[Search] [txt|pdf|bibtex] [Tracker] [WG] [Email] [Nits]

Versions: 00                                                            
WEBDAV Working Group                                 H. Palmer, Netscape
INTERNET-DRAFT                                       November 17, 1997
<draft-ietf-webdav-acreq-00.txt>

Expires May 17, 1998

     Requirements for Access Control within Distributed Authoring
         and Versioning Environments on the World Wide Web


Status of this Memo

This document is an Internet draft. Internet drafts are working
documents of the Internet Engineering Task Force (IETF), its areas and
its working groups. Note that other groups may also distribute working
information as Internet drafts.

Internet Drafts are draft documents valid for a maximum of six months
and can be updated, replaced or obsoleted by other documents at any
time. It is inappropriate to use Internet drafts as reference material
or to cite them as other than as "work in progress".

To learn the current status of any Internet draft please check the
"lid-abstracts.txt" listing contained in the Internet drafts shadow
directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
munnari.oz.au (Pacific Rim), ds.internic.net (US East coast) or
ftp.isi.edu (US West coast). Further information about the IETF can be
found at URL: http://www.ietf.org/

Distribution of this document is unlimited. Please send comments to the
WWW Distributed Authoring and Versioning (WebDAV) mailing list,
<w3c-dist-auth@w3.org>, which may be joined by sending a message with
subject "subscribe" to <w3c-dist-auth-request@w3.org>. Discussions are
archived at URL:

    http://www.w3.org/pub/WWW/Archives/Public/w3c-dist-auth/.

Abstract

To provide a robust model for modifying documents and data within a
distributed World Wide Web authoring environment, it is necessary to
furnish a methodology which controls access to objects.  Access control
may include the ability to read an object, modify an object, or perform
other more advanced functions upon an object.  Access control is
necessary to prevent unauthorized access or modification of objects
within the authoring environment which could lead to unintended loss,
damage or disclosure of data.

This document proposes requirements for the support of access control
within a Web Distributed Authoring and Versioning (WebDAV) environment.
It describes a model for the representation and interpretation of access
control policies, and a set of operations needed to manage policies in
that form.  It is intended that these requirements be supported within
the framework of the proposed WebDAV extensions [WEBDAV1] to HTTP
[HTTP], in the form of additional protocol operations and compliance
requirements for clients and servers

Palmer                                                          [Page 1]


INTERNET-DRAFT     WEBDAV Access Control Requirements      November 1997

1. Introduction

This document proposes WebDAV functionality to support access control in
a Distributed Authoring and Versioning (DAV) environment, as defined by
other specifications produced by the IETF WWW Distributed Authoring and
Versioning working group [WebDAV1,WEBDAV2].  Specifically, this
functionality would enable a Distributed Authoring Tool to discover
access control policies associated with a given resource, to present
those policies in a human-readable form to an end-user, and to set or
modify such policies, as directed by an authorized user.

Although access control policies generally can be formulated in many
ways, it is necessary to define a particular framework within which to
discuss specific requirements for the expression and application of
access control policy information.  This document proposes such a
framework, and then uses it to describe the requirements for DAV
protocol support for the management of access control.

2. Rationale

The IDC report, "The Intranet's Many Faces" [IDC] points to "Central
Administration of user access rights and restrictions" as an essential
benefit of Web-based technology.  Unfortunately, this fundamental
requirement has not been standardized.  Existing Web Server and
Authoring Tool implementations do not have an interoperable mechanism
for assigning access control information to a particular resource or
requesting access control information about a particular resource.

Access control mechanisms in existing Web Servers, such the "htaccess"
mechanism support in NCSA and Apache servers, suggest that Web-based
access control requires a level of flexibility that is not common in the
access control mechanisms of native operating systems.  For example,
Web-based access control often supports access control policies based on
the client's IP address or DNS name.  When user authentication is
desired, Web-based access control allows the requirement for
authentication to be placed selectively on particular resources or
collections of resources, and sometimes supports a choice of user
authentication mechanisms.

Users who authenticate through Web-based user authentication may or may
not have user accounts on the native operating system on which the Web
Server runs.  In some cases, even when a user does have a native
operating system account, it is not used.  For example, the native
operating system identity associated with the Web Server itself may not
enable it to assume the identity of other users for purposes of
accessing the native file system.  In other cases, native operating
system accounts are not created for Web Server users, with the intent to
restrict these users to accessing the system only through the Web
Server.

