Re: Access Control Requirements from Andy Seaborne on 2013-04-22 (public-ldp-wg@w3.org from April 2013)

From: Andy Seaborne <andy.seaborne@epimorphics.com>
Date: Mon, 22 Apr 2013 11:36:47 +0100
To: public-ldp-wg@w3.org
Message-ID: <517512BF.9040707@epimorphics.com>
On 21/04/13 20:42, Ashok Malhotra wrote:
> I added some material based on our discussion last week and mail from
> Serena and Henry.   If we agree on the direction, what more should we add
> to create the WG Note?
>
> Access Control
>
> Access Control is a mechanism to enable or deny permissions to entities
> - individuals, groups of individuals or organizations - to perform
> operations on resources. The entities have to be authenticated and
> identified and, perhaps, added to a group.
>
> In the case of LDP the resources are LDP resources but the access
> control may operate at different granularities: RDF documents, named
> graphs or individual triples. The operations are read, update, create
> and delete.
>
> For example, as discussed in http://www.w3.org/wiki/WebAccessControl
> access privileges can be requested as below:
>
> @prefix acl: <http://www.w3.org/ns/auth/acl#> .
>
> @prefix foaf: <http://xmlns.com/foaf/0.1/> .
>
> [acl:accessTo <card>; acl:mode acl:Read; acl:agentClass foaf:Agent].
>
> [acl:accessTo <card>; acl:mode acl:Read, acl:Write;acl:agent <card#i>].
>
> This means that anyone may read card, and <card#i> can write it.
>
> Typically, Access Control will be provided by the storage mechanism and
> not the LDP server itself.

I can not reconcile this "provided by the storage mechanism, not the 
server itself" with the earlier point about "perform operations on 
resources".

Could you please explain this?

 Andy

And also:
http://lists.w3.org/Archives/Public/public-ldp-wg/2013Apr/0041.html

> Thus, requests such as above will need to be
> mapped to the capabilities of the server.
> The access control mechanism isn't in the purview of the LDP standard,
> so what can we say about
> access control?  What can we ask the server to provide?
>
> 1. How are entities authenticated?   Can we require the use of WebID or
> OpenID for example?
> Can we even recommend that one of these be used?
>
> LOW BAR:  The storage system provides its own mechanism for
> authenticating and identifying entities e.g username/password
> HIGH BAR: Storage system accepts a URL which points to a set of
> credentials identifying entities.  Authorization is orthogonal.
>
> 2. What is the granularity of access control?
>
> LOW BAR:  RDF resources
> HIGH BAR: A regex that identifies individual triples
>
> OTHER REQUIREMENTS ..
>
> We can add these with a MAY or SHOULD when no countervailing security considerations apply.
>
>
> 3. If access is denied, some explanation of why it was denied. For
> example, "Could not verify one of user's principals" or "Network problem
> during authentication" or "User not authorized to update"
>
> 4. Ability to discover the access control policy as it applies to some
> set of resources.
>
>
> --
> All the best, Ashok
Received on Monday, 22 April 2013 10:37:22 UTC