From: Jason Crawford <ccjason@us.ibm.com>
Date: Wed, 28 Apr 2004 19:53:35 -0400
To: Webdav WG <nnw3c-dist-auth___at___w3c.org@smallcue.com>
Message-ID: <OF8D84B3C3.20C730AA-ON85256E84.00820E8B-85256E84.00833F85@us.ibm.com>
> > From my point of view:
> >
> > - There are no restrictions on who a server allows to UNLOCK using a
> > "stolen" lock token. It MAY restrict it to the "owner" of the lock, to
> > the owner and principals holding the DAV:unlock privilege, or not
> > restrict it at all. In particular, there's no requirement that for
> > each lock token there actually *is* an "authenticated owner" (unless
> > you count the ACL spec's "DAV:unauthenticated").
> >
> > - On the other hand, submitting the lock token in an If header (usages
> > != UNLOCK) SHOULD be restricted to whatever the server thinks the
> > "owner" of the lock is.
> >
> > Does this make sense?

I began writing this note intending to suggest that we at least encourage 
some checking of the principal, but after further reflection, I think 
simply mentioning the options as you just did should be sufficient.  It 
should be clear to the reader that there are benefits to making the checks 
without us pushing for that.

Received on Wednesday, 28 April 2004 20:07:06 UTC
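The two rules in the quoted message (a server-chosen policy for UNLOCK with a "stolen" token, and an owner-only restriction on tokens submitted in an If header) expressed as a server-side authorization check. This is an added example, not code from this thread or from any WebDAV server; the `Lock`, `Principal` and `UnlockPolicy` names are this example's own, `DAV:unauthenticated` stands in for the ACL spec's principal of that name, and the If/Lock-Token header parsing follows the Coded-URL syntax of RFC 4918.

```python
"""Lock-token authorization for a WebDAV server (added example).

Models the three UNLOCK policies the quoted message lists and the owner
restriction on tokens submitted in an If header. All names are assumptions
of this example, not an existing server's API.
"""
import re
from dataclasses import dataclass, field
from enum import Enum

# Stand-in for the ACL spec's DAV:unauthenticated principal: the "owner"
# recorded for a lock that was taken without credentials.
UNAUTHENTICATED = "DAV:unauthenticated"


class UnlockPolicy(Enum):
    """The three options the quoted message leaves open for UNLOCK."""
    OWNER_ONLY = "owner"
    OWNER_OR_UNLOCK_PRIVILEGE = "owner-or-DAV:unlock"
    UNRESTRICTED = "anyone"


@dataclass(frozen=True)
class Lock:
    token: str   # opaquelocktoken:... URI
    owner: str   # authenticated principal name, or UNAUTHENTICATED


@dataclass
class Principal:
    name: str
    privileges: set = field(default_factory=set)


# One parenthesised List of an If header, and the Coded-URLs inside it.
_IF_LIST = re.compile(r"\(([^()]*)\)")
_IF_TOKEN = re.compile(r"(Not\s+)?<([^<>]+)>")


def tokens_in_if_header(value: str) -> set:
    """Lock tokens positively asserted by an If header.

    Resource tags outside the parentheses are skipped, entity tags are
    ignored, and a token negated with 'Not' does not count as submitted.
    """
    found = set()
    for lst in _IF_LIST.findall(value):
        for negated, token in _IF_TOKEN.findall(lst):
            if not negated:
                found.add(token)
    return found


def token_in_lock_token_header(value: str):
    """The single Coded-URL carried by an UNLOCK request's Lock-Token header."""
    m = re.fullmatch(r"\s*<([^<>]+)>\s*", value)
    return m.group(1) if m else None


def may_unlock(lock: Lock, who: Principal, policy: UnlockPolicy) -> bool:
    """Whether `who` may remove `lock` under the server's chosen policy."""
    if policy is UnlockPolicy.UNRESTRICTED:
        return True
    if lock.owner == who.name:
        return True
    return (policy is UnlockPolicy.OWNER_OR_UNLOCK_PRIVILEGE
            and "DAV:unlock" in who.privileges)


def may_submit_in_if(lock: Lock, who: Principal) -> bool:
    """Non-UNLOCK use of a token is restricted to whoever the server
    regards as the owner. A lock taken without credentials has
    DAV:unauthenticated as its owner, so only an unauthenticated request
    matches it."""
    return lock.owner == who.name


def authorize(method, headers, locks, who, policy):
    """Decide a request against the locks held on its resource.

    `locks` maps token -> Lock for every lock on the request's resource.
    Returns (allowed, reason).
    """
    if method == "UNLOCK":
        token = token_in_lock_token_header(headers.get("Lock-Token", ""))
        lock = locks.get(token)
        if lock is None:
            return False, "no matching lock token"
        if not may_unlock(lock, who, policy):
            return False, "403 Forbidden: not permitted to remove this lock"
        return True, "lock removed"

    if not locks:
        return True, "resource not locked"
    submitted = tokens_in_if_header(headers.get("If", ""))
    for lock in locks.values():
        # A token submitted by someone other than the owner is treated
        # exactly like a token that was never submitted.
        if lock.token in submitted and may_submit_in_if(lock, who):
            return True, "lock token accepted"
    return False, "423 Locked"


if __name__ == "__main__":
    # Constructed sample: one exclusive lock owned by alice.
    locks = {"opaquelocktoken:a1": Lock("opaquelocktoken:a1", "alice")}
    bob = Principal("bob")
    print(authorize("PUT", {"If": "(<opaquelocktoken:a1>)"}, locks, bob,
                    UnlockPolicy.OWNER_ONLY))
    print(authorize("UNLOCK", {"Lock-Token": "<opaquelocktoken:a1>"}, locks,
                    bob, UnlockPolicy.UNRESTRICTED))
```

The policy choice only affects the UNLOCK branch; the If-header branch always applies the owner check, which is why a principal who merely knows another user's token gets 423 on a PUT even on a server that lets anyone UNLOCK.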
