Re: Aligning grouping of resources in POWDER and WAF Access Control.

Phil Archer wrote:
> 
> 
> Jonas Sicking wrote:
> [..]
>>
>> This sounds good to me. With that I would be more happy with saying 
>> that *.foo.com should match only www.foo.com but not foo.com. That 
>> would make it intuitive with rules like:
>>
>> allow <foo.com> exclude <*.foo.com>
>> and
>> allow <foo.com> exclude <users.foo.com>
>>
>> I'm not sure I see much use for the '?' syntax suggested. What 
>> situations would that help, and are they very common?
> 
> OK, forget the ? notation. Your examples are very clear and we seem in 
> full alignment that <foo.com> includes sub domains but <*.foo.com> 
> wouldn't include foo.com itself.

Sounds great. What do other people think of switching to this syntax? 
The difference from the current spec would be to change

Otherwise, apply these set of steps to the next list item of both origin 
list and item list. If either of them has no next list item there is no 
match (terminate the overall algorithm.) If both no longer have a next 
list item go to the next step in the overall set of steps.

to

Otherwise, apply these set of steps to the next list item of both origin 
list and item list. If the origin list has no next list item there is no 
match (terminate the overall algorithm.) If the item list no longer has 
a next list item go to the next step in the overall set of steps.

> The short answer is that I doubt it, simply because the work required to 
> make it so is unlikely to be justified by the use cases. In theory, yes, 
> a Resource Set, in the sense POWDER means, could be useful in access 
> control. So one might have a Resource Set like:
> 
> <wdr:ResourceSet rdf:ID="RS1">
>   <wdr:includeHosts>example.org example.com</wdr:includeHosts>
>   <wdr:excludePathStartsWith>/sandbox</wdr:excludePathStartsWith>
> </wdr:ResourceSet>
> 
> 
> Linking to this RS in an access control header would grant access to 
> requests from anywhere on example.org and .net except where the path of 
> the requesting URI began with /sandbox. But you can't (sensibly) put all 
> that in an HTTP Header, you'd have to put the URI of the Resource Set 
> from which access was allowed exactly where right now an Access Control 
> Header has actual data, so we'd have something very much like an HTTP 
> Link Header:
> 
> Content-Access-Control: allow 
> <http://www.example.net/resourceset.rdf#RS1> type="application/rdf+xml"
> 
> which is well outside what WAF has in mind.

Yeah, I think this is much more complicated than what the current spec 
does, without really providing much extra value.

/ Jonas

Received on Monday, 23 July 2007 18:30:51 UTC
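
The effect of the proposed wording on the two rules discussed in this message, as an added example (not code from the spec or from either poster). It assumes both lists hold host labels ordered from the top-level domain down, that `*` stands for exactly one label, and that the item-list check wins when both lists run out together; `labels`, `host_matches` and `is_allowed` are hypothetical names.

```python
def labels(host):
    # Assumption: lists run from the top-level label down, www.foo.com -> [com, foo, www].
    return host.lower().rstrip(".").split(".")[::-1]

def host_matches(pattern, origin_host, proposed=True):
    """Step through the item list (pattern) and the origin list together."""
    items, origin = labels(pattern), labels(origin_host)
    i = 0
    while True:
        # Assumption: '*' stands for exactly one label; any other label must be equal.
        if items[i] != "*" and items[i] != origin[i]:
            return False
        i += 1
        item_done, origin_done = i >= len(items), i >= len(origin)
        if proposed:
            # Assumption: the item-list check wins when both lists end together,
            # so that foo.com still matches foo.com.
            if item_done:
                return True    # "go to the next step", treated here as a host match
            if origin_done:
                return False   # origin exhausted: <*.foo.com> does not cover foo.com
        else:
            # Wording quoted as the current spec: both lists must end together.
            if item_done and origin_done:
                return True
            if item_done or origin_done:
                return False

def is_allowed(origin_host, allow, exclude=()):
    """Simplified single rule: allow <...> exclude <...>; exclude wins."""
    if any(host_matches(p, origin_host) for p in exclude):
        return False
    return any(host_matches(p, origin_host) for p in allow)

if __name__ == "__main__":
    # Constructed sample hosts, checked against the two rules from the thread.
    for host in ("foo.com", "www.foo.com", "users.foo.com", "evilfoo.com"):
        print(host,
              is_allowed(host, ["foo.com"], ["*.foo.com"]),
              is_allowed(host, ["foo.com"], ["users.foo.com"]))
```

Because the comparison is per label rather than by string suffix, `evilfoo.com` and `foo.com.example.net` do not match `<foo.com>`.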