-
Notifications
You must be signed in to change notification settings - Fork 20
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Prioritize formalization of WebACL specification #33
Comments
i implemented an authorization server based on https://github.com/solid/web-access-control-spec . based on that experience, i believe:
the inheritance algorithm is clearly specified (there is exactly one ACL file that applies to a resource, and how
i don't think WAC documents are ambiguous. either the in-force ACL file has an
there is no such thing as an incomplete ACL statement. if there is no "Access Control List" is a misnomer for WAC, because the also, having implemented an authorization server based on WAC, i believe that WAC in its current form is insufficient. see for example gitter conversations at
TL;DR: WAC, while good, is not good enough. |
I have also implemented WAC-based authorization for two completely different servers. Is the specification implementable, as currently written? Yes, certainly Will all implementations enforce WebAC authorization the same way, based on the text of the specification? That is considerably less certain. The point @pmcb55 is making is that there is ambiguity in the language of the current specification that makes it difficult to build independent WebAC implementations that are compatible. Here are some specific examples that build on what @pmcb55 stated above.
Given that description, what is the use of Furthermore, what happens with an ACL such as: <#authorization> a acl:Authorization ;
acl:mode acl:Read, acl:Write ;
acl:agent <https://example.com/webid#me> ;
acl:accessTo <.> ;
acl:default <./some-child-resource> . Would that mean that the Authorization statement is only applied to
Furthermore, the ACL vocabulary defines
|
This confirms earlier observations that the existing draft specs are insufficient. Hence the undertaking of https://github.com/solid/specification/ However, this also brings me to a larger issue: perhaps this panel focused on app authorization is premature, since authorization itself has not been fully fleshed out. I think we should consider either broadening the scope of this panel, or to at least create another panel and acknowledge the dependency. Will create issues. |
Created #36 and solid/process#135 to track. |
@timbl 's interpretation of this is embodied in his implementation, which can be reviewed for some answers. |
I doing a PhD on fomalizing Solid and Access control. I gave in my 2nd year report on April 1st 2019. (Sadly my funding is running very short and so instead of doing this I am spending most of my time looking for programming work. That is helping me get back to programming and tie theory to practice again, but it is not helping me get the thesis finished.) |
I'd like to add to @pmcb55's list, as far as formalizing the WebACL spec, and add the issue of:
|
Of course we'd like a complete formalization of the current WebACL specification (https://github.com/solid/web-access-control-spec), but very specifically we need practical answers for the following questions:
acl:default
, and whether permissions are cumulative or not.acl:origin
is even effective at addressing the security concerns that it is designed to address (and how it is actually supposed to be implemented).If these areas are not sufficiently important for others on this panel, then we'll just suggest answers ourselves (to have them at least recorded), and then implement our system accordingly.
The text was updated successfully, but these errors were encountered: