DAV ACLs - PowerPoint PPT Presentation

Slides: 15
Provided by: lisad166
Learn more at: https://ics.uci.edu

Transcript and Presenter's Notes

1
DAV ACLs
  • Lisa Lippert
  • Microsoft

2
Agenda
  • Background
    • drafts, terms, how file systems use ACLs
  • Other ACLs efforts
  • Scenarios
  • Goals
    • goals, may-haves, won't-haves

3
Background
  • Drafts
    • draft-ietf-webdav-acl-reqts-00.txt
    • draft-ietf-webdav-acl-00.txt (expired)
  • Terms
    • ACL
    • ACE
    • Principal

4
File System ACLs
  • Resource × principal × right → yes/no
  • Each resource (file or directory) has its own list
  • Each list has entries for various principals and rights
  • Users, groups, All Users principal
  • Common rights: read, write, execute
  • Other rights: list members, read ACLs, write ACLs...
  • Directories may be treated differently than files
  • Access rights may be denied as well as granted
  • Various rules for ownership, inheritance, avoiding conflict

5
Other ACLs efforts
  • LDAP
  • IMAP (RFC 2086)
    • lookup, read, write, insert, post, create, delete, administer, keep seen/unseen info across sessions
    • Rights apply only to mailboxes
  • CAP (Calendar Access Protocol)
  • CAT

6
Scenarios
  • Basic allow read/write scenario
  • Different authors on different resources within one collection
  • Deny access to a member of a group
  • Delegation without relinquishing control
  • High security: no evidence that a hidden file exists

7
Goals
  • Allow access controls to be read and set
  • Support most frequently used rights
    • read, write, delete, add child, list children, delete children, read ACL, write ACL
  • Support grant, deny
  • Allow access controls to apply to resources and collections

8
Goals Continued
  • Flexible principal specification
    • userid domain, group domain, all, all authenticated
  • Ability to add and remove access settings without resetting entire list

9
Inheritance goals
  • Static inheritance
  • Dynamic inheritance

10
Extensibility and Discovery
  • Add new types of rights to resources or types of
    resources
  • Ability to discover new rights

11
Security: Ownership
  • Allow resource managers to grant and deny access to read and write access settings
  • Ownership
  • Owner is the principal to whom permissions cannot be effectively denied
  • Useful to have set owner as well as set ACLs right (solves delegation scenario)
  • Must be supported

12
Security: Encryption
  • To protect the ACL as sensitive data
  • Encryption could reduce chance of snooping
  • Snooping is particularly dangerous when account names are sent across the wire
  • June WG decision
    • There should be on-the-wire protection of ACL data
    • It should be possible to deny unprotected transactions

13
May-have
  • Property-level access control
  • Roles (problematic)
  • Management: easy to block or log ACLs

14
Out of Scope
  • How groups are or should be modeled
  • Use of certificates to prove that a user has access
  • Time-out access control
  • Absolute predictability
  • Sensitivity
  • Delegation