one. I notice that Opera is in both groups. Chaals, Anne - 
>>> I hereby nominate you as coordinators!
>>> Phil.
>>> [1] http://www.w3.org/2007/powder/Group/powder-grouping/20070709.html
>>> Arthur Barstow wrote:
>>>> [[ ++ public-appformats - the mail list the WAF WG uses for its 
>>>> technical discussions ]]
>>>> Stuart - thanks for raising this issue. I have not discussed this 
>>>> issue with the WAF WG nor the WAF Public Community but here is *my* 
>>>> take on the syntax issue.
>>>> We discussed using regular expression syntax instead of just star. I 
>>>> recognize there would be some advantages to using the richer syntax 
>>>> but we decided to follow the KISS principle here, particularly given 
>>>> the negative side effects of incorrect syntax (e.g. accidentally 
>>>> giving access to a domain that should not have access). [I assume 
>>>> here the probability of incorrect syntax is higher with regular 
>>>> expressions than just star but I have no real data to back my 
>>>> assumption.]
>>>> It also appears our decision is consistent with the decision made in 
>>>> the P3P spec [1].
>>>> WAF WG & Community - please see the issue the TAG raises below.
>>>> Regards,
>>>> Art Barstow
>>>> ---
>>>> [1] <http://www.w3.org/TR/P3P/#ref_file_wildcards>
>>>> On Jul 6, 2007, at 10:16 AM, ext Williams, Stuart (HP Labs, Bristol) 
>>>> wrote:
>>>>> Art, Phil,
>>>>> In response to a request from the WAF-WG [1] to review "Enabling Read
>>>>> Access to Web Resources" [2] the TAG is concerned to ensure that there
>>>>> is good alignment between your WGs wrt the specification of resource
>>>>> sets.
>>>>> We observe that [2] involves the specification of 'allow' and 'deny'
>>>>> sets of resources (which in this case happen to be the origins of
>>>>> scripted behaviours executed by user agents). There is some resonance
>>>>> between [2] and POWDER work on grouping resource sets by address. We
>>>>> believe that there is or should be some common interest in the
>>>>> specification of such resource sets between your WGs.
>>>>> Given that web masters are the likely authors of configuration
>>>>> information for both script access controls (as in [2]) and for
>>>>> content-labeling (a POWDER application) and that both involve making
>>>>> assertions about sets of resources (allow/deny assertions v assertions
>>>>> about the nature of web content) we believe that there should be at
>>>>> least some conceptual coherence and ideally some syntactic 
>>>>> coherence in
>>>>> the way that both POWDER and WAF-WG approach the description of 
>>>>> sets of
>>>>> resource that are the subject of such assertions.
>>>>> For example, consider the scenario in which the author of a resource
>>>>> identified by http://www.sales.example.com/strategy.html wishes to 
>>>>> allow
>>>>> cross-domain access from any resource identified by an example.com 
>>>>> URI.
>>>>> Per [2], this set is specified with a pair of 'access items' as:
>>>>>     http://*.example.com
>>>>>     https://*.example.com
>>>>> Whereas using the 'PERL regexp' based approach being considered by
>>>>> POWDER (option 5 at [3]), the same set is specified as:
>>>>>    ^https?://[^:/?#]+\.)*example\.com/
>>>>> We think having two similar-but-different mechanisms to achieve the 
>>>>> same
>>>>> goal should be avoided if at all possible.
>>>>> We would be interested to hear from you whether you think there is any
>>>>> possibility of seeking considerably more alignment between the work of
>>>>> your two groups, so that where their requirements overlap there is at
>>>>> least cross-reference, and at best sharing of terminology, operational
>>>>> semantics and perhaps even syntax.
>>>>> Best regards
>>>>> Stuart Williams
>>>>> for W3C TAG
>>>>> -- 
>>>>> [1] http://lists.w3.org/Archives/Public/www-tag/2007Jun/0114.html
>>>>> [2] http://www.w3.org/TR/2007/WD-access-control-20070618/
>>>>> [3]
>>>>> http://www.w3.org/blog/powder/2007/04/27/meeting_summary_26_27_april_200 
>>>>> 7
>>>>> -- 
>>>>> Hewlett-Packard Limited registered Office: Cain Road, Bracknell, Berks
>>>>> RG12 1HN
>>>>> Registered No: 690597 England
Received on Tuesday, 17 July 2007 20:42:04 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:56:19 UTC