Re: WEBDAV Security

From: -=jack=- <jack@twaxx.twaxx.com>
Date: Thu, 1 May 1997 08:18:08 -0700 (PDT)
To: "Ron Daniel, Jr." <rdaniel@lanl.gov>
cc: Jon Radoff <jradoff@novalink.com>, w3c-dist-auth@w3.org
Message-ID: <Pine.SGI.3.95.970501080949.26909A-100000@twaxx.twaxx.com>

> Can you imagine the drubbing a vendor would take in the press and
> on the net if they shipped tools without any means for controlling who
> could and could not add pages to a site? Security of the authoring
> environment is a serious issue that will be addressed - if not here
> then by the implementors as they roll out DAV-compliant tools.

Or, worse, DAV-non-compliant tools.... it *will* be done, the question
is *how* and *by who*... I say we tackle it now, while there's little
contest by vendors [so far...]

> only way for the security mechanisms of those tools to stand a chance
> of interoperation is for this group to specify the mechanisms.
I agree...

> The main point of your objection seems to be that current ACL mechanisms
> are not coping with all the complexities of the networked environment,
> therefore we should not do anything about ACLs until a mechanism is found
> that can deal with those complexities. I have some agreement with the
> premise, but disagree totally with the conclusion. If this group can do
> only as much as specify the way to indicate Read/Write/Execute permission
> for Owner/Group/World then I think we will have a 95% solution to the
> problem.
yes, I agree here also.  just don't make it the same as the system/
file system ugo and all's well [don't make sysadmins do yet more work].
I know of some code that's of dubious ownership, but was dev'ed under
govt contract and so might be available, I'd have to check, but it is
one implementation that addresses these issues, and might be helpful to
consider as this group looks at this [acl] issue.  If there's interest
I'll dig into the situation and see if I can contribute it.

> More than good enough for the needs of this group. If implementors
> want to go beyond that to tackle further problems in ACLs, they can use
> that as a selling point. Interoperation is our goal.
yes, we need to set a *good* minimum req's level, and then product
competition should be able to take over from there...

> Regards,
> Ron Daniel Jr.              voice:+1 505 665 0597


(This text composed by voice)
Received on Thursday, 1 May 1997 11:16:55 UTC