-
Notifications
You must be signed in to change notification settings - Fork 22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security implications of ACL resources on different servers #90
Comments
See this comment on the pull request. TLDR; I think it's safe to remove this statement and do the inverse (which would resolve this issue). If we wanted to retain the flexibility in general, we could limit this specifically for ACLs. However, since we want to have default permission sets for auxiliary resources I think it's better to keep them on same server under the same authority. |
Sharing this comment from @emmettownsend :
Edit: To add to above, the server may also persist the rel=acl relation in the headers even after agents no longer having Control on the resource ie. the expectation being that only agents with Control can observe the relation. |
If the ultimate question to resolve this issue is "Is MUST NOT too strong?" I would agree with @csarven, no it is not too strong. IMO security related information should not be ambiguous. Also, regarding the statement following that "An auxiliary resource that resides on a Solid server MUST adhere to the same interaction model used by other regular Solid resources, except where specified in the definition of that auxiliary resource type." I think that the exceptional portion of the statement is open ended. |
Moving this to WAC repo. There are some related considerations about Groups in https://github.com/solid/web-access-control-spec/blob/main/README-v0.5.0.md#group-listings---authentication-of-external-requests that can be taken up at the same time. |
Noting that the current WAC Editor's Draft allows servers to associate resources and ACL resources, and they can be on different origins. See #web-origin-authorization #uri-origin . |
Rough text from auxiliary resource:
If that goes through...
This entails that an ACL resource can be on a different server.. and so raises security issues that should be addressed.
Will agent(s) controlling a resource on server-A be authorized to request write operations on the ACL on server-B? Ditto the application.
What should happen if/when remote ACL becomes inaccessible (for whatever reason for any period)?
What should happen if/when remote ACL is compromised?
Would the server need to be authenticated and authorized like any other agent in order to:
The text was updated successfully, but these errors were encountered: