Security/identity / XML · 2005-06-18

PIs for ACLs

Cafe con Leche reports on a new spec for an incredibly simple mechanism, published as a W3C Note, to control access rights to XML content by means of a processing instruction. Apparently this mechanism is already in use in some voice browser technology, though the authors of the Note acknowledge that it’s not a be-all end-all solution (no kidding) and that no further work is planned.

PIs are generally considered a nasty way to do anything, but I kind of like the platform-neutral, almost naive simplicity of <?access-control?>. It’s such methods that often prove to be the most flexible and successful. Though the document refers to its own lack of deep security-considerations analysis, it doesn’t explicitly acknowledge that it’s accomplishing a relatively sophisticated task: attaching access control policy in-band, right inside the content in question. That sounds suspiciously close to the (normally complicated) world of DRM, doesn’t it?
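To make the in-band idea concrete, here is an added example (not code from the W3C Note or from this post) of a consumer reading the policy out of the document prolog and deciding whether a requesting host may read the content. The `allow`/`deny` pseudo-attribute names, the leading-`*` wildcard matching, deny-wins ordering and the fail-closed default are assumptions of this example; the sample document and host names are constructed.

```python
import re
from xml.dom import minidom

# Constructed sample: policy carried in-band, ahead of the root element.
SAMPLE = """<?xml version="1.0"?>
<?access-control allow="*.example.org" deny="guest.example.org"?>
<prompts><prompt id="1">Welcome</prompt></prompts>"""

# A PI body is opaque text to the XML parser, so pseudo-attributes are parsed by hand.
PSEUDO_ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")


def read_policy(xml_text):
    """Return (allow, deny) pattern lists, or None when no access-control PI exists."""
    doc = minidom.parseString(xml_text)
    allow, deny, found = [], [], False
    for node in doc.childNodes:  # prolog PIs are children of the document node
        if (node.nodeType == node.PROCESSING_INSTRUCTION_NODE
                and node.target == "access-control"):
            found = True
            for name, dq, sq in PSEUDO_ATTR.findall(node.data):
                patterns = (dq or sq).lower().split()
                if name == "allow":
                    allow.extend(patterns)
                elif name == "deny":
                    deny.extend(patterns)
    return (allow, deny) if found else None


def host_matches(host, pattern):
    """Exact match, or suffix match when the pattern starts with '*' (assumed rule)."""
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    return host == pattern


def may_read(xml_text, requester_host):
    """Decide access for requester_host; deny wins, and no policy means no access."""
    policy = read_policy(xml_text)
    if policy is None:
        return False  # assumption: fail closed when the document carries no policy
    allow, deny = policy
    host = requester_host.lower().rstrip(".")
    if any(host_matches(host, p) for p in deny):
        return False
    return any(host_matches(host, p) for p in allow)
```

Because the policy travels with the document, it protects the content only when the retrieving application runs a check like this before exposing the data.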