In spite of the flexibility often provided in formulating Web-based
access control policies, mechanisms for viewing and setting access
controls from Web clients have been limited to proprietary solutions.
In order to realize a standard mechanism for supporting these operations

Palmer                                                          [Page 2]


INTERNET-DRAFT     WEBDAV Access Control Requirements      November 1997

within the framework of the proposed HTTP standard for distributed
authoring, there must be a protocol for conveying access control policy
information between client and server, and for executing operations to
view and set this information.

3. Terminology

Where there is overlap, usage is intended to be consistent with that in
the WebDAV requirements specification [WEBDAV2].

ACE
        An Access Control Entry.  This is the smallest unit of access
        control policy.  It grants or denies a given set of access
        rights to a set of principals.  An ACE is a component of an ACL,
        which is associated with a resource.

ACL
        An Access Control List.  This contains all of the access control
        policies which are directly associated with a particular
        resource.  These policies are expressed as ACEs.

Client
        A program which issues HTTP requests and accepts responses.

Collection
        A collection is a resource that contains other resources, either
        directly or by reference.

Distributed Authoring Tool
        A program which can retrieve a source entity via HTTP, allow
        editing of this entity, and then save/publish this entity to a
        server using HTTP.

Entity
        The information transferred in a request or response.

Hierarchical Collection
        A hierarchical organization of resources.  A hierarchical
        collection is a resource that contains other resources,
        including collections, either directly or by reference.

Principal
        A loosely-defined term which is normally used to refer to a user
        identity that has been associated with a user agent as a result
        of some unspecified authentication protocol exchange between a
        server and the user agent.

Principal Attribute
        A characteristic of a user agent, or of a request to a server
        made by a user agent, which has a particular value that can be
        determined by the server at the time of such a request.  In this
        context, a principal attribute is assumed to be significant in
        the formulation of access control policy on the server.


Palmer                                                          [Page 3]


INTERNET-DRAFT     WEBDAV Access Control Requirements      November 1997

Principal Description
        A description of a set of principal identities, formulated in
        terms of assertions about the values of the principal
        attributes.  A given principal identity will match a given
        principal description, or not, depending on whether the
        principal attribute assertions in the principal description
        evaluate to "true" or "false" with respect to the principal
        attribute values of the principal identity, and also depending
        on how the Boolean results of such evaluations are logically
        combined in the principal description.

Principal Identity
        A specific set of corresponding values for a given set of
        principal attributes.  A server determines these values at the
        time of an access, and a unique set of values defines a unique
        principal identity for purposes of access control.

Property
        Named descriptive information about a resource.

Resource
        A network data object or service that can be identified by a
        URI.

Server
        A program which receives and responds to HTTP requests.

User Agent
        The client that initiates a request.

4. Access Control Framework

This section proposes a conceptual framework to serve as a context for
describing the operation of access control provisions of the WebDAV
protocol.  The main focus of this model are the abstractions used to
describe access control policies, as the main protocol requirement is to
convey access control policy specifications in a form that is meaningful
to compliant clients and servers.  The meaning of an access control
policy specification is defined by how a server interprets it in
determining whether to grant or deny a particular request.  The model
also describes how resources and access control policies are related.

4.1. Access Rights

Access rights are names for types of access to resources.  A given
request to a server may require access to one or more resources, and
potentially different types of access to different resources.  For
example, a server-based "copy" operation would require "read" access to
the resource being copied, and "modify" access to the collection in
which the copy will be created.  Access rights may be categorized as
generic, that is, those which apply to most or all types of resources,
or specialized, that is, those which apply to a particular type of
resource.  For example, generic access rights might include "read",
"modify", and "delete".  For a hypothetical type of resource that

Palmer                                                          [Page 4]


INTERNET-DRAFT     WEBDAV Access Control Requirements      November 1997

represents a bank account, specialized access rights, such as "deposit"
and "withdraw", might be defined.

This specification defines a set of generic access rights that must be
implemented by compliant clients and servers.  WebDAV protocol
specifications should include descriptions of which generic rights are
required to which resources for each defined operation that may be
requested of a server.  The server evaluates the access control policies
associated with referenced resources in order to determine whether the
necessary access rights are granted or denied for a given access.

4.2. Principals

The term, "principal", is often used in security-related discussions to
refer to the identity of an entity involved in some communication.  It
can refer to a person, a program acting as an agent for a person, or a
program with its own associated identity.  It usually seems to abstract
the notion of "who".

