WebDAV Bindings - Issue Yaron.ApplePie3

Section 11 of the BIND spec states: "A PROPFIND requesting DAV:bindings MUST
return only those bindings that the client is authorized to see."

This brings up a couple of questions. The first question is "How do I ever
know if I have the definitive list of bindings?" I suspect the answer is
"you don't" since there may be bindings you aren't authorized to see.

This then brings us to another sentence in section 11 which reads "If the
DAV:bindings property exists on a given resource, it MUST contain a complete
list of all bindings to that resource."

However, this means that the dav:bindings property must always return a
complete list of bindings which the sentence following it (given at the
start of this letter) contradicts.

One should never have two MUST level requirements that are in direct
contradiction. The reason for the contradiction is that we have raised the
bar too high on the contents of the dav:bindings property value. We have
already specified that due to security concerns it is absolutely impossible
for you to ever be sure that you necessarily have the complete list of
bindings. Therefore requiring that the complete list be returned, even as
the default in the absence of security concerns, is self-defeating.

Therefore I move that the language in section 11 be changed to read that the
dav:bindings property may contain zero or more of the bindings available on
a resource rather than the definitive set since it is impossible to
meaningfully require that the definitive set be returned.

Received on Sunday, 16 January 2000 20:26:29 UTC
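
The following is an added illustration, not part of the original message or of the BIND spec: a small Python model of the authorization filter the message quotes, showing that a client gets the same answer whether or not a hidden binding exists. The collection names, users, ACL table and function names are all constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    collection: str  # hypothetical parent collection holding the binding
    segment: str     # name of the resource inside that collection

# Constructed ACL: which users may see bindings in which collection.
READERS = {
    "/public/": {"alice", "bob"},
    "/team/": {"alice", "bob"},
    "/private/": {"alice"},
}

# Two constructed server states for the same resource: one has an extra
# binding in a collection bob cannot read, the other does not.
STATE_WITH_HIDDEN = [
    Binding("/public/", "r.doc"),
    Binding("/team/", "r.doc"),
    Binding("/private/", "draft.doc"),
]
STATE_WITHOUT_HIDDEN = [
    Binding("/public/", "r.doc"),
    Binding("/team/", "r.doc"),
]

def propfind_bindings(state, user):
    """Return only the bindings `user` is authorized to see."""
    return [b.collection + b.segment
            for b in state
            if user in READERS.get(b.collection, set())]

def is_complete(state, user):
    """Server-side truth the client never learns: was anything filtered?"""
    return len(propfind_bindings(state, user)) == len(state)

def client_can_tell_apart(user):
    """True only if the two server states yield different responses."""
    return (propfind_bindings(STATE_WITH_HIDDEN, user)
            != propfind_bindings(STATE_WITHOUT_HIDDEN, user))

if __name__ == "__main__":
    for name, state in (("with hidden", STATE_WITH_HIDDEN),
                        ("without hidden", STATE_WITHOUT_HIDDEN)):
        for user in ("alice", "bob"):
            print(name, user, propfind_bindings(state, user),
                  "complete" if is_complete(state, user) else "filtered")
    print("bob can distinguish the states:", client_can_tell_apart("bob"))
```

For bob the two states produce identical responses, so no client-side check can establish that the returned list is the definitive one.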