Access control and knowledge
Ingrid Melve (Ingrid.Melve@uninett.no)
Thu, 20 Nov 1997 13:52:26 +0100
Web caches and indexing robots are examples of user agents that do not act
on behalf of one end user. The problem of access control when sharing
indexes or caches is not trivial for documents that have access control
based on IP number or domain name, since there is no indication of
access control being used for the particular document.
Several popular web servers permit users to create their own access control,
like Apache does with local .htaccess files, and the local webmaster
may not know about access restrictions. This excludes the use of the robots.txt
file for sharing this information with indexing robots, and the caches
would not be helped.
Cache-control: private has been considered, but it does not
permit sharing information with those in the same realm.
If an extra header indicating that access control was used is sent
with the document, this problem would be solved.
With information of the access list, caches and indexes may still
be shared and give access to the appropriate information
without compromising security. Two access restrictions that easily
lend themselves to this are IP numbers and domain names.
Proposed new header
Restricted: ACL
If the definition of WWW-Authenticate is reused from HTTP/1.1,
the two special cases would be
Restricted: IPnr realm="129.215.0.0/255.255.0.0"
Restricted: Domain realm=".dcs.ed.ac.uk"
This header does not ensure the security of a document, but gives multi-user
agents an opportunity to restrict access. If an unknown realm is encountered,
the indexing robot or cache should treat the document as restricted and not
share information.
Ingrid
(who would rather have sent this message to the HTTP-extensions group or
the web cache protocols group or the HTTPSEC group or the shared indexing
group)
--
Ingrid.Melve@uninett.no UNINETT, N-7034 Trondheim, Norway
Phone +47 73 55 79 07 Fax +47 73 55 79 01
http://domen.uninett.no/~im/eng.html
"Sometimes it is better to light a flamethrower than curse the darkness"
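
The cache-side check the message proposes, as an added example that is not part of the original message or any server's code: a shared cache parses the proposed `Restricted` header and serves a stored document only to clients inside the stated realm, failing closed on anything it does not understand. The function name and the assumption that `client_host` comes from the cache's own forward-confirmed reverse lookup are hypothetical.

```python
import ipaddress
import re

# Header shape taken from the message: Restricted: <type> realm="<value>"
_HEADER = re.compile(r'^\s*(\w+)\s+realm="([^"]*)"\s*$')


def may_serve_from_cache(restricted, client_ip, client_host=None):
    """Decide whether a shared cache may hand a stored document to a client.

    restricted  -- value of the proposed Restricted header, None if absent
    client_ip   -- client address as a string
    client_host -- client name verified by the cache itself (assumption),
                   or None when no verified name is available
    """
    if restricted is None:
        return True  # origin declared no access control
    m = _HEADER.match(restricted)
    if not m:
        return False  # unparseable header: treat as restricted
    acl_type, realm = m.group(1).lower(), m.group(2)
    if acl_type == "ipnr":
        try:
            # Accepts the address/netmask form used in the message.
            net = ipaddress.ip_network(realm, strict=False)
            return ipaddress.ip_address(client_ip) in net
        except ValueError:
            return False  # malformed realm or address: fail closed
    if acl_type == "domain":
        # Require the leading dot so "evildcs.ed.ac.uk" cannot match.
        if not client_host or not realm.startswith("."):
            return False
        return client_host.lower().rstrip(".").endswith(realm.lower())
    return False  # unknown realm type: do not share


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real log.
    ip_acl = 'IPnr realm="129.215.0.0/255.255.0.0"'
    dom_acl = 'Domain realm=".dcs.ed.ac.uk"'
    for acl, ip, host in [
        (ip_acl, "129.215.3.4", None),
        (ip_acl, "129.216.3.4", None),
        (dom_acl, "192.0.2.1", "www.dcs.ed.ac.uk"),
        (dom_acl, "192.0.2.1", "evildcs.ed.ac.uk"),
        ('Kerberos realm="EXAMPLE"', "129.215.3.4", None),
    ]:
        print(acl, ip, host, "->", may_serve_from_cache(acl, ip, host))
```
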