Re: Thoughts on relation to WebDAV from Julian Reschke on 2008-05-24 (w3c-dist-auth@w3.org from April to June 2008)

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sat, 24 May 2008 18:38:52 +0200
To: Helge Hess <helge.hess@opengroupware.org>
CC: WebDAV <w3c-dist-auth@w3.org>
Message-ID: <4838449C.805@gmx.de>

Helge Hess wrote:
> Just for completeness, I think 501 just says that the collection MKCOL 
> was called on does not support MKCOL. Other collections on the same 
> server might support that method.

Yes. So would that collection be "WebDAV compliant"?

> I think Werner's point is that 403 has specific semantics and I would 
> agree. To me 403 implies that the user could potentially create 
> collections with better credentials. While 501 signals that the server 
> really can't support MKCOL.

Yes.

> That _is_ relevant for the error message reported by the client.

So it's better to say 501 than 403. But are you allowed to say 501 and 
be compliant to RFC2518 at the same time?

> IMHO the confusion started when Julian suggested that a server should 
> return 403 if its a "read-only CardDAV implementation". Note the 
> 'read-only _implementation_'. I think returning 403 would be quite wrong 
> in this case, it should definitely return 501.

What I tried to say is that the "MUST support MKCOL" requirement may 
lead an implementor to return 403 instead of 501, which has zero value 
to a client which is trying to figure out why the request failed.

> As mentioned, practial consequences which immediatly come to mind are:
> - misleading error message towards the user
> - pointless retries with other (higher level) credentials
> 
> 
> As far as I can see levels are just a really minor optimization on the 
> operations a client might attempt (never attempt to LOCK if we already 
> know its not level2, but then we have the method info in OPTIONS 
> anyways?!).
> Maybe the spec puts too much emphasis on levels.

Yes.

Levels are problematic.

+ Clients can rely (sometimes) on specific feature sets (for instance, 
with DeltaV's compliance levels)

+ It's easier to communicate what a server can do

- When clients refuse to do something because the right compliance level 
is missing, server implementors may be tempted to lie (as far as I 
recall, the MS Webfolder client never will try PROPFIND unless OPTIONS 
says level 1 is reported -- so you can't enhance a "simple" HTTP server 
with just PROPFIND support for browsing).

In general I would advise clients to pay attention to the OPTIONS Allow 
response header and to status codes, not compliance levels (and, for 
modern servers, to DAV:supported-live-property-set and 
DAV:supported-method-set).

BR, Julian

Received on Sunday, 25 May 2008 15:40:15 UTC