WEBDAV Security from Judith Slein on 1997-04-10 (w3c-dist-auth@w3.org from April to June 1997)

From: Judith Slein <slein@wrc.xerox.com>
Date: Thu, 10 Apr 1997 13:02:29 PDT
To: w3c-dist-auth@w3.org
Message-Id: <2.2.32.19970410200229.0090f018@pop-server.wrc.xerox.com>

At our IETF working group meeting, a number of people pressed us to add
security issues to the WEBDAV requirements document.  There was a lot of
concern that we are greatly expanding the opportunities for attack, but
saying nothing about security.  There was a sense that we need to say
something about three separate areas:

Authentication
Access Control
Interoperability with existing security protocols

I took an action to start conversations on the mailing list on these topics,
so let me do that.

Authentication: WEBDAV should support Basic and Digest Authentication, just
as HTTP 1.1 does.  Anything beyond this?

Access Control: WEBDAV should provide a way for authors to specify access
control for resources that they create, within bounds set by the server
administrator.  A WEBDAV server should at a minimum be able to use the
access control mechanisms provided by the operating system.  It should also
allow repositories standing behind it to use their own access control
mechanisms.

Interoperability with existing security protocols:  WEBDAV should be able to
interoperate with (which protocols?) to protect both client and server from
attacks on their data, running applications, operating systems, and
hardware; and to protect the integrity and confidentiality of data in transit.

What's different about WEBDAV that it should lead to more serious or
different security problems than HTTP?

We're encouraging people to publish via WEBDAV, and to publish work-in-progress.
We're giving people new tools for organizing materials on the Web.
Links are probably the most fundamental new factor we are introducing.  Can
we (should we) provide a means to limit who can link objects together? Who
can put a link or any other metadata on a resource? Who can put a resource
into a collection?  If a resource belongs to several collections with
different access control rules, which ones apply? 

--Judy
Name:			Judith A. Slein
E-Mail:			slein@wrc.xerox.com
Internal Phone:  	8*222-5169
External Phone:		(716) 422-5169
Fax:			(716) 265-7133
MailStop:		128-29E

Received on Thursday, 10 April 1997 15:59:49 UTC