Re: [Geopriv] RE: [Simple] Changes in xcap-auth

From: Paul Kyzivat <pkyzivat@cisco.com>
Date: Mon Nov 10 2003 - 11:32:54 EST

I've been trying to ignore this, but I just can't.

        Paul

Henning Schulzrinne wrote:
>
>> you can have a pure exception permission. Rather, a permission is
>> always additive, but merely defines the set of users that get added by
>> specifying a base plus a set of users to remove from that base. To be
>> concrete, I would agree that the set of users listed in any except
>> clauses *MUST* also be present in a non-except clause in the same
>> applies-to statement. This guarantees that the overall applies-to
>> statement is purely additive.
>
> This is indeed a useful additional restriction, but the problem is
> deeper than that. You also need to make sure that the same domain or
> userid does not appear in other rules.

Overlapping rules can come about very naturally via wildcarding:

  <applies-to>
    <domain>*.ny.example.com</domain>
    <except>
      <uri>sip:alice@sales.ny.example.com</uri>
    </except>
  </applies-to>

  <applies-to>
    <domain>sales.*.example.com</domain>
  </applies-to>

You can try to legislate that each ruleset covers a unique subset of all
users, but that may be restrictive.

Jonathan Rosenberg wrote:
>
> However, in xcap, it currently does allow for things like "applies to
> everyone on golf-list, but Joe". It does that by having each group
> defined by an xcap resource (i.e., an http URI) that can be used to
> fetch the group list. Then, membership in the group is determined by
> authenticating as one of the identities in that group.
>
> If you can't fetch the list, the permission isn't granted, and thus it's
> privacy safe.

This really provides the poster child for the problem of overlapping lists:

  <applies-to>
    <list>sip:golf-list@example.com</list>
    <except>
      <uri>sip:alice@example.com</uri>
    </except>
  </applies-to>

  <applies-to>
    <list>sip:vp-list@example.com</list>
  </applies-to>

What happens if alice is on both the golf-list and the vp-list? Does it
matter what order the two <applies-to> clauses are mentioned?

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www1.ietf.org/mailman/listinfo/geopriv
Received on Mon Nov 10 18:16:32 2003

This archive was generated by hypermail 2.1.8 : Thu Jan 22 2004 - 12:32:24 EST
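The overlap question in the message above, worked as an added example (not code from the thread or from any xcap-auth implementation): it evaluates both pairs of <applies-to> clauses under two candidate semantics, purely additive union versus order-dependent first match. The group memberships, the AppliesTo structure and the two evaluators are assumptions made for the illustration.

```python
import fnmatch
from dataclasses import dataclass, field

# Constructed membership for the two <list> URIs in the message (assumed data; a
# real server would fetch each list as an XCAP resource over HTTP).
LISTS = {
    "sip:golf-list@example.com": {"sip:alice@example.com", "sip:joe@example.com"},
    "sip:vp-list@example.com": {"sip:alice@example.com", "sip:bob@example.com"},
}

@dataclass
class AppliesTo:
    """One <applies-to> clause: a base of <domain>/<list> entries minus <except> URIs."""
    domains: list = field(default_factory=list)
    lists: list = field(default_factory=list)
    except_uris: set = field(default_factory=set)

def in_base(rule, uri):
    """True if uri falls inside the clause's base, before <except> is applied."""
    host = uri.partition("@")[2]
    if any(fnmatch.fnmatchcase(host, pat) for pat in rule.domains):
        return True
    # A list that cannot be fetched contributes no members, so it fails closed.
    return any(uri in LISTS.get(lst, set()) for lst in rule.lists)

def union_semantics(rules, uri):
    """Purely additive: permitted if any clause, after its own except, covers uri."""
    return any(in_base(r, uri) and uri not in r.except_uris for r in rules)

def first_match_semantics(rules, uri):
    """Order-dependent: the first clause whose base covers uri decides the answer."""
    for r in rules:
        if in_base(r, uri):
            return uri not in r.except_uris
    return False

GOLF_EXCEPT_ALICE = AppliesTo(lists=["sip:golf-list@example.com"],
                              except_uris={"sip:alice@example.com"})
VP = AppliesTo(lists=["sip:vp-list@example.com"])
NY_EXCEPT_ALICE = AppliesTo(domains=["*.ny.example.com"],
                            except_uris={"sip:alice@sales.ny.example.com"})
SALES = AppliesTo(domains=["sales.*.example.com"])

def outcomes(uri, rule_a, rule_b):
    """(union, first-match a-then-b, first-match b-then-a) for one subject URI."""
    return (union_semantics([rule_a, rule_b], uri),
            first_match_semantics([rule_a, rule_b], uri),
            first_match_semantics([rule_b, rule_a], uri))
```

Both of the thread's examples evaluate to (True, False, True): under purely additive union alice is granted in either order, while first-match evaluation flips with clause order, which is exactly the ambiguity the closing question points at.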