Re: [AC] Access Control Algorithm

On 2007-05-21 16:27:20 -0700, Jonas Sicking wrote:

> I agree that you could make the server go through all the public
> files on the filesystem and modify them to add excludes as
> appropriate, or filter each request on the fly. However that
> system is significantly more complicated and I doubt that anyone
> would have that ready to go once the problem hits. It also does
> not allow the content author to override a server set AC header.

All I can say is that I'm not convinced.

My main objective is to keep the language's expressivity as it would
appear to a policy author (or human reader) in line with the
expressivity that it will really have.  A broad "deny" statement in
the language that doesn't really have any effect because the policy
is only evaluated in certain conditions is something else, and lends
itself to scope creep of the language.

I wonder if anybody else here wants to chime in on this.
-- 
Thomas Roessler, W3C  <tlr@w3.org>

Received on Friday, 25 May 2007 13:09:20 UTC