Security implications of ACL resources on different servers · Issue #90 · solid/web-access-control-spec · GitHub
Skip to content

Security implications of ACL resources on different servers #90

New issue
New issue
Open
Open
Security implications of ACL resources on different servers#90
Assignees
csarven
@csarven

Description

@csarven
csarven
opened on Apr 27, 2020

Rough text from auxiliary resource:

A given
Solid resource MAY Link to auxiliary resources on a different server under a
different authority, per the configuration of the Solid server on which that
resource resides.

If that goes through...

This entails that an ACL resource can be on a different server.. and so raises security issues that should be addressed.

  • Will agent(s) controlling a resource on server-A be authorized to request write operations on the ACL on server-B? Ditto the application.

  • What should happen if/when remote ACL becomes inaccessible (for whatever reason for any period)?

  • What should happen if/when remote ACL is compromised?

  • Would the server need to be authenticated and authorized like any other agent in order to:

    • name the ACL URI on different server, and making sure that the ACL can be created/modified (because it needs to have a link relation from primary resource to the ACL)
    • delete the associated ACL on different server?

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions