- From: Jim Whitehead <ejw@ics.uci.edu>
- Date: Wed, 21 May 1997 11:08:56 -0700
- To: Dylan Barrell <dbarrell@opentext.ch>, w3c-dist-auth@w3.org
>I agree with all except I believe we should evaluate which authentication >schemes we consider important and ensure that WebDAV can support them. I >think X.500 with X.509 is a good candidate for evaluation. It is also my >belief that we have an opportunity to specify HOW a web server interacts >with a authentication server and should seize this opportunity now - it >might never come our way again. %broken record on While I encourage you to develop a draft which outlines how an HTTP server might interact with an X.500/X.509 server (are these freely available specs?) I still feel that until we develop a set of requirements for access control for WebDAV, we have no way of knowing whether using an X.500/X.509 solution meets our needs. Is it overkill? Is it insufficient? I don't know because we haven't yet determined our access control requirements. Until we do, this is just a solution looking for a problem. %broken record off One way to start eliciting requirements is to develop some usage scenarios for access control. Something along the lines of: "Mary and John are using their web distributed authoring spreadsheet, DistCalc, to collaborate on a departmental budget. Because the budget is sensitive information, after creating the budget spreadsheet resource, but before they enter any information, they change the access permissions on the resource so only they have read and write access to the resource. Once the budget is complete, they add their supervisor to the list of people who have read and write access. When changing access permissions, they use their Web browser, WebView, to pull up the access control page for the spreadsheet resource, which is an HTML form. They know where to find this resource, because they know that on their distributed authoring server, the entry point for access control information is located in /access/. Once on this page, they enter the name of the resource, press the "authenticate" button, exchange authentication information with the server, and are then shown the access permissions page for the resource. They modify the access control information, then press the "Modify" button, causing the form to be sent to the server (along with authentication information) and processed. When access permissions have been changed, they return to working in DistCalc." >Are there any representatives from the two large HTTP server providers >(Microsoft or Netscape) participating on this listserver? Yes. Apache, Jigsaw, NCSA, and probably others too. - Jim
Received on Wednesday, 21 May 1997 14:10:36 UTC