Should PUT-to-create c/r in existing container be allowed with only accessTo Write c/? #246

@michielbdejong

The question

Suppose:

  • c/ exists
  • c/ has its own ACL doc, which looks as follows (leaving out prefix etc):
<#Bob>
  a acl:Authorization;
  acl:agent <https://bob.com/#me> ;
  acl:accessTo <c/>;
  acl:mode acl:Write.

Note that Bob's Authorization in the ACL doc of c/ does not contain acl:default, so it does not apply to descendants of c/, only to c/ itself.

Should this request succeed and create c/r?

The facts

  • ESS says 'yes'.
  • NSS, PSS, and CSS say 'no'.
  • For comparison, and in support of 'yes', POST to c/ also only requires accessTo Append, no default permissions required there either.
  • But then again, in support of 'no', with a POST the client doesn't get to choose the URL, and with a PUT they do.

Please vote! :)
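
The two answers described in the issue, as an added example that is not part of the original issue and not code from any of the servers named. It assumes the 'no' answer means Write is also required on the new resource itself, which a not-yet-existing c/r can only receive through acl:default; the function names, the `reading` labels and the `aclWithDefault` variant are hypothetical.

```javascript
// Constructed model for illustration; not code from ESS, NSS, PSS or CSS.
// The authorization from the issue: Bob, accessTo c/, mode Write, no acl:default.
const issueAcl = [
  { agent: 'https://bob.com/#me', accessTo: 'c/', default: null, modes: ['Write'] },
];
// Hypothetical variant: the same authorization with acl:default <c/> added.
const aclWithDefault = [
  { agent: 'https://bob.com/#me', accessTo: 'c/', default: 'c/', modes: ['Write'] },
];

// In WAC, acl:Write also grants acl:Append.
function grants(auth, mode) {
  return auth.modes.includes(mode) ||
    (mode === 'Append' && auth.modes.includes('Write'));
}

// Does the agent hold `mode` on the container itself (acl:accessTo)?
function onContainer(acl, agent, container, mode) {
  return acl.some(a => a.agent === agent && a.accessTo === container && grants(a, mode));
}

// Does the agent hold `mode` on a child that does not exist yet? Such a child
// has no ACL doc of its own, so only acl:default authorizations reach it.
function onNewChild(acl, agent, container, mode) {
  return acl.some(a => a.agent === agent && a.default === container && grants(a, mode));
}

// reading 'container-only'       -> the "yes" answer in the issue
// reading 'container-and-target' -> the "no" answer (assumed to mean: Write is
//                                   also needed on the new resource itself)
function mayCreate(method, acl, agent, container, reading) {
  if (method === 'POST') return onContainer(acl, agent, container, 'Append');
  if (method !== 'PUT') throw new Error(`unsupported method: ${method}`);
  const parentOk = onContainer(acl, agent, container, 'Write');
  if (reading === 'container-only') return parentOk;
  return parentOk && onNewChild(acl, agent, container, 'Write');
}

const bob = 'https://bob.com/#me';
for (const reading of ['container-only', 'container-and-target']) {
  console.log(reading, 'PUT c/r:', mayCreate('PUT', issueAcl, bob, 'c/', reading));
}
```

Under the second reading the PUT is accepted only with an ACL like `aclWithDefault`, while POST is accepted with the issue's ACL under either reading.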
