From c2a4030f2a074bb91f9a14a92951336fb3607613 Mon Sep 17 00:00:00 2001 From: Kjetil Kjernsmo Date: Tue, 12 Feb 2019 15:01:17 +0100 Subject: [PATCH 01/14] Add namespace prefix for dc --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index c65f289..6548597 100644 --- a/README.md +++ b/README.md @@ -265,6 +265,7 @@ Corresponding `work-groups` Group Listing document: # Contents of https://alice.example.com/work-groups @prefix acl: . @prefix vcard: . +@prefix dc: . <> a acl:GroupListing. From 3843ee2e65e321e5b301ba9df566d55d8e37f918 Mon Sep 17 00:00:00 2001 From: Kjetil Kjernsmo Date: Tue, 12 Feb 2019 16:21:23 +0100 Subject: [PATCH 02/14] Describe the use of timestamps in relation to authorizations --- README.md | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 6548597..82e384c 100644 --- a/README.md +++ b/README.md @@ -211,6 +211,33 @@ and Control) to one of her web resources, located at acl:Control. ``` +## Timestamps and temporal validity + +To help consuming systems manage authorizations, they should provide +timestamps indicating time of issue, last modified and if possible, an +estimate of future validity. For this purpose, properties from the +[Dublin Core metadata terms vocabulary](http://dublincore.org/documents/dcmi-terms/) +should be used, with the namespace `http://purl.org/dc/terms/`, +`dc:issued`, `dc:modified` and `dc:valid` with a valid `xsd:dateTime` +data type should be used, respectively. + +For example, to authorize Alice with read access to a certain Web +resource, and commit to that it is also valid 5 years from last +modification, it should be given as: + +@prefix acl: . +@prefix dc: . +@prefix xsd: . + +<#authorization1> + a acl:Authorization; + dc:issued "2013-09-11T07:18:19+0000"^^xsd:dateTime; + dc:modified "2019-02-12T16:15:15+0000"^^xsd:dateTime; + dc:valid "2024-02-12T16:15:15+0000"^^xsd:dateTime; + acl:agent ; # Alice's WebID + acl:accessTo ; + acl:mode acl:Read. + ## Describing Agents In WAC, we use the term *Agent* to identify *who* is allowed access to various @@ -266,13 +293,14 @@ Corresponding `work-groups` Group Listing document: @prefix acl: . @prefix vcard: . @prefix dc: . +@prefix xsd: . <> a acl:GroupListing. <#Accounting> a vcard:Group; vcard:hasUID ; - dc:created "2013-09-11T07:18:19+0000"^^xsd:dateTime; + dc:issued "2013-09-11T07:18:19+0000"^^xsd:dateTime; dc:modified "2015-08-08T14:45:15+0000"^^xsd:dateTime; # Accounting group members: From 47e6c234975494c1364793b7086c3f2e3f5760f0 Mon Sep 17 00:00:00 2001 From: Kjetil Kjernsmo Date: Tue, 12 Feb 2019 16:56:52 +0100 Subject: [PATCH 03/14] forgot syntax quotes --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 82e384c..0c3d851 100644 --- a/README.md +++ b/README.md @@ -225,6 +225,7 @@ For example, to authorize Alice with read access to a certain Web resource, and commit to that it is also valid 5 years from last modification, it should be given as: +```ttl @prefix acl: . @prefix dc: . @prefix xsd: . @@ -237,6 +238,8 @@ modification, it should be given as: acl:agent ; # Alice's WebID acl:accessTo ; acl:mode acl:Read. +``` + ## Describing Agents From ef0b35adaf6dbd78392e950e5fd72ececfa43b00 Mon Sep 17 00:00:00 2001 From: Kjetil Kjernsmo Date: Tue, 12 Feb 2019 17:18:06 +0100 Subject: [PATCH 04/14] On using the timestamp metadata for caching --- README.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/README.md b/README.md index 0c3d851..13e46dc 100644 --- a/README.md +++ b/README.md @@ -240,6 +240,27 @@ modification, it should be given as: acl:mode acl:Read. ``` +Specialised systems may use these RDF metadata statements to perform +relevant caching operations on individiual authorization resources. + +### HTTP caching implementation + +Systems should use these times if available to manage ACL caches. If +the HTTP protocol is used, `dc:modified` should be used for +[conditional requests](https://tools.ietf.org/html/rfc7232) and +`dc:valid` for [caching](https://tools.ietf.org/html/rfc7234). Note +that an ACL Resource may contain several +`acl:Authorization`s. Therefore, if used, the server must set the +`Last-Modified` header to the most recent `dc:modified`. Also, if the +server uses `dc:valid` to set the `Expires` header and/or to compute +`max-age`, it must use the `dct:valid` that is set to expire +first. Note that an ACL cache must be private. + +This allows specialised clients or proxies to cache individual +authorizations based on the RDF metadata alone, and for legacy Web +caches to use cached copies of ACL Resources in their operations. + + ## Describing Agents From 9abb4ad031fac7c8a8b96a28832d53c9580fb214 Mon Sep 17 00:00:00 2001 From: Kjetil Kjernsmo Date: Wed, 13 Feb 2019 01:15:37 +0100 Subject: [PATCH 05/14] On setting dc:valid in clients --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index 13e46dc..7647af2 100644 --- a/README.md +++ b/README.md @@ -243,6 +243,14 @@ modification, it should be given as: Specialised systems may use these RDF metadata statements to perform relevant caching operations on individiual authorization resources. +While `dc:issued` and `dc:modified` can be set automatically, setting +`dc:valid` requires a commitment from the author of the authorization +that it will not change before the indicated time. Developers of +applications that provides ACL editing are encouraged to help users +set this sensibly, and to warn users that some systems may not update +their ACL, and therefore yield unexpected results. + + ### HTTP caching implementation Systems should use these times if available to manage ACL caches. If From 7d6770bcab2d0b9327ac027099926a165b61dd45 Mon Sep 17 00:00:00 2001 From: Kjetil Kjernsmo Date: Wed, 13 Feb 2019 01:18:29 +0100 Subject: [PATCH 06/14] Servers must use current authorization --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 7647af2..ab864c9 100644 --- a/README.md +++ b/README.md @@ -250,6 +250,11 @@ applications that provides ACL editing are encouraged to help users set this sensibly, and to warn users that some systems may not update their ACL, and therefore yield unexpected results. +Servers that evaluate authorizations to grant or deny access to +resources and uses an ACL cache, must ensure that the ACL cache uses a +current authorization even in the case that `dc:valid` has been set to +a future date. + ### HTTP caching implementation From d3a24a8ad4fff60bd13ec7507aa6cdfca82b3322 Mon Sep 17 00:00:00 2001 From: Kjetil Kjernsmo Date: Wed, 13 Feb 2019 01:26:26 +0100 Subject: [PATCH 07/14] Comment on heuristic freshness (which could cause inconsistencies) --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index ab864c9..7f6d3fd 100644 --- a/README.md +++ b/README.md @@ -273,6 +273,12 @@ This allows specialised clients or proxies to cache individual authorizations based on the RDF metadata alone, and for legacy Web caches to use cached copies of ACL Resources in their operations. +Clients and proxies that +[calculate heuristic freshness](https://tools.ietf.org/html/rfc7234#section-4.2.2) +should take care to ensure the user is not lead to believe that an +authorization is different from the actual authorization on the +server. + ## Describing Agents From 0b7c77f648b414c35ddca1b9ca1fc82f44afc6c8 Mon Sep 17 00:00:00 2001 From: Kjetil Kjernsmo Date: Wed, 13 Feb 2019 01:28:06 +0100 Subject: [PATCH 08/14] minor change --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7f6d3fd..c13684e 100644 --- a/README.md +++ b/README.md @@ -230,7 +230,7 @@ modification, it should be given as: @prefix dc: . @prefix xsd: . -<#authorization1> +<#authorization2> a acl:Authorization; dc:issued "2013-09-11T07:18:19+0000"^^xsd:dateTime; dc:modified "2019-02-12T16:15:15+0000"^^xsd:dateTime; From 1774c825043ce36f0535a18a0b63067b1212d93a Mon Sep 17 00:00:00 2001 From: Kjetil Kjernsmo Date: Wed, 13 Feb 2019 01:29:38 +0100 Subject: [PATCH 09/14] Note on group listings --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index c13684e..3986326 100644 --- a/README.md +++ b/README.md @@ -374,6 +374,9 @@ the following issues: Possible future methods for a server to find out whether a given agent is a member of s group are a matter for future research and possible addition here. +Group listings may also use timestamp predicates, and be cached along +with ACL resources. + ### Public Access (All Agents) To specify that you're giving a particular mode of access to *everyone* From afbcb9875793dc8aa00eccf3cdd381dd7ee137df Mon Sep 17 00:00:00 2001 From: Kjetil Kjernsmo Date: Wed, 13 Feb 2019 01:31:48 +0100 Subject: [PATCH 10/14] Update ToC --- README.