[Gen-art] Confidentiality of lock information (BugZilla issue 260), was: [Fwd: Gen-art last call review of draft-ietf-webdav-rfc2518bis-17.txt]
Julian Reschke <julian.reschke@gmx.de> Sat, 17 February 2007 19:04 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HIUrc-0000yZ-6W; Sat, 17 Feb 2007 14:04:52 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HIUrb-0000uk-42 for gen-art@ietf.org; Sat, 17 Feb 2007 14:04:51 -0500
Received: from mail.gmx.net ([213.165.64.20]) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1HIUrY-0004oo-Ms for gen-art@ietf.org; Sat, 17 Feb 2007 14:04:51 -0500
Received: (qmail invoked by alias); 17 Feb 2007 19:04:47 -0000
X-Provags-ID: V01U2FsdGVkX19ohl1LOgNomvg3xhCFgB5xdkESEjPzzDWlNxbBYS 3hdw==
Message-ID: <45D751D1.7040809@gmx.de>
Date: Sat, 17 Feb 2007 20:04:49 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.4) Gecko/20060516 Thunderbird/1.5.0.4 Mnenhy/0.7.4.666
MIME-Version: 1.0
To: WebDAV <w3c-dist-auth@w3.org>
References: <45BF4703.2010906@gmx.de> <45C5ACEC.4050304@gmx.de>
In-Reply-To: <45C5ACEC.4050304@gmx.de>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 52e1467c2184c31006318542db5614d5
Cc: gen-art@ietf.org
Subject: [Gen-art] Confidentiality of lock information (BugZilla issue 260), was: [Fwd: Gen-art last call review of draft-ietf-webdav-rfc2518bis-17.txt]
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
Errors-To: gen-art-bounces@ietf.org
Julian Reschke schrieb: >> Potential security implications of lockdiscovery: s6.8 requires a >> compliant server to support lockdiscovery and expects the response to >> this request to include the names of principals and potentially the lock >> tokens for locks being held on a resource. The privacy implications of >> this are discussed in the Security Considerations but it does not appear >> to be allowed to restrict or deny this request purely on security >> grounds. It is likely that some organizations might consider the >> ability to determine who holds locks is a sensitive matter beyond just >> issues of privacy, and the responses to lockdiscovery might be mediated >> by access controls. > > I agree that this is a problem. The change in RFC2518bis has been done > in an early draft; I don't recall any discussion related to this, nor is > this mentioned in the Changes section. > > Opened issue: > <http://ietf.osafoundation.org:8080/bugzilla/show_bug.cgi?id=260> > ... RFC2518 says in <http://greenbytes.de/tech/webdav/rfc2518.html#rfc.section.13.8>: "The lockdiscovery property returns a listing of who has a lock, what type of lock he has, the timeout type and the time remaining on the timeout, and the associated lock token. The server is free to withhold any or all of this information if the requesting principal does not have sufficient access rights to see the requested data." This was changed in RFC2518bis between drafts 1 and 2, and I'm not aware of any discussion about this, nor is this change recorded in the Changes section. Thus, it probably was unintentional, and I would recommend to restore the old text. Best regards, Julian _______________________________________________ Gen-art mailing list Gen-art@ietf.org https://www1.ietf.org/mailman/listinfo/gen-art
- [Gen-art] Gen-art last call review of draft-ietf-… Elwyn Davies
- [Gen-art] Re: [Fwd: Gen-art last call review of d… Elwyn Davies
- [Gen-art] Re: [Fwd: Gen-art last call review of d… Julian Reschke
- [Gen-art] Re: [Fwd: Gen-art last call review of d… Julian Reschke
- [Gen-art] Re: [Fwd: Gen-art last call review of d… Lisa Dusseault
- [Gen-art] Confidentiality of lock information (Bu… Julian Reschke
- [Gen-art] Unlocking notifications (BugZilla issue… Julian Reschke
- [Gen-art] Re: [Fwd: Gen-art last call review of d… Julian Reschke