During last week's IESG call, while discussing webdav acl, Ned pointed out that we had had tried three times to figure out what access control lists should be like (imap, ldap, and now webdav). It's probably wise to take a broader look at the problem, possibly in the form of a workshop. Who on the I* is interested in the question? Who else in the IETF should we drag in? Angelos Keromytis is a natural candidate, plus probably some people from the pki world(s). Others?