Re: RFC 3744: deny-before-grant required?

Tim Olsen schrieb:
> Section 8.1.1 
> (
> of RFC 3744 specifies that deny-before-grant is a requirement.  It
> does not follow this with a condition stating that it only applies if
> the constraint is set, as is done for grant-only and no-invert.
> Is this omission of a condition under which this preconditon holds
> intentional?  Is deny-before-grant a requirement?

I don't think it is, that is, I think you have found a bug in the spec.

So I would propose to change the description to:

"(DAV:deny-before-grant): All non-inherited deny ACEs MUST precede all 
non-inherited grant ACEs. This precondition applies only when the ACL 
restrictions of the resource include the DAV:deny-before-grant 
constraint (defined in Section 5.6.3)."

(Geoff, please confirm :-))

Best regards, Julian

Received on Saturday, 1 July 2006 08:13:48 UTC