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 3986326..d7cf590 100644 --- a/README.md +++ b/README.md @@ -24,16 +24,17 @@ Next](https://www.w3.org/community/ldpnext/)) type systems, such as the 3. [ACL Inheritance Algorithm](#acl-inheritance-algorithm) 4. [Representation Format](#representation-format) 5. [Example WAC Document](#example-wac-document) -6. [Describing Agents](#describing-agents) +6. [Timestamps and temporal validity](#timestamps-and-temporal-validity) +7. [Describing Agents](#describing-agents) * [Singular Agent](#singular-agent) * [Groups](#groups-of-agents) * [Public Access (all Agents)](#public-access-all-agents) * [Anyone logged on (Authenticated Agents)](#authenticated-agents-anyone-logged-on) * [Referring to Origins, i.e. Web Apps](#referring-to-origins-ie-web-apps) -7. [Referring to Resources](#referring-to-resources) -8. [Modes of Access](#modes-of-access) -9. [Default (Inherited) Authorizations](#default-inherited-authorizations) -10. [Not Supported by Design](#not-supported-by-design) +8. [Referring to Resources](#referring-to-resources) +9. [Modes of Access](#modes-of-access) +10. [Default (Inherited) Authorizations](#default-inherited-authorizations) +11. [Not Supported by Design](#not-supported-by-design) ## Overview From 6563a8741adb7938735607dffd28069b7f003307 Mon Sep 17 00:00:00 2001 From: Kjetil Kjernsmo Date: Mon, 18 Feb 2019 00:50:07 +0100 Subject: [PATCH 11/14] Improve language --- README.md | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index d7cf590..9213024 100644 --- a/README.md +++ b/README.md @@ -214,17 +214,18 @@ and Control) to one of her web resources, located at ## Timestamps and temporal validity -To help consuming systems manage authorizations, they should provide -timestamps indicating time of issue, last modified and if possible, an -estimate of future validity. For this purpose, properties from the +Servers should provide timestamps indicating time of issue, last +modified and if possible, an estimate of future validity, to help +systems that manage authorizations. For this purpose, properties from +the [Dublin Core metadata terms vocabulary](http://dublincore.org/documents/dcmi-terms/) should be used, with the namespace `http://purl.org/dc/terms/`, `dc:issued`, `dc:modified` and `dc:valid` with a valid `xsd:dateTime` data type should be used, respectively. -For example, to authorize Alice with read access to a certain Web -resource, and commit to that it is also valid 5 years from last -modification, it should be given as: +For example, the below example authorizes Alice to have read access to +a certain Web resource, and also says that the authorization is valid +5 years from last modification: ```ttl @prefix acl: . @@ -248,8 +249,7 @@ While `dc:issued` and `dc:modified` can be set automatically, setting `dc:valid` requires a commitment from the author of the authorization that it will not change before the indicated time. Developers of applications that provides ACL editing are encouraged to help users -set this sensibly, and to warn users that some systems may not update -their ACL, and therefore yield unexpected results. +set this sensibly. Servers that evaluate authorizations to grant or deny access to resources and uses an ACL cache, must ensure that the ACL cache uses a @@ -274,13 +274,6 @@ This allows specialised clients or proxies to cache individual authorizations based on the RDF metadata alone, and for legacy Web caches to use cached copies of ACL Resources in their operations. -Clients and proxies that -[calculate heuristic freshness](https://tools.ietf.org/html/rfc7234#section-4.2.2) -should take care to ensure the user is not lead to believe that an -authorization is different from the actual authorization on the -server. - - ## Describing Agents From 3b64400173c1337061e8177b086c9e41bed88501 Mon Sep 17 00:00:00 2001 From: Kjetil Kjernsmo Date: Mon, 18 Feb 2019 01:34:17 +0100 Subject: [PATCH 12/14] Elaborate on stale caches --- README.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/README.md b/README.md index 9213024..42fb639 100644 --- a/README.md +++ b/README.md @@ -274,6 +274,28 @@ This allows specialised clients or proxies to cache individual authorizations based on the RDF metadata alone, and for legacy Web caches to use cached copies of ACL Resources in their operations. +### Implementation notes + +Applications may use cached authorizations to improve responsiveness +and usability. Since servers must always use the most recent +authorizations for operations, discrepancies between a client/proxy +cache and what the server uses may arise if an application uses a +stale authorization. That will not be security critical (since the the +server always uses the most recent authorization), but can result +in poor security usability. Developers should in particular be aware of +these two cases: + + 1. A user has previously set a `dct:valid`, but the current user + decides to modify the time and date even though the authorization + previously given would still be valid. In this case, the user + should be warned that some clients may not see the update, and + so, it will be confusing to its users. + 1. Clients and proxies might use the timestamps to calculate heuristic + freshness + [(like suggested in the HTTP specification)](https://tools.ietf.org/html/rfc7234#section-4.2.2). + Like above, this may also result in that an expired authorization + is provided to applications. Heuristic freshness should only be + used with extreme care. ## Describing Agents From d05be543a139a52abbcd4a7e46a83a560ae41e5f Mon Sep 17 00:00:00 2001 From: Kjetil Kjernsmo Date: Mon, 18 Feb 2019 02:11:36 +0100 Subject: [PATCH 13/14] skip namespace for clarity and brevity --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 42fb639..5c2186e 100644 --- a/README.md +++ b/README.md @@ -219,7 +219,7 @@ modified and if possible, an estimate of future validity, to help systems that manage authorizations. For this purpose, properties from the [Dublin Core metadata terms vocabulary](http://dublincore.org/documents/dcmi-terms/) -should be used, with the namespace `http://purl.org/dc/terms/`, +should be used: `dc:issued`, `dc:modified` and `dc:valid` with a valid `xsd:dateTime` data type should be used, respectively. From 50546b6e800a3e2d9ae843ddecf2eb5ab79c1dcf Mon Sep 17 00:00:00 2001 From: Kjetil Kjernsmo Date: Mon, 18 Feb 2019 02:15:12 +0100 Subject: [PATCH 14/14] Minor improvements --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 5c2186e..773e029 100644 --- a/README.md +++ b/README.md @@ -223,7 +223,7 @@ should be used: `dc:issued`, `dc:modified` and `dc:valid` with a valid `xsd:dateTime` data type should be used, respectively. -For example, the below example authorizes Alice to have read access to +For example, the below authorizes Alice to have read access to a certain Web resource, and also says that the authorization is valid 5 years from last modification: @@ -267,7 +267,7 @@ that an ACL Resource may contain several `acl:Authorization`s. Therefore, if used, the server must set the `Last-Modified` header to the most recent `dc:modified`. Also, if the server uses `dc:valid` to set the `Expires` header and/or to compute -`max-age`, it must use the `dct:valid` that is set to expire +`max-age`, it must use the `dc:valid` that is set to expire first. Note that an ACL cache must be private. This allows specialised clients or proxies to cache individual @@ -285,7 +285,7 @@ server always uses the most recent authorization), but can result in poor security usability. Developers should in particular be aware of these two cases: - 1. A user has previously set a `dct:valid`, but the current user + 1. A user has previously set a `dc:valid`, but the current user decides to modify the time and date even though the authorization previously given would still be valid. In this case, the user should be warned that some clients may not see the update, and