Security Features

Yaron Goland (yarong@microsoft.com)
Thu, 29 Aug 1996 17:43:11 -0700

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Yaron Goland: "RE: Initial Dist. Auth. Requirements"
Previous message: Roy T. Fielding: "Re: Seiwald Q & A -- "GET for EDIT" cookies"

After reviewing the security related messages on the groups I have 
re-written section 3 of my document.

3. Access Control Features
When I speak of access control I mean the ability to associate a set of 
allowable actions to be performed on a resource by an entity as defined 
under a specified security protocol. Actions are HTTP methods with 
specified associated tags. Resources are a URL or a URL which references a 
group of URLs. Entities are defined by the particular security protocol 
being referenced. The versioning standard should include how to specify 
actions and resources but should only define an extension mechanism for 
defining entities. It would be prudent to include in an appendix a syntax 
for the definition of entities under commonly used HTTP authentication 
methods such as the Authentication tag. Note that a server is not required 
to accept access control suggestions. Each server has its own rules for how 
actions, resources and entities should be divided and is free to enforce 
those views. However error message should be used to inform the user of the 
server's policies.
In addition means must be provided to discover what actions, resources, and 
entities are available. However this information should also be under 
access control. It would seem logical to provide support in HTML for 
specifying access control features so that a server could provide users who 
wish to set access controls with an HTML page whose formatting will help 
the user assign access controls in a matter consistent with the server's 
policies.
As access controls are the primary means for deciding how to share 
information it is critical that we define a standard or each versioning and 
distributed authoring package will define its own. This would not be such a 
bad fate if only one or two people on a site needed to assign access 
privileges. However everyone who owns a resource needs to set the access 
privileges for that resource and if resources are to be shared across 
systems then users who use different versioning and distributed authoring 
packages need to be able to control access to resources on other systems. 
This interoperable world is only feasible if methods to define access 
controls are standardized.

							Yaron

Next message: Yaron Goland: "RE: Initial Dist. Auth. Requirements"
Previous message: Roy T. Fielding: "Re: Seiwald Q & A -- "GET for EDIT" cookies"