RE: WEBDAV Security

DAV is an HTTP protocol and thus is able to take full advantage of all
generic HTTP ACL and Security work. I would recommend that the
requirements only identify Security in general and ACLs in particular,
as areas of concern, and then explain that they are out of scope for DAV
because they touch on areas beyond DAV's limited authoring/versioning
scope.

Lets not fall into the trap of trying to solve the world's problems.
ACLs and security are best left to groups who are grabbling with just
those issues.

		Yaron

> -----Original Message-----
> From:	Steve Carter [SMTP:SRCarter@novell.com]
> Sent:	Thursday, April 10, 1997 2:25 PM
> To:	w3c-dist-auth@w3.org; slein@wrc.xerox.com
> Subject:	Re: WEBDAV Security
> 
> Authentication is probably the biggest issue facing us. Without the
> ability to determine the identy of the connection we will not see
> corporations willing to deploy document repositories or versioning
> systems
> via WebDAV. Similarly, ACLs can not be properly implemented and
> administered without being able to determine the identity. All of
> this, of course,
> over an unsecured network - - the Internet.
> 
> I would suggest that the requirements document require that identity
> authentication be a requirement. ACLs are probably a part of the
> repository access model and will be based in the proven identity. As
> far as interaoperability with exisiting security protocols, we need to
> spell
> out which ones and what interoperability will be expected. To just say
> "Interoperable with existing seciruty protocols" is to broad.
> 
> -src
> 
> >>> Judith Slein <slein@wrc.xerox.com> 04/10/97 02:00PM >>>
> At our IETF working group meeting, a number of people pressed us to
> add
> security issues to the WEBDAV requirements document.  There was a lot
> of
> concern that we are greatly expanding the opportunities for attack,
> but
> saying nothing about security.  There was a sense that we need to say
> something about three separate areas:
> 
> Authentication
> Access Control
> Interoperability with existing security protocols
> 
> I took an action to start conversations on the mailing list on these
> topics,
> so let me do that.
> 
> Authentication: WEBDAV should support Basic and Digest Authentication,
> just
> as HTTP 1.1 does.  Anything beyond this?
> 
> Access Control: WEBDAV should provide a way for authors to specify
> access
> control for resources that they create, within bounds set by the
> server
> administrator.  A WEBDAV server should at a minimum be able to use the
> access control mechanisms provided by the operating system.  It should
> also
> allow repositories standing behind it to use their own access control
> mechanisms.
> 
> Interoperability with existing security protocols:  WEBDAV should be
> able to
> interoperate with (which protocols?) to protect both client and server
> from
> attacks on their data, running applications, operating systems, and
> hardware; and to protect the integrity and confidentiality of data in
> transit.
> 
> What's different about WEBDAV that it should lead to more serious or
> different security problems than HTTP?
> 
> We're encouraging people to publish via WEBDAV, and to publish
> work-in-progress.
> We're giving people new tools for organizing materials on the Web.
> Links are probably the most fundamental new factor we are introducing.
> Can
> we (should we) provide a means to limit who can link objects together?
> Who
> can put a link or any other metadata on a resource? Who can put a
> resource
> into a collection?  If a resource belongs to several collections with
> different access control rules, which ones apply? 
> 
> --Judy
> Name:   Judith A. Slein
> E-Mail:   slein@wrc.xerox.com 
> Internal Phone:   8*222-5169
> External Phone:  (716) 422-5169
> Fax:   (716) 265-7133
> MailStop:  128-29E
> 
> 
> !
>    !
> 
> !
>    !
> 
> !
>    !
> 
> 

Received on Wednesday, 16 April 1997 00:20:39 UTC