In this context, we will normally use the term "principal identity" to
express a related concept.  Specifically, each access to a server has an
associated principal identity, which is usually associated with the user
agent, and which may require the user agent to provide the server with
some kind of authentication credentials.  However, unlike the normal
usage of "principal", we use "principal identity" to refer to a set of
attributes and associated values.  There may be various mechanisms
through which a server obtains values for these attributes.  For
example, a user identity attribute may be obtained through some
authentication protocol, or an IP address of the client may be obtained
from the server's connection state for the client, or some other
attribute may be obtained from an HTTP header.  That is, a principal
identity abstracts not only "who" the client represents, but also other
conditions that may exist at the time of an access, that is, conditions
which are considered relevant to access control policy.

Exactly what is relevant to access control policy is expressed in terms
of "principal attributes".  Each principal attribute has a name that
refers to a particular type of relevant information.  For example, a
principal attribute, "IP", might refer to the IP address of the user
agent, or "user" might refer to an authenticated user name.

In some cases, the value of one principal attribute may be derived from
the value of another.  For example, the value of a principal attribute,
"DNS", representing the DNS name of the user agent, might be determined
via a reverse DNS lookup, using the value of the "IP" attribute.
Similarly, the value of a principal attribute, "group", might be
determined by using the value of the "user" attribute to access a
database which defines the groups to which users belong.

A set of principal identities is described by a "principal description".
The simplest form of a principal description would assert that a
particular principal attribute must have a certain specified value,
e.g.:


Palmer                                                          [Page 5]


INTERNET-DRAFT     WEBDAV Access Control Requirements      November 1997

        isEqual("user", "fred")

More complex principal descriptions may involve several principal
attributes, with more sophisticated assertions about the values of these
attributes, combined in a logical expression, e.g.:

        OR(isMatch("DNS", "*.foo.com"),
           AND(isEqual("user", "fred"), isMatch("DNS", "*.bar.com")))

[Note that the syntax used here to represent principal descriptions is
intended only to demonstrate the desired level of expressive capability,
and nothing more.]

This specification defines a set of principal attributes, types of
principal attribute assertions, and the mechanisms for combining
principal attribute assertions to form principal descriptions.

4.3. Access Control Entry (ACE)

An Access Control Entry is the most fundamental unit of access control
policy.  An ACE contains a list of access rights, a principal
description, and an indication of whether the specified access rights
are to be granted or denied for principal identities which match the
principal description.  An ACE has no applicability to principal
identities which do not match its principal description.

4.4. Access Control List (ACL)

An Access Control List is an ordered list of ACEs which are directly
associated with a given resource.  When policies expressed by the ACEs
in a given ACL are in conflict, the policies expressed by ACEs nearer
the beginning of the list have precedence.  Conflicts can easily arise
when some principal descriptions are very specific, and others more
general.  For example, a principal description that matches a certain
user name, and a principal description that matches a certain group name
may both apply to that user name.  In this case, one would expect the
ACE for the user to be placed before the ACE for the group, on the
assumption that the policy expressed by the user ACE is an exception to
the policy expressed by the group ACE.

The relative specificity of ACEs may not always be well-defined,
depending on the principal attributes being used in their principal
descriptions.  Even if some precedence were assigned to each principal
attribute, the precedence of a principal description involving several
attributes would be problematic to compute at best.  Precedence based on
simple ordering of the ACEs in an ACL is more intuitive, and thus is
less likely to lead to erroneous policies.

Given that ACEs are ordered within an ACL, they are evaluated in that
order.  Evaluation stops either when all requested access rights have
been granted by one or more ACEs, or when any one of the requested
access rights has been denied by one of the ACEs.  ACEs containing
principal descriptions that do not match the current principal identity
have no effect on the outcome of the evaluation.

Palmer                                                          [Page 6]


INTERNET-DRAFT     WEBDAV Access Control Requirements      November 1997

4.5. Inheritance

An ACL which is directly associated with a collection resource may also
apply to the member resources of the collection, in various ways.  The
ACL may be applied only when a new member resource is created in the
collection, not to control the operation of resource creation, but to
assign an initial ACL to the new resource.  This will be known as
"static inheritance".  Alternatively, a collection ACL may apply on
every access to a member resource, supplementing any ACL associated
directly with the member resource, in specifying access control policies
for the resource.  We will refer to this as "dynamic inheritance".

