RE: ACL Draft

> ----------
> From: 	Larry Masinter[SMTP:masinter@parc.xerox.com]
> Sent: 	Wednesday, October 22, 1997 2:24 PM
> To: 	Paul Leach
> Cc: 	Howard Palmer; Yaron Goland; w3c-dist-auth@w3.org
> Subject: 	Re: ACL Draft
> 
> > The traditional way of dealing with this is instead to say that the
> > "who" can contain lots of interesting info, such as where you are
> > connecting from. In other words, if it matters (for security purposes)
> > that "who" connecting from home and "who" connecting from work, then
> > they are different "who"s -- i.e., they are different principals.
> 
> The traditional way of dealing with this in systems that support
> ACLs doesn't match the web's way of dealing with this. In this case,
> the user trying to access information has many attributes, only
> one of which is their authenticated identity.
> 
> Now, this can get arbitrarily complex, and I'm not asking that
> it be arbitrarily complex, but at least complex enough to implement
> the *very common* authentication policy on the web: everyone
> from site *.blah.com has access, but users from any other site
> have to log in.
> 
First, with my security hat on:

Basing ACL decisions on unauthenticated information of the kind this
example implies is pretty worthless from a security standpoint, even if
it is common practice. Plaintext passwords are also common practice. We
don't have to continue either, and shouldn't.

If you have strong authentication, then you don't have to rely on hacks
based on the IP address or DNS name of the source host. Or, if we have
to for backwards compatibility, we can not include them in the ACL model
-- aren't they often at the "virtual root" level, and not on individual
files, anyway?

Second, with my ACL hat on:

I don't see your example as a counter-example. The principal is just a
pair (user, source). In your example: (*, *.blah.com) is the principal
-- any user from *.blah.com.

Paul
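The "(user, source) pair" model from the reply above, worked through as an added example. This is illustrative code written for this page, not Paul Leach's code and not the WebDAV ACL draft's model. It assumes glob-style patterns for both halves of the principal, deny-by-default evaluation, and a trust_source flag that stands in for the "security hat" caveat: the source host name is only an unauthenticated reverse-DNS lookup, so an entry whose match depends on it is honored only when the deployment has explicitly decided to trust that attribute.

```python
import fnmatch
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Principal:
    """A principal is the pair (user, source): "*" matches anything."""
    user: str    # authenticated user name, or "*" for any user incl. anonymous
    source: str  # DNS name pattern of the connecting host, or "*"


@dataclass(frozen=True)
class AclEntry:
    principal: Principal
    rights: FrozenSet[str]


@dataclass(frozen=True)
class Request:
    user: Optional[str]  # None when the client did not authenticate
    source: str          # reverse-DNS name of the peer (NOT authenticated)
    right: str           # the right being exercised, e.g. "read"


def _glob(pattern: str, value: str) -> bool:
    # Case-insensitive glob match; "*.blah.com" requires the ".blah.com"
    # suffix, so "x.blah.com.evil.org" does not match.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def allowed(acl: List[AclEntry], req: Request, trust_source: bool = False) -> bool:
    """Deny-by-default: the request is allowed only if some entry grants
    the right to a principal that matches both halves of the request."""
    for entry in acl:
        if req.right not in entry.rights:
            continue
        p = entry.principal
        # User half: a concrete user pattern needs an authenticated user.
        if p.user != "*":
            if req.user is None or not _glob(p.user, req.user):
                continue
        # Source half: a concrete source pattern depends on the peer's
        # DNS name, which is unauthenticated information. Unless the
        # deployment has chosen to trust it, such an entry cannot match.
        if p.source != "*":
            if not trust_source or not _glob(p.source, req.source):
                continue
        return True
    return False


def example_policy() -> List[AclEntry]:
    """The "very common" web policy from the thread, expressed as
    (user, source) principals: anyone from *.blah.com may read, everyone
    else must log in. 'alice' is a constructed sample user."""
    return [
        AclEntry(Principal("*", "*.blah.com"), frozenset({"read"})),
        AclEntry(Principal("alice", "*"), frozenset({"read", "write"})),
    ]


if __name__ == "__main__":
    acl = example_policy()
    anon_inside = Request(None, "www.blah.com", "read")
    anon_outside = Request(None, "host.example.org", "read")
    alice_outside = Request("alice", "host.example.org", "write")
    print("anonymous from blah.com, source trusted:",
          allowed(acl, anon_inside, trust_source=True))    # True
    print("anonymous from blah.com, source untrusted:",
          allowed(acl, anon_inside, trust_source=False))   # False
    print("anonymous from elsewhere:", allowed(acl, anon_outside, True))  # False
    print("alice from elsewhere:", allowed(acl, alice_outside, True))     # True
```

Two things the run makes concrete: the "everyone from *.blah.com" policy is just an ordinary entry once the principal is a pair, so it is not a counter-example to the ACL model; and with trust_source left at its default of False, that same entry grants nothing, which is the "security hat" position that a source host name is not a credential.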

Received on Wednesday, 22 October 1997 20:45:01 UTC