Re: [Geopriv] RE: [Simple] Changes in xcap-auth

From: Henning Schulzrinne ^lt;hgs@cs.columbia.edu>
Date: Mon Nov 10 2003 - 14:46:07 EST

Jonathan Rosenberg wrote:

> I agree that groups are a separate issue.
>
> However, in xcap, it currently does allow for things like "applies to
> everyone on golf-list, but Joe". It does that by having each group
> defined by an xcap resource (i.e., an http URI) that can be used to
> fetch the group list. Then, membership in the group is determined by
> authenticating as one of the identities in that group.
>
> If you can't fetch the list, the permission isnt granted, and thus its
> privacy safe.

Clearly, fetching group lists adds significant complexity: expiration
(presumably you don't want to fetch it every time) and the inability,
without significant overhead, to implement a permission system using any
reasonably efficient query mechanism.

>
> If, for some reason, a user specifies a rule based on a list in another
> domain, with members in other domains, the server can't authenticate
> those users, and thus permissions are not granted, and thus its privacy
> safe.
>
> You *would* have problems if you could have an exception defined by an
> external list, but I agree we shouldnt do that.
>
> So, given this design and assumptions, I dont see a problem with groups
> per se. There is a scope question, but I dont see a technical problem.

It just makes efficient implementation difficult to impossible.

>
> The main thing is that the semantics are clear. How these things are
> presented to users is something else.

If nothing else, the discussion has hopefully clarified the semantics a
bit beyond what's in the drafts and meeting minutes.

I guess at this point, if anybody wants exceptions beyond that, they
should speak up.

I would also like to get consensus to rule out random wildcard matching
and, less importantly, domain exceptions. Thus,

applies-to: foo.*.example.com

and

applies-to: example.com
except cs.example.com

seem far less useful and add significant complexity.

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www1.ietf.org/mailman/listinfo/geopriv
Received on Mon Nov 10 14:52:30 2003

This archive was generated by hypermail 2.1.8 : Thu Jan 22 2004 - 12:32:24 EST