I’m not sure, though after thinking about this some more, I think one of the weaknesses of the remote storage spec is the fact that auth and discovery are baked in with the actual storage protocol.

I think we should probably learn from this and when we do get around to implementing ACLs, this could be defined in a separate spec to be a general ACL system, if possible.

What do you think? Any ideas as to how you would implement an ACL system?