Re: access control -- in or out of scope? from Michael Hausenblas on 2012-03-19 (public-ldp@w3.org from March 2012)

From: Michael Hausenblas <michael.hausenblas@deri.org>
Date: Mon, 19 Mar 2012 13:25:39 +0000
To: Sandro Hawke <sandro@w3.org>, Paul Tyson <phtyson@sbcglobal.net>
Cc: public-ldp@w3.org
Message-Id: <2C53653B-D135-4841-86EB-C28AB0576A5A@deri.org>

>> "The Working Group will not normatively specify solutions for access
>> control and authentication for Linked Data. However the Working Group
>> will identify, based on a set of real world use cases, requirements for
>> necessary authentication and authorization technologies."


I'm all for keeping it as it is. The main point was/is to state what is out of scope (auth/auth/ACL) but in the same moment also explain how we deal with it, as it is a necessary building block to successfully deploy any sort of app in the domain.


Cheers,
	   Michael

--
Dr. Michael Hausenblas, Research Fellow
DERI - Digital Enterprise Research Institute
NUIG - National University of Ireland, Galway
Ireland, Europe
Tel.: +353 91 495730
WebID: http://sw-app.org/mic.xhtml#i

On 19 Mar 2012, at 13:09, Sandro Hawke wrote:

> On Sun, 2012-03-18 at 16:28 -0500, Paul Tyson wrote:
>> Section 2. Scope.
>> 
>> "The Working Group will not normatively specify solutions for access
>> control and authentication for Linked Data. However the Working Group
>> will identify, based on a set of real world use cases, requirements for
>> necessary authentication and authorization technologies."
>> 
>> I understand how a strict construction of "linked data" would rule this
>> out of scope, but realistically no one will be able to champion LDP in
>> an enterprise with only a set of "requirements" for the security aspect.
>> In the enterprise, security and access control must be built in from the
>> ground up, not added as an afterthought.
>> 
>> Industry doesn't need yet another set of requirements for access
>> control. There are already several good models: XACML seems the most
>> nearly suited for LDP, but there are also RIF and RuleML (and
>> LegalRuleML recently started as an OASIS TC). The XACML TC has started
>> work on a RESTful profile for XACML.
>> 
>> Please consider upgrading this scope statement from "will
>> identify...requirements" to something like "will specify an abstract
>> interface and notional architecture by which LDP systems can
>> interoperate with RESTful authentication and authorization systems".
> 
> Personally, I agree with you, but I've heard otherwise from some folks.
> Maybe people who disagree can speak up and we can try to work this out
> here?
> 
>    -- Sandro
> 
>> Regards,
>> --Paul
>> 
>> On Sun, 2012-03-18 at 12:13 -0400, Sandro Hawke wrote:
>>> After various discussions, we've rewritten the Linked Data Platform
>>> (LDP) draft charter.  New version is here:
>>> 
>>>        http://www.w3.org/2012/ldp/charter
>>> 
>>> The diff is linked from there, but only the last few paragraphs
>>> (standard charter stuff) are the similar enough for the diff to be
>>> useful.
>>> 
>>> At this point, we're expecting to formally propose this to the W3C
>>> membership within a week or two, so please review it soon.
>>> 
>>>   -- Sandro
>>> 
>>> 
>>> 
>> 
>> 
>> 
> 
> 
>

Received on Monday, 19 March 2012 13:26:13 UTC