Re: Aligning grouping of resources in POWDER and WAF Access Control.

cc. POWDER public list.

Hi all,

I'm glad Art responded to this so quickly as the original mail was 
caught in my spam filter from which I've just retrieved it.

Mea culpa - I was unaware of the Enabling Read Access work. I will make 
sure that the POWDER WG considers it fully and that we report back (we 
have a face to face meeting on Monday so we can do this quickly).

Meanwhile, we have moved on significantly since the April blog entry 
referred to. Yes, we do support Perl regular expressions but we don't 
rely on them. Actually, we warn against their use for most scenarios, 
precisely because of the same reasons Art cites, preferring instead to 
use simple string matches against URI components. Unless something goes 
horribly wrong, the member only document at [1] will be a first public 
working draft on Monday and this is all set out there.

It would be easy to include a wild card pattern - indeed, there's an 
example of exactly that in the extension mechanism section (which refers 
to Google's URL pattern format which also looks similar to the one in 
the WAF document).

Clearly, there should be a common approach, or at least a fully 
compatible one. I notice that Opera is in both groups. Chaals, Anne - I 
hereby nominate you as coordinators!



Arthur Barstow wrote:
> [[ ++ public-appformats - the mail list the WAF WG uses for its 
> technical discussions ]]
> Stuart - thanks for raising this issue. I have not discussed this issue 
> with the WAF WG nor the WAF Public Community but here is *my* take on 
> the syntax issue.
> We discussed using regular expression syntax instead of just star. I 
> recognize there would be some advantages to using the richer syntax but 
> we decided to follow the KISS principle here, particularly given the 
> negative side effects of incorrect syntax (e.g. accidentally giving 
> access to a domain that should not have access). [I assume here the 
> probability of incorrect syntax is higher with regular expressions than 
> just star but I have no real data to back my assumption.]
> It also appears our decision is consistent with the decision made in the 
> P3P spec [1].
> WAF WG & Community - please see the issue the TAG raises below.
> Regards,
> Art Barstow
> ---
> [1] <>
> On Jul 6, 2007, at 10:16 AM, ext Williams, Stuart (HP Labs, Bristol) wrote:
>> Art, Phil,
>> In response to a request from the WAF-WG [1] to review "Enabling Read
>> Access to Web Resources" [2] the TAG is concerned to ensure that there
>> is good alignment between your WGs wrt the specification of resource
>> sets.
>> We observe that [2] involves the specification of 'allow' and 'deny'
>> sets of resources (which in this case happen to be the origins of
>> scripted behaviours executed by user agents). There is some resonance
>> between [2] and POWDER work on grouping resource sets by address. We
>> believe that there is or should be some common interest in the
>> specification of such resource sets between your WGs.
>> Given that web masters are the likely authors of configuration
>> information for both script access controls (as in [2]) and for
>> content-labeling (a POWDER application) and that both involve making
>> assertions about sets of resources (allow/deny assertions v assertions
>> about the nature of web content) we believe that there should be at
>> least some conceptual coherence and ideally some syntactic coherence in
>> the way that both POWDER and WAF-WG approach the description of sets of
>> resource that are the subject of such assertions.
>> For example, consider the scenario in which the author of a resource
>> identified by wishes to allow
>> cross-domain access from any resource identified by an URI.
>> Per [2], this set is specified with a pair of 'access items' as:
>>     http://*
>>     https://*
>> Whereas using the 'PERL regexp' based approach being considered by
>> POWDER (option 5 at [3]), the same set is specified as:
>>    ^https?://([^:/?#]+\.)*example\.com/
>> We think having two similar-but-different mechanisms to achieve the same
>> goal should be avoided if at all possible.
>> We would be interested to hear from you whether you think there is any
>> possibility of seeking considerably more alignment between the work of
>> your two groups, so that where their requirements overlap there is at
>> least cross-reference, and at best sharing of terminology, operational
>> semantics and perhaps even syntax.
>> Best regards
>> Stuart Williams
>> for W3C TAG
>> -- 
>> [1]
>> [2]
>> [3]
>> -- 
>> Hewlett-Packard Limited registered Office: Cain Road, Bracknell, Berks
>> RG12 1HN
>> Registered No: 690597 England

Phil Archer
Chief Technical Officer,
Family Online Safety Institute

Already labelled with ICRA? It's time to raise the bar on child 
protection standards by ensuring your site is ICRAchecked.
See for more info.
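As an added illustration (not code from this thread or from either working group's draft), the two ways of expressing Stuart's example side by side, plus the check that Art's concern about mistyped syntax calls for. The `*.example.com` wildcard handling and the probe origins are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit

# WAF-style access items as quoted by Stuart: "scheme://host", where the
# host part may be "*" (any host). Accepting "*.example.com" for subdomains
# is an assumption made for this example, not a rule from the WAF draft.
def waf_item_allows(item: str, origin: str) -> bool:
    scheme, _, host = item.partition("://")
    parts = urlsplit(origin)
    if parts.scheme.lower() != scheme.lower() or not parts.hostname:
        return False
    hostname = parts.hostname.lower()
    if host == "*":
        return True
    if host.startswith("*."):
        return hostname.endswith(host[1:].lower())
    return hostname == host.lower()

def waf_allows(items, origin: str) -> bool:
    """An origin is allowed if any access item in the list matches it."""
    return any(waf_item_allows(item, origin) for item in items)

# The POWDER-style Perl regexp from Stuart's mail (with the opening
# parenthesis the archived copy lost put back). The trailing "/" is what
# stops "example.com" from matching merely as a prefix of a longer host.
POWDER_RE = re.compile(r"^https?://([^:/?#]+\.)*example\.com/")

# The same pattern with the trailing "/" forgotten: one dropped character
# and the rule silently also admits hosts such as example.com.attacker.test.
SLOPPY_RE = re.compile(r"^https?://([^:/?#]+\.)*example\.com")

def regex_allows(pattern: re.Pattern, origin: str) -> bool:
    return pattern.match(origin) is not None

def overmatch_report(intended: re.Pattern, candidate: re.Pattern, origins):
    """Origins the candidate pattern admits but the intended one does not."""
    return [o for o in origins
            if regex_allows(candidate, o) and not regex_allows(intended, o)]

if __name__ == "__main__":
    # Constructed probe origins, including a look-alike host.
    probes = ["http://www.example.com/", "https://example.com/",
              "http://example.com.attacker.test/", "http://notexample.com/"]
    print(overmatch_report(POWDER_RE, SLOPPY_RE, probes))
    # prints ['http://example.com.attacker.test/']
```

Running the report against a list of look-alike origins before publishing a pattern is a cheap way to catch the over-matching Art describes.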

Received on Friday, 6 July 2007 15:27:24 UTC