- From: Jon Radoff <jradoff@novalink.com>
- Date: Thu, 01 May 1997 13:42:05 -0700
- To: -=jack=- <jack@twaxx.twaxx.com>
- CC: "Ron Daniel, Jr." <rdaniel@lanl.gov>, w3c-dist-auth@w3.org
Clearly, I'm outnumbered as far as putting ACL-type stuff in. But don't take my point the wrong way -- I am not suggesting the absence of it. I'm wary of creating a standard around it in this context because I think people could be resistant to adopting it as a "subcomponent." This is a component of the overall technology that should stand on its own.

An approach that could be taken would be to specify an interface standard that would pass authentication data (user, realm, etc.) to a component that would be responsible for obtaining authorization information, e.g.:

1. Application-layer: "Is 'user' allowed to do 'x'?"
2. Interface communicates with a separate component, which could be a module which would respond appropriately yet pull its information from whatever means of access control are in place (native OS, Web-server control lists, passwd files, etc.)
3. Underlying component does its thing, reports back to the interface, and the application is told by the interface whether the user is authorized or not.

If interoperability is the goal, then the focus should be specifying an _interface_ rather than yet another ACL methodology.

If this sort of direction seems to be of interest, I've written some experimental APIs that implement such a concept which could serve as a starting point. I had previously planned to probe for interest in discussing this as its own subject but if the momentum is here, I am happy to go with it :)

Jon
Received on Thursday, 1 May 1997 13:41:25 UTC
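The three-step arrangement sketched in the message above (application asks "is 'user' allowed to do 'x'?", an interface forwards the authenticated principal to a pluggable backend, the backend answers from whatever store is in place) can be shown concretely. The following is an added example written for this page; it is not code from the thread, from Jon Radoff's experimental APIs, or from any WebDAV implementation. The class names, the `(user, realm)` principal shape, the sample group file and the 200/403 result codes are all assumptions chosen for illustration. It shows two interchangeable backends, one over an in-memory ACL and one over a Unix-style group file, behind one interface, with the application code untouched when the backend is swapped, and with default-deny for unknown actions and foreign realms.

```python
"""Added example of a pluggable authorization interface (not from the original
thread). Application code asks one question; separate backends answer it from
different access-control stores. All names and sample data are assumptions."""
from abc import ABC, abstractmethod
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Authentication data handed across the interface: user plus realm."""
    user: str
    realm: str


class AuthzBackend(ABC):
    """The interface the application codes against; backends are swappable."""

    @abstractmethod
    def is_allowed(self, who: Principal, action: str, resource: str) -> bool:
        ...


class StaticAclBackend(AuthzBackend):
    """Backend over an in-memory ACL of (realm, user, action, path-prefix)."""

    def __init__(self, entries):
        self._entries = list(entries)

    def is_allowed(self, who, action, resource):
        for realm, user, act, prefix in self._entries:
            if (realm, user, act) == (who.realm, who.user, action) \
                    and resource.startswith(prefix):
                return True
        return False  # default deny: no matching grant means "no"


class GroupFileBackend(AuthzBackend):
    """Backend over a Unix-style group file ("name:x:gid:member,member").
    Each action is mapped to the group that confers it, within one realm."""

    def __init__(self, group_text, realm, action_groups):
        self._realm = realm
        self._action_groups = dict(action_groups)
        self._members = {}
        for line in group_text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            name, _pw, _gid, members = line.split(":", 3)
            self._members[name] = {m for m in members.split(",") if m}

    def is_allowed(self, who, action, resource):
        if who.realm != self._realm:
            return False  # principals from another realm are never trusted here
        group = self._action_groups.get(action)
        if group is None:
            return False  # unknown action: deny rather than guess
        return who.user in self._members.get(group, set())


class Application:
    """Application layer: never reads ACLs itself, only asks the interface."""

    def __init__(self, backend: AuthzBackend):
        self._backend = backend

    def handle(self, who, action, resource):
        # Assumed illustrative result codes: 200 allowed, 403 forbidden.
        return 200 if self._backend.is_allowed(who, action, resource) else 403


# Constructed sample group file, not a real system file.
GROUP_FILE = """\
# constructed sample
dav-writers:x:1001:alice,bob
dav-readers:x:1002:alice,bob,carol
"""


def run_demo():
    """Run the same requests through both backends; returns the decisions."""
    alice = Principal("alice", "site")
    carol = Principal("carol", "site")
    outsider = Principal("alice", "other-realm")  # same name, foreign realm

    static_app = Application(StaticAclBackend([
        ("site", "alice", "PUT", "/docs/"),
        ("site", "alice", "GET", "/docs/"),
        ("site", "carol", "GET", "/docs/"),
    ]))
    group_app = Application(GroupFileBackend(
        GROUP_FILE, "site", {"PUT": "dav-writers", "GET": "dav-readers"}))

    results = {}
    for label, app in (("static", static_app), ("groups", group_app)):
        results[label] = {
            "alice PUT /docs/a": app.handle(alice, "PUT", "/docs/a"),
            "carol PUT /docs/a": app.handle(carol, "PUT", "/docs/a"),
            "carol GET /docs/a": app.handle(carol, "GET", "/docs/a"),
            "alice@other-realm PUT": app.handle(outsider, "PUT", "/docs/a"),
            "alice DELETE /docs/a": app.handle(alice, "DELETE", "/docs/a"),
        }
    return results


if __name__ == "__main__":
    for backend, decisions in run_demo().items():
        print(backend, decisions)
```

The point of the demo is that `Application.handle` is identical whichever backend is plugged in, which is what an interface standard buys over a shared ACL format; the two backends are deliberately written so that they return the same decisions on the same inputs, including denying an unmapped action and a principal from a different realm.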