Open pmcb55 opened 5 years ago
i implemented an authorization server based on https://github.com/solid/web-access-control-spec . based on that experience, i believe:
A formal description of the inheritance algorithm with respect to acl:default, and whether permissions are cumulative or not.
the inheritance algorithm is clearly specified (there is exactly one ACL file that applies to a resource, and how acl:default
works). permissions are not cumulative -- only the permissions in the in-force selected ACL matter.
Whether acl:origin is even effective at addressing the security concerns that it is designed to address (and how it is actually supposed to be implemented).
acl:origin
does what it was designed to do. i don't think it is sufficient for the "per-app-per-user" use case though, nor is it consistent with the reality that users can lie to a resource server about what app/origin is being used.
What to do with ACL documents that are semantically ambiguous
i don't think WAC documents are ambiguous. either the in-force ACL file has an acl:Authorization
that grants the desired access, or it doesn't.
What to do with incomplete ACL statements? i.e. Default=DENY or Default=Skip?
there is no such thing as an incomplete ACL statement. if there is no acl:Authorization
that grants an access, then access is denied.
"Access Control List" is a misnomer for WAC, because the acl:Authorization
s aren't ordered (that is, there is no "access control list"). a WAC file comprises an unordered set of authorizations, any of which could permit an attempted access. there's no such thing as "deny" in WAC, so order wouldn't matter anyway. in other words, WAC works by "access is permitted if any authorization rule permits the access".
also, having implemented an authorization server based on WAC, i believe that WAC in its current form is insufficient. see for example gitter conversations at
TL;DR: WAC, while good, is not good enough.
I have also implemented WAC-based authorization for two completely different servers.
Is the specification implementable, as currently written? Yes, certainly
Will all implementations enforce WebAC authorization the same way, based on the text of the specification? That is considerably less certain.
The point @pmcb55 is making is that there is ambiguity in the language of the current specification that makes it difficult to build independent WebAC implementations that are compatible. Here are some specific examples that build on what @pmcb55 stated above.
<> a acl:Authorization
triple? A server could, legitimately, use simple RDFS entailment to infer the presence of that triple, though some implementations require this. It would be helpful if the specification used normative language such as one finds in the LDP Specification:WAC implementations may infer the following triple: one whose subject is the WAC Authorization, whose predicate is rdf:type, and whose object is acl:Authorization, but there is no requirement to materialize this triple in the resource representation.
acl:default
is ambiguous. Here is the comment from the ACL vocabulary:If a resource has no ACL file (it is 404), then access to the resource if given by the ACL of the immediately containing directory, or failing that (404) the ACL of the recursively next containing directory which has an ACL file. Within that ACL file, any Authentication which has that directory as its acl:default applies to the resource. (The highest directory must have an ACL file.)
Given that description, what is the use of acl:default
at all if the next highest container contains any ACL resource (whether that resource has an acl:default
statement or not)? What happens if a resource has no defined ACL document, but its direct parent does contain an ACL document (but that ACL document has no acl:default
statement). And the first ACL document with an acl:default
statement is in the "grand parent" container ACL? Does the inheritance algorithm skip the ACL document in the parent container and only apply the one from the grand parent container? There is ambiguity here.
Furthermore, what happens with an ACL such as:
<#authorization> a acl:Authorization ;
acl:mode acl:Read, acl:Write ;
acl:agent <https://example.com/webid#me> ;
acl:accessTo <.> ;
acl:default <./some-child-resource> .
Would that mean that the Authorization statement is only applied to ./some-child-resource
but not to ./some-other-child-resource
(assuming both lack their own ACL resource)?
acl:origin
may do what it was designed to do (modulo the security concerns about spoofing Origin
headers), but its definition is ambiguous. It is defined in the section about trusted apps, though that section is clearly marked with this warning: NB: this feature was only added recently and is still considered experimental. It's likely to change in the near future.
Furthermore, the ACL vocabulary defines acl:origin
as having an rdfs:domain
of acl:Authorization
-- does that mean that the subject of the acl:origin
triple needs to be the same as the one that grants access to the webID at hand? Or would it have a distinct subject: the specification is silent on this and provides no guidance. The specification also shows examples of using acl:origin
with two properties that are entirely absent from the ACL vocabulary: acl:trustedApp
and acl:trustsForUse
. These examples also do not align with the formal definition of acl:origin
(c.f. acl:origin rdfs:domain acl:Authorization
). Without any definition of those properties, this feature is basically unimplementable, at least not in a way that is guaranteed to work the same as other implementations.
acl:accessToClass
? This is defined in the ACL vocabulary but "not supported by design" by the specification. Does that mean servers "SHOULD NOT implement this feature" or "MUST NOT implement this feature" or does the specification take no stance on that? And in that case, how does this affect portability? Furthermore, what if the acl:accessTo
triple points to a resource in a completely different location? or (as hinted above) what if the acl:default
triple points to a child resource? From the examples, it is clear what a "proper" ACL document could look like, but one needs to assume that a client application (provided it has acl:mode acl:Control
may put all manner of RDF in those resources? And is it legit to put arbitrary RDF in those resources?Will all implementations enforce WebAC authorization the same way, based on the text of the specification? That is considerably less certain.
This confirms earlier observations that the existing draft specs are insufficient. Hence the undertaking of https://github.com/solid/specification/
However, this also brings me to a larger issue: perhaps this panel focused on app authorization is premature, since authorization itself has not been fully fleshed out.
I think we should consider either broadening the scope of this panel, or to at least create another panel and acknowledge the dependency. Will create issues.
@timbl 's interpretation of this is embodied in his implementation, which can be reviewed for some answers.
I doing a PhD on fomalizing Solid and Access control. I gave in my 2nd year report on April 1st 2019. There I located the logics to use, how these need to be tied to the web, and where one can go from there to make a potentially much more flexible system. The remaining year was to be dedicated to using these logics and describe what is happening formally in Solid, as well as potentially go beyond what is currently possible.
(Sadly my funding is running very short and so instead of doing this I am spending most of my time looking for programming work. That is helping me get back to programming and tie theory to practice again, but it is not helping me get the thesis finished.)
I'd like to add to @pmcb55's list, as far as formalizing the WebACL spec, and add the issue of:
Of course we'd like a complete formalization of the current WebACL specification (https://github.com/solid/web-access-control-spec), but very specifically we need practical answers for the following questions:
acl:default
, and whether permissions are cumulative or not.acl:origin
is even effective at addressing the security concerns that it is designed to address (and how it is actually supposed to be implemented).If these areas are not sufficiently important for others on this panel, then we'll just suggest answers ourselves (to have them at least recorded), and then implement our system accordingly.