Static and dynamic inheritance are not mutually exclusive, although if
both are supported, it would generally be more useful to allow a
collection to have one statically inherited ACL and one dynamically
inherited ACL, rather than a single ACL that is inherited both
statically and dynamically.  If neither of these ACLs applies to
operations on the collection resource itself, there may be a third ACL
associated with the collection.  Since this third ACL would be like an
ACL associated with a non-collection resource, it will be known as a
"resource ACL".  So a collection may have a "static ACL" and/or a
"dynamic ACL", and all resources, including collections, may have a
resource ACL.  If a static or dynamic ACL is maintained separately from
the resource ACL, it is said to be "inherit-only".

Inheritance may also have the property of being recursive with respect
to the collection hierarchy, meaning that a member resource inherits
ACLs from all collections up from the collection which contains it to
the root of the collection hierarchy.

A server may also support "user-based" inheritance.  That is, if the
server is able to associate user identities with user agents, based on
authentication or some other means, it may also allow an inherit-only
ACL to be associated with a user identity.  The most useful form of
this, from the end-user's perspective, is an ACL that is inherited by
any resource created by that user, that is, a static, inherit-only ACL.
One could also conceive of dynamic, inherit-only ACLs being associated
with user identities.  These might be used to restrict a user's access
rights to all resources, on a per user, rather than per resource basis.

Whether a compliant server supports inheritance (of any form) or not is
beyond the scope of this standard.  However, there are some requirements
which must be met when inheritance is supported, described in the
sections below.

4.5.1. Discovery

It must be possible for a client to discover if a server supports
inheritance, and if so, what kinds of inheritance it supports.
Specifically, the discovery mechanism should make the distinctions in
the type of inheritance supported that have been described above.

4.5.2. Conflict Resolution


Palmer                                                          [Page 7]


INTERNET-DRAFT     WEBDAV Access Control Requirements      November 1997

Just as the ACEs within an ACL may specify conflicting policies, ACLs
which are applied to a resource via inheritance may conflict with each
other or with an ACL associated directly with the resource.  As the
potential conflict between ACEs within an ACL was resolved by specifying
that ACEs are ordered, potential conflict between inherited ACLs, the
resource ACL, and user-based ACLs is also resolved by specifying a
logical ordering or precedence.

In the case of static inheritance, the ACL for a new resource would be
created by copying, in order, ACEs from any user-based ACL, and then
from any static ACL on the collection in which the resource is created,
and then from any static ACL on the collection containing that
collection, and so on, up to the collection root.  The result would be a
single resource ACL for the new resource.

The order is different for dynamic inheritance.  First, any dynamic,
user-based ACL is evaluated, then any dynamic ACL on the collection
root, and so on, down to any dynamic ACL on the collection containing
the resource being access, and finally, any resource ACL on the resource
itself.

The reason for using a different ordering of ACLs for static and dynamic
inheritance is based on assumptions about who would be likely to be able
to modify each type ACL.  For static inheritance, the resulting resource
ACL would probably be subject to subsequent modification by the user who
created the resource.  The ordering for static inheritance therefore
attempts to reflect the most likely desires of that user.  That is, it
assumes that static ACLs on resources lower in the collection hierarchy
are more likely to have been set or influenced by the user than ACLs
higher towards the root of the collection hierarchy.

For dynamic inheritance, the assumption is that dynamic ACLs at
different levels of the collection hierarchy may be administered by
different people.  It is further assumed that dynamic ACLs placed higher
towards the root of the collection hierarchy are administered by the
people who have the most authority to set access control policy, and
therefore the ordering favors ACLs set on higher-level collections.

4.5.3. Distinction of Inherited ACLs

The protocol should include a mechanism for inherited ACLs to be
retrieved and set separately from resource ACLs.  A compliant server
which supports inheritance should use these mechanisms.  Servers should
interpret operations to retrieve and set the ACL of a resource as
applying only to the resource ACL on that resource, and not to any
inherited ACLs.

In general, it should be possible for a compliant client to have no
support for dealing with inheritance.  In this case, the client would
have access only to resource ACLs.  Nevertheless, the actual access
control policies in effect for the client's accesses to server resources
would include any policies expressed in the form of inherited ACLs.



