- From: Yaron Goland <yarong@Exchange.Microsoft.com>
- Date: Sun, 16 Jan 2000 17:25:35 -0800
- To: w3c-dist-auth@w3.org
- Message-ID: <7DE119D3D0E15543874F7561EECBDBED02619E1F@BEG.platinum.corp.microsoft.com>
Section 11 of the BIND spec states: "A PROPFIND requesting DAV:bindings MUST return only those bindings that the client is authorized to see." This brings up a couple of questions. The first question is "How do I ever know if I have the definitive list of bindings?" I suspect the answer is "you don't" since there may be bindings you aren't authorized to see. This then brings us to another sentence in section 11 which reads "If the DAV:bindings property exists on a given resource, it MUST contain a complete list of all bindings to that resource." However this means that the dav:bindings property must always return a complete list of bindings which the sentence following it (given at the start of this letter) contradicts. One should never have two MUST level requirements that are in direct contradiction. The reason for the contradiction is that we have raised the bar too high on the contents of the dav:bindings property value. We have already specified that due to security concerns it is absolutely impossible for you to ever be sure that you necessarily have the complete list of bindings. Therefore requiring that the complete list be returned, even as the default in the absence of security concerns, is self defeating. Therefore I move that the language in section 11 be changed to read that the dav:bindings property may contain zero or more of the bindings available on a resource rather than the definitive set since it is impossible to meaningfully require that the definitive set be returned.
Received on Sunday, 16 January 2000 20:26:29 UTC