Re: review of http://dev.w3.org/2006/waf/access-control/#requirements

On Tue, 5 Feb 2008, Mark Nottingham wrote:
> 
> * "Must be deployable to IIS and Apache without requiring actions by the 
> server administrator in a configuration where the user can upload static 
> files, run serverside scripts (such as PHP, ASP, and CGI), control HTTP 
> headers, and control authorization, but only do this for URIs under a 
> given set of subdirectories on the server." This is incredibly specific; 
> neither p3p.xml nor robots.txt supports the last condition, and yet that 
> hasn't stopped their deployment. This also isn't motivated by any of the 
> use cases. I dispute that this is a real requirement.

Both p3p.xml and robots.txt are a pain for large sites, and both have 
decentralised alternatives. We really need a solution that fits this 
requirement. (Ironically, this is a requirement that is important for both 
large sites, as noted here, and small users on sites they don't control. 
It's not as big a deal on mid-level sites like, say, my own, where one 
person controls everything.)


> * "It should be possible to issue methods other than GET to the server, 
> such as POST and DELETE." Add to this: "The solution must not unduly 
> penalise use of methods other than GET, e.g., with performance 
> degradation. Likewise, it must not penalise use of a particular style of 
> URI, or the use of a large number of URIs."

I don't particularly agree. If we can optimise GET even more than the 
others, then good, but we shouldn't cripple our design for GET just 
because we can't get the other methods to be as efficient.

In conclusion, I am strongly opposed to removing the first requirement 
above, and strongly against changing the second requirement above.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 6 February 2008 03:16:39 UTC