Re: Access control requirements

Jonas, All,

Thanks for this input.

I think we should add all of them to section 3. of the UC+Reqs doc in
[1] and delete 3.3, 3.4 and 3.6 since they are covered by your proposed
requirements #1, #2 and #3.

Do you consider 3.5 covered by your #7 or some other requirement in  
your proposal? If yes, then 3.5 should also be deleted.

Regards, Art Barstow
---

[1] <http://dev.w3.org/cvsweb/2006/waf/access-control/>


On Jan 17, 2008, at 1:56 AM, ext Jonas Sicking wrote:

>
> Here is the first round of requirements that I had. Looking
> forward to input.
>
> 1.
> Must not require content authors or site maintainers to implement new or
> additional security protections to preserve their existing level of
> security protection. (Stolen from Brad Porter)
>
> 2.
> Must be deployable to existing, commonly used, servers without  
> requiring actions by the server administrator in a typical  
> configuration.
>
> 3.
> Must be able to easily deploy support for cross site GET requests.
> This includes not having to use server side scripting (such as PHP,
> ASP, or CGI) in a typical server configuration.
>
> 4.
> It should be possible to put the resource that is made available cross
> site in its normal format on the server. It should be possible
> to use normal development tools to interact with the resource directly
> on the server. I.e. it should not be needed to repackage or  
> reformat the resource just to make it possible to load from other  
> servers.
>
> 5.
> Content of any type should be possible to distribute. I.e. we should not
> limit ourselves to content of a particular type.
>
> 6.
> It should be possible to allow only specific servers, or sets of servers
> to fetch the resource.
>
> 7.
> It should be possible for the administrator of the server to disable
> requests to any resource of the server. This should be easily doable on
> servers currently deployed using currently existing tools.
>
> 8.
> It should be possible to use resources on other servers using the  
> same methods currently used to load resources. For example the  
> following examples should be possible:
>
> <?xml-stylesheet type="text/xsl" href="http://other.server/file.xsl"?>
>
> <?xbl href="http://other.server/xbl.xml"?>
>
> xhr = new XMLHttpRequest;
> xhr.open("GET", "http://other.server/data.text");
> xhr.send();
>
> 9.
> It should be possible to issue methods other than GET to the  
> server, such as POST and DELETE.
>
> 10.
> Should be possible to use normal authentication mechanisms on the
> server where the resource is located. I.e. on an IIS server where
> authentication and session management are generally done by the
> server before ASP pages execute this should be doable also for
> requests coming from other servers. Same thing applies to PHP on
> Apache.
>
> / Jonas
>

Received on Thursday, 17 January 2008 17:31:03 UTC