Palmer                                                          [Page 8]


INTERNET-DRAFT     WEBDAV Access Control Requirements      November 1997

4.6. Access to ACLs

A mechanism is required to enforce access control on the retrieval and
modification of ACLs themselves.  Whether this mechanism and a means to
manage it should be within the scope of this specification is currently
unresolved.

4.7. Other Access Control

A compliant server may support other kinds of access control, which are
outside the scope of this protocol.  For example, the access control
policy in effect when no ACLs are present or no ACEs are applicable is a
server implementation decision.  Similarly, a server may implement other
mechanisms which supplement the ACL-specified policies of this
specification.  These mechanisms may be implemented with higher or lower
precedence than the ACL-specified mechanism.  However, to the extent
that such alternate mechanisms are used to exclusion of ACLs, the
usefulness of this protocol with respect to managing access control on
such a server will be diminished.

5. Requirements

This section describes the WebDAV requirements to enable a client to
manage access control policies on a server.

5.1. Discovery

The protocol must provide a way for a client to discover any optional or
extended functionality that may be implemented on a server, without
side-effects.  Compliant servers must be able to respond meaningfully to
discovery operations.

5.1.1. Rationale

It is intended that the access control protocol be extensible with
respect to types of ACEs, principal attributes, and access rights, at
least.  The discovery mechanism is needed so that a client and server
can determine what extensions both of them support.

5.2. Operations

The protocol must enable a client to perform a number of operations with
respect to access control policies which are stored on a server.  These
operations are described in the sections below.

If inheritance is supported, then any of these operations that refer to
the ACL of a resource need to also specify whether the resource ACL, a
static, inherit-only ACL, or a dynamic, inherit-only ACL is the target.

5.2.1. ACL Retrieval

An operation to retrieve an ACL for a given resource must be supported.
This operation must return an ACL in such a way that the contents of the
individual ACEs that comprise an ACL can be interpreted by the client,

Palmer                                                          [Page 9]


INTERNET-DRAFT     WEBDAV Access Control Requirements      November 1997

and in such a way that the ordering of the ACEs within the ACL can be
determined by client.

5.2.1.1. Rationale

Access control policies are represented in the form of ACLs, and clients
need to be able to retrieve them, either to present the access control
policies to a person, or in preparation for making a modification to
them.  It is not necessary to be able to retrieve individual ACEs from
an ACL.

5.2.2. ACL Creation

An operation to create a new ACL for a given resource must be supported.
This operation may allow the specification of an initial list of ACEs to
be included in the new ACL.

5.2.2.1. Rationale

A separate operation is needed to explicitly create an ACL, because an
empty ACL may have different semantics than no ACL.

5.2.3. ACL Deletion

An operation to delete an ACL for a given resource must be supported.
The ACL and any ACEs it contains are deleted.

5.2.3.1. Rationale

A separate operation to delete an ACL is needed because empty ACLs can
exist.

5.2.4. ACE Insertion

An operation to insert a specified ACE into the ACL of a given resource
must be supported.  This operation must allow the ACE to inserted at any
position relative to any ACEs already present in the ACL.

5.2.4.1. Rationale

An operation to insert an ACE into an ACL is needed because the access
control policies which apply to operations on ACLs will quite likely be
at a granularity that specifies for what access rights the current
principal identity is permitted to change access control policy.  This
would effectively restrict the current principal to inserting or
deleting ACEs that contain only the access rights they are allowed to
modify.  If the only way to modify an ACL was to rewrite the entire ACL,
it would be difficult to apply access control at that level of
granularity.

The order of the ACE in the ACL must be specified, because it is
significant in resolving conflicts between ACEs.

5.2.5. ACE Deletion

Palmer                                                         [Page 10]


INTERNET-DRAFT     WEBDAV Access Control Requirements      November 1997

An operation to delete a specified ACE from the ACL of a given resource
must be supported.  The ACE must be specified in a way that uniquely
identifies it.  For example, such a specification might consist of the
complete contents of the ACE and its position in the ACL.  This is
necessary to avoid deleting the wrong ACE in the case where an ACE
insertion operation is performed between the time a client retrieves an
ACL and initiates an ACE deletion operation.

5.2.5.1. Rationale

See 5.2.4.1.

5.2.6. Test Access

An operation to test the access of a specified principal identity to a
given resource must be supported.  The operation includes a list of
access rights, a set of principal attributes and values, and the
resource for which the access rights are to be tested.  The results of
the operation indicate, for each specified access right, whether the
right is granted, denied, or unspecified.  If inheritance is supported,
the results of this operation include its effects.

5.3. ACE Contents

The contents of an ACE must include a list of access rights, a principal
description, and an indication of whether the rights are granted or
denied for matching principal identities.  The protocol may provide for
defining additional types of ACEs.

5.3.1. Rationale

ACEs allow flexibility in describing a principal identity because this
has proven useful in many existing Web servers.

ACEs may contain multiple access rights because it is common to grant or
deny a multiple access rights to the same set of principal identities.

ACEs do not combine granting and denying because that can be achieved
more simply by taking advantage of ACE ordering.

5.4. Principal Description Semantics

The form in which the protocol conveys a principal description must be
capable of expressing arbitrary Boolean expressions involving terms in
the form of principal attribute assertions.  The Boolean operators, AND,
OR, and NOT, must be supported.  The arguments of these operators are
ordered for evaluation purposes, and only as many as necessary are
evaluated in order to determine the result of the operator.  That is,
Boolean operators explicitly employ short-circuiting.

5.4.1. Rationale




Palmer                                                         [Page 11]


INTERNET-DRAFT     WEBDAV Access Control Requirements      November 1997

Many existing Web servers enable principal attribute assertions to be
combined in making access control policy.  Using Boolean operators
provides a uniform, flexible, and predictable way to combine principal
attribute assertions.

Short-circuiting of Boolean operators improves efficiency, and also
helps support deferred authentication.  This concept, which many
existing servers support, is that user authentication is postponed until
it has been established that the access control policy which applies to
the current principal cannot be determined without an authenticated user
identity.  It is a common practice to create access control policies
based solely on IP addresses or DNS names, and thus avoid the need for
user authentication.

5.5. Principal Attribute Assertions

The protocol must provide a way to represent assertions about principal
attributes in the context of a principal description.  The types of
assertions that must be supported for each of the required principal
attributes are described below.  The protocol specification should
define a mechanism for extending the protocol with additional types of
principal attribute assertions.

5.5.1. Equality Assertion

It must be possible to encode an assertion that any given principal
attribute is equal to a specified value.  The exact interpretation of
what constitutes "equality" may vary with the type of principal
attribute involved.  For example, string-valued attributes may be
specified to be case-sensitive or case-insensitive.

5.5.2. Matching Assertion

It must be possible to encode an assertion that any given principal
attribute matches a specified pattern.  The format of a valid pattern
may vary with the type of principal attribute involved.  The protocol
may define several different types of patterns, such as lists or regular
expressions.  Possibly the functionality of asserting equality and of
asserting a match could be captured in a single mechanism.

5.6. Principal Attributes

The protocol must be able to encode attribute assertions involving the
principal attributes specified in the following sections.  It should
provide a mechanism for defining additional principal attributes.

In all cases, it should be possible for a compliant client to present
attribute assertions in a form in which they can be reasonably
understood by a person.  It should also be possible for a client to
encode attribute assertions in the protocol, based on input entered by a
person.

5.6.1. IP Address


Palmer                                                         [Page 12]


INTERNET-DRAFT     WEBDAV Access Control Requirements      November 1997

It must be possible to express an attribute assertion using the client
IP address as the principal attribute.  Such an assertion might involve
a pattern consisting of an IP address and subnet mask, a list, or a
regular expression.

5.6.1.1. Rationale

IP addresses are supported by many Web servers as a way to describe
principals for access control purposes, and this feature is widely used.

5.6.2. DNS Name

It must be possible to express an attribute assertion using the client
DNS name as the principal attribute.  Such an assertion might involve a
pattern consisting of a list or a regular expression.

5.6.2.1. Rationale

DNS names are supported by many Web servers as a way to describe
principals for access control purposes, and this feature is widely used.

5.6.3. User Name

It must be possible to express an attribute assertion using a user name
as the principal attribute.  It must be possible for the server to
interpret values or patterns which are part of such an assertion in
terms of authenticated user identities.

All compliant servers must support an encoding of a user name in a
simple text form that can be directly presented to, or entered by, a
person.  The protocol may also provide for other encodings of a user
name that assume that the client has access to a user database or
directory, in which case it should also provide a mechanism to ensure
that a client and server are using a given such encoding in a consistent
manner.

