RE: [access-control] Forms WG comments on Access Control WD

This draft looks more implementable in XForms but I'd like to have
feedback from implementors in the WG before responding.
 
Here are some issues.
1. Although it mentions other specifications, it still does not offer
any concrete suggestions or even informative references to XForms.
2. There is no provision for user agent configuration on a per-user
basis to override (+/-) the header- or PI-specified permissions.
   Mozilla XForms, for example, allows the user to specify Load and Save
permissions for resources, and this allows the end user to specially
enable "mashup" type applications. See next point.
3. Perhaps I'm wrong, but it looks to me like services need to take
special care to offer their resources, and if they do not, they are by
default closed, with no recourse, even that of asking the user.
Similarly, there is no indication that a UA can be configured to use or
not to use these rules.
4. Why not use HEAD instead of GET on the resource?  Is it because of
the PI?
5. The PI and headers are said to be allowed together, but it doesn't
say how they combine (PI wins?  They add?)
6. In section 4.3, are multiple PIs allowed?  If not, how can one
combine allow and deny semantics?
7. Allow and Deny semantics can be combined quite clearly, along with
resource identification, as is done in INETD (xinetd) TCPWrappers, which
allow combinations of Allow and Deny directives along with the names of
local resources. http://en.wikipedia.org/wiki/Xinetd
This model is quite widely deployed, and allows servers to grant access
to their resources based on resource (in this case, process name and
port), and client IP address.
I would suggest that the WG look at this mechanism and make sure that
the lessons learned here are applied.
 
Leigh.
 
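The hosts.allow / hosts.deny precedence that point 7 holds up as a model, as an added example that is not part of this thread or of any specification it mentions; the rule files, daemon names and client addresses are constructed for the demonstration:

```python
# Added example, not part of the email thread: a small evaluator for the
# hosts.allow / hosts.deny model of TCP Wrappers (used with inetd/xinetd).
# Each line is "daemon_list : client_list"; a pattern is ALL, a dotted IPv4
# prefix ("10.0.0."), a domain suffix (".example.org") or an exact name, and
# a list may carry one EXCEPT clause. The tool fixes the precedence: the
# allow file is consulted first, then deny, and an unmatched pair is granted.

def _match_pattern(pattern, value):
    """Match one pattern against a daemon name or a client address/host."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):       # dotted IPv4 prefix
        return value.startswith(pattern)
    if pattern.startswith("."):     # domain suffix
        return value.endswith(pattern)
    return value == pattern         # exact daemon or host name

def _match_list(spec, value):
    """Match a comma-separated list, honouring a single EXCEPT clause."""
    included, _, excluded = spec.partition(" EXCEPT ")
    hit = any(_match_pattern(p.strip(), value) for p in included.split(","))
    if hit and excluded:
        hit = not any(_match_pattern(p.strip(), value) for p in excluded.split(","))
    return hit

def _rules_match(rules, daemon, client):
    """True if any 'daemon_list : client_list' line matches the pair."""
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        if _match_list(daemons.strip(), daemon) and _match_list(clients.strip(), client):
            return True
    return False

def access_granted(hosts_allow, hosts_deny, daemon, client):
    """Allow file first, then deny file, otherwise granted (tcpd order)."""
    if _rules_match(hosts_allow, daemon, client):
        return True
    if _rules_match(hosts_deny, daemon, client):
        return False
    return True

# Constructed sample policy: deny by default, then grant sshd to the LAN
# (minus one host) and httpd to everyone. Without the ALL : ALL line in
# hosts.deny the EXCEPT host would still get in, because nothing denies it.
HOSTS_ALLOW = "sshd : 10.0.0. EXCEPT 10.0.0.99\nhttpd : ALL\n"
HOSTS_DENY = "ALL : ALL\n"
```

The last two assertions in the accompanying checks show the caveat the comment mentions: an EXCEPT in the allow file only withdraws a grant, so the deny file has to carry the default-deny rule.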
________________________________

From: John Boyer [mailto:boyerj@ca.ibm.com] 
Sent: Tuesday, December 11, 2007 10:12 AM
To: Klotz, Leigh
Cc: Forms WG (new)
Subject: Re: [access-control] Forms WG comments on Access Control WD

Hi Leigh, 

Would you please submit something to the group today to help guide the
discussion of this issue, which can be on tomorrow's agenda.  Of course
someone else can do minutes while you are talking... 

Thanks, 
John M. Boyer, Ph.D.
Senior Technical Staff Member
Lotus Forms Architect and Researcher
Chair, W3C Forms Working Group
Workplace, Portal and Collaboration Software
IBM Victoria Software Lab
E-Mail: boyerj@ca.ibm.com  

Blog: http://www.ibm.com/developerworks/blogs/page/JohnBoyer
Blog RSS feed:
http://www.ibm.com/developerworks/blogs/rss/JohnBoyer?flavor=rssdw

From: "Anne van Kesteren" <annevk@opera.com>
Sent by: public-forms-request@w3.org
Date: 12/11/2007 08:43 AM
To: "Klotz, Leigh" <Leigh.Klotz@xerox.com>, public-appformats@w3.org
Cc: "Forms WG" <public-forms@w3.org>
Subject: Re: [access-control] Forms WG comments on Access Control WD

Hi,

On Thu, 11 Oct 2007 22:59:59 +0200, Klotz, Leigh <Leigh.Klotz@xerox.com>
wrote:
> The Forms WG is interested in providing comments on the "Enabling Read
> Access for Web Resources" working draft [1].

We recently published a new Working Draft on TR/ and the latest editor's
draft is a little bit further ahead (editorial changes):

  http://www.w3.org/TR/2007/WD-access-control-20071126/
  http://dev.w3.org/2006/waf/access-control/

If you're going to provide feedback it would be good if you base it on
those drafts.


> [1] http://www.w3.org/TR/2007/WD-access-control-20071001/

Kind regards,


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Tuesday, 11 December 2007 18:35:10 UTC