- From: Henry Story <henry.story@bblfish.net>
- Date: Wed, 14 Nov 2012 14:41:23 +0100
- To: ashok.malhotra@oracle.com
- Cc: public-ldp-wg@w3.org
- Message-Id: <43182062-BB0F-4676-85F9-7157ADEFD26D@bblfish.net>
On 14 Nov 2012, at 14:18, Ashok Malhotra <ashok.malhotra@oracle.com> wrote:

> Hi Andy:
> There are a bunch of cases like this. For example, take personnel records.
> These are typically restricted to HR folks but you can always see your own records.
> Need to think some more about where to draw the line between access control
> and LDP functionality

Why is this problematic? Can you not just use the following rule to do what you want?

    @prefix wac: <http://www.w3.org/ns/auth/acl#> .

    [] wac:accessToClass [ wac:regex "https://oracle.com/u/.*" ];
       wac:mode wac:Read, wac:Write, wac:Control;
       wac:agentClass <https://oracle.com/g/team/admin#it> .

    [] wac:accessToClass [ wac:regex "https://oracle.com/u/123123/.*" ];
       wac:mode wac:Read;
       wac:agent <https://oracle.com/u/123123#i> .

The wac:regex relation does not exist. One should probably use powder, but I wanted to implement something really simple to test this out. It just took a couple of days to write and test:

https://github.com/read-write-web/rww-play/blob/master/app/test/WebACLTestSuite.scala#L147

How to specify regular expressions in WAC would be nice, and would be a topic for discussion for the Access Control Teleconf

http://lists.w3.org/Archives/Public/public-ldp-wg/2012Nov/0156.html

It would be useful to work out what the problem is so I can add it to ACTION-28

> All the best, Ashok
>
> On 11/14/2012 3:04 AM, Andy Seaborne wrote:
>>
>> On 12/11/12 20:48, Henry Story wrote:
>>> Luckily Access Control is orthogonal to LDP
>>
>> I hope that's true but I don't see why it must be so.
>>
>> The LDP spec covers operations on resources and containers and does not mention access control.
>>
>> Use case: I create bugReportSecurity57 about a security issue. I want it restricted because the information contained allows an attacker to exploit the security hole. Bug reports are normally publicly readable.
>>
>> What is the operation flow to create a secure bug report if normally bug reports are publicly readable?
>> (if they are not by default publicly readable, what operation on them makes them so?)
>>
>> Or concretely: what triples are PUT where?
>>
>> Andy
>>
>

Social Web Architect
http://bblfish.net/
Attachments
- application/pkcs7-signature attachment: smime.p7s
Received on Wednesday, 14 November 2012 13:41:57 UTC
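
Added example, not part of the original message or of the rww-play code: a minimal Python evaluator for the two authorizations in the message, treating the hypothetical wac:regex as a pattern anchored at both ends of the resource URL. The second agent URI, the example.org URL and the assumption that the caller has already resolved group membership are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

READ, WRITE, CONTROL = "Read", "Write", "Control"

ADMIN_GROUP = "https://oracle.com/g/team/admin#it"   # wac:agentClass in the message
EMPLOYEE = "https://oracle.com/u/123123#i"           # wac:agent in the message
HR_ADMIN = "https://oracle.com/u/456456#i"           # constructed: a member of ADMIN_GROUP
OFFSITE = "https://example.org/?next=https://oracle.com/u/123123/record"  # constructed


@dataclass(frozen=True)
class Rule:
    pattern: str                        # value of the hypothetical wac:regex
    modes: frozenset                    # wac:mode values
    agent: Optional[str] = None         # wac:agent
    agent_class: Optional[str] = None   # wac:agentClass


# The two authorizations from the message, transcribed as data.
RULES = [
    Rule("https://oracle.com/u/.*", frozenset({READ, WRITE, CONTROL}),
         agent_class=ADMIN_GROUP),
    Rule("https://oracle.com/u/123123/.*", frozenset({READ}), agent=EMPLOYEE),
]


def allowed(agent, classes, resource, mode, rules=RULES, anchored=True):
    """Return True if some rule grants `mode` on `resource` to `agent`.

    `classes` is the set of agent classes the caller has already verified
    the agent belongs to (assumption: membership lookup happens elsewhere).
    `anchored=False` uses re.search and exists only to show why the
    pattern must match the whole URL.
    """
    matcher = re.fullmatch if anchored else re.search
    for rule in rules:
        if not matcher(rule.pattern, resource):
            continue
        if mode not in rule.modes:
            continue
        if rule.agent is not None and rule.agent == agent:
            return True
        if rule.agent_class is not None and rule.agent_class in classes:
            return True
    return False  # default deny: no matching authorization
```

The `.` in `oracle.com` is itself a regex wildcard, so a production pattern should escape the host (for example with `re.escape`) or compare a parsed URL instead.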