5.6.3.1. Rationale

User agents may or may not have access to the Directory service (or user
database) used by a server, but if a server supports user
authentication, it always has access to some kind of Directory service,
or at least to an authentication authority which has such access.  If a
client does not have access to the server's Directory service, it is
likely that a person would have to enter text in order to specify a user
identity in a principal description.  All compliant servers need to be
able to handle such text, as literally entered by a person, as a
specification of a user identity.  Likewise, regardless of how a user
identity is represented internally, a compliant server must be able to
send user identities in a principal description in a form suitable for
presentation to a person, since the client may have no way to translate
an opaque user identifier into such a form.

On the other hand, some clients and servers may share a common Directory
service, and should have some way to discover that.  Assuming that the

Palmer                                                         [Page 13]


INTERNET-DRAFT     WEBDAV Access Control Requirements      November 1997

Directory service can translate user identifiers into a form suitable
for human presentation, the client and server could communicate user
identifiers in whatever form is suitable for accessing the Directory.
For example, a client and server which are both LDAP-capable might
convey user identities in the form of LDAP Distinguished Names or LDAP
URLs.

5.7. Access Rights

The protocol should provide for an extensible set of access rights.  In
particular, some resource types or operations may define access rights
which are specialized in applicability to those resource types or
operations.  However, the formulation of access control policies can
often be simplified through the use of a generic access rights, which
are applicable to a broad range of resource types and operations.
Therefore the following sections define a required set of generic access
rights that must be support by compliant clients and server.

It is acceptable if some implementations wish to treat different access
rights as synonymous (e.g., a change to the right controlling "list"
access may simultaneously change both "list" and "read").  However, this
may be done only as specified in the following descriptions of the
generic access rights.

5.7.1. Rationale

The set of access rights needs to be extensible because generic access
rights will not necessarily apply in any intuitive way to all types of
resources and operations.

A generic set of access rights is necessary because it would too
burdensome to require a separate set of access rights to be defined and
used for each new resource type or operation.  Since there is a standard
set of operations which can be applied to many different resource types,
it is consistent to have a generic set of access rights which control
those operations.

Some server implementations may perform mappings between WebDAV access
rights and native file system access rights.  However, in some cases,
not all of the generic rights described here will have distinct,
intuitive mappings to access rights used in the native file system.
Therefore, it is permitted to merge some generic rights with others in
order to facilitate such mappings.

5.7.2. List

A generic access right, known as the "list" access right, determines
whether a particular request to list the contents of a collection
resource will be allowed.  More generally, the "list" right determines
whether a particular request to discover whether a particular resource
exists will be allowed.

The "list" access right may be merged with the "read" access right,
defined below.  When a server does this, the granting or denying of

Palmer                                                         [Page 14]


INTERNET-DRAFT     WEBDAV Access Control Requirements      November 1997

"read" access also grants or denies "list" access.  If a client attempts
to create an ACE containing the "list" right, but not the "read" right,
such a server should return an error indicating that "list" is not
supported as an independent right.

5.7.2.1. Rationale

Experience with file systems has shown that unauthorized access or
attempts at circumventing security policies increase when users have
more information about the contents of the file system.  Therefore, it
is helpful to define an access right that controls whether a user can
obtain this information about a particular resource.

5.7.3. Read

A generic access right, known as the "read" access right, determines
whether a particular request to view the contents of a particular
resource will be allowed.

The "read" access right may also subsume the meaning of the "list"
access right, as specified in section 5.7.2.

5.7.3.1. Rationale

Some resources may contain confidential or sensitive information.  It
should be possible to limit whether a particular user is allowed to read
the contents of a resource.

5.7.4. Modify

A generic access right, known as the "modify" access right, determines
whether a particular request to modify the contents of a particular
resource will be allowed.

The "modify" access right may also subsume the meaning of the "delete"
access right, as specified in section 5.7.5.

5.7.4.1. Rationale

Experience with a wide number of information systems has shown that
different users need the ability to modify different resources.

5.7.5. Delete

A generic access right, known as the "delete" access right, determines
whether a particular request to delete a particular resource will be
allowed.

The "delete" access right may be merged with the "modify" access right,
defined above.  When a server does this, the granting or denying of
"modify" access also grants or denies "delete" access.  If a client
attempts to create an ACE containing the "delete" right, but not the
"modify" right, such a server should return an error indicating that
"delete" is not supported as an independent right.

Palmer                                                         [Page 15]


INTERNET-DRAFT     WEBDAV Access Control Requirements      November 1997

5.7.5.1. Rationale

Experience with file systems has shown that it is sometimes preferable
to permit certain users to modify a particular resource without allowing
them to delete it.

5.7.6. Change Access

A generic access right, known as the "change access" access right,
determines whether a particular request to change an access control
policy will be allowed.

5.7.6.1. Rationale

Experience with file systems has shown that there is a significant
desire to separate the management of information content (what is
contained within the resources when a user reads it) from the manage of
access control structure.  Often, different people in different roles
are responsible for these capabilities, and it may compromise the
intended security plan to allow users to change access control
information about a resource even if they are normally allowed to change
or delete it.

5.8. Security Considerations

Transfer of access control policies between a client and server over an
open network creates the potential for those policies to be modified or
disclosed without proper authorization.  The requirements for the access
control protocol discussed in this document do not include cryptographic
protection of access control policy information, because it is assumed
that this protection can be provided through an implementation of HTTP
over TLS 1.0 or SSL V3.

The use of client IP addresses or DNS names in formulating access
control policies is subject to spoofing attacks.  This risk should be
carefully considered when implementing such policies.  The Web presents
somewhat of a dilemma in that most users have an expectation of
relatively anonymous read access to servers, leaving IP addresses and
DNS names as the only information about clients available to servers to
be used for controlling read access.

It may also be necessary to require other WebDAV protocol operations to
utilize HTTP over a secure transport protocol, in order to fully enforce
access control policies.  If entities are transferred between a client
and server over an open network without cryptographic protection, those
entities are subject to unauthorized disclosure or modification,
regardless of what access control policies are in effect for the
associated resources, and regardless of whether the access control
policies themselves are protected when in transit over the network.






Palmer                                                         [Page 16]


INTERNET-DRAFT     WEBDAV Access Control Requirements      November 1997

6. Copyright

Copyright (C) The Internet Society October 13, 1997. All Rights
Reserved.

This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it or
assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are included
on all such copies and derivative works.  However, this document itself
may not be modified in any way, such as by removing the copyright notice
or references to the Internet Society or other Internet organizations,
except as needed for the purpose of developing Internet standards in
which case the procedures for copyrights defined in the Internet
Standards process must be followed, or as required to translate it into
languages other than English.

The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assignees.

This document and the information contained herein is provided on an "AS
IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK
FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT
INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.

7. Acknowledgments

Parts of this draft were taken from a working draft edited by Jon
Radoff.  Input from the following people has been instrumental in
bringing this document to its current state of completion, although it
does not necessarily reflect a consensus at this time:

Jim Davis, Xerox PARC, jdavis@parc.xerox.com
Yaron Y. Goland, Microsoft, yarong@microsoft.com
Paul Leach, Microsoft, paulle@microsoft.com
Larry Masinter, Xerox PARC, masinter@parc.xerox.com
Jon Radoff, NovaLink, jradoff@novalink.com
Judith Slein, Xerox, slein@wrc.xerox.com
Jim Whitehead, UC Irvine, ejw@ics.uci.edu

8. References

[HTTP] R. Fielding, J. Gettys, J. C. Mogul, H. Frystyk, and
T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2068,
U.C. Irvine, DEC, MIT/LCS, January 1997.

[IDC] T. Julian, R. Villars, "The Intranet's Many Faces,"
Report 11344, International Data Corporation, April 1996.




Palmer                                                         [Page 17]


INTERNET-DRAFT     WEBDAV Access Control Requirements      November 1997

[WEBDAV1] Y. Y. Goland, E. J. Whitehead, Jr., A. Faizi, S. R. Carter, D.
Jensen. "Extensions for Distributed Authoring and Versioning on
the World Wide Web - WEBDAV", Internet Draft, work-in-progress,
draft-ietf-webdav-protocol-04.txt, October 1997.

[WEBDAV2] J. A. Slein, F. Vitali, E. J. Whitehead, Jr., D. Durand,
"Requirements for Distributed Authoring and Versioning on the
World Wide Web." Internet-draft, work-in-progress,
draft-ietf-webdav-requirements-03.txt, September 1997.

8. Author's Address

Howard Palmer
M/S MV061
Netscape Communications Corp.
501 E. Middlefield Rd.
Mountain View, CA. 94043

EMail: hep@acm.org

Expires May 17, 1998


































Palmer                                                         [Page 18]