Netscape Meeting Responses

This discussion about Group Definitions seems to be unnecessarily conflicting with existing definitions of CU Types already codified in iCalendar.

Calendar user type is identified in the ATTENDEE property parameter CUTYPE. The current enumerated values are INDIVIDUAL, GROUP, RESOURCE or UNKNOWN.

--=_alternative 006193F385256872_=-- From owner-ietf-calendar@imc.org Wed Jan 26 13:12:11 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA08240 for ; Wed, 26 Jan 2000 13:12:10 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id JAA01470 for ietf-calendar-bks; Wed, 26 Jan 2000 09:49:06 -0800 (PST) Received: from home.royer.com (adsl-63-195-80-50.dsl.snfc21.pacbell.net [63.195.80.50]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA01451 for ; Wed, 26 Jan 2000 09:49:04 -0800 (PST) Received: from home.royer.com (home.royer.com [192.168.168.10]) by home.royer.com (8.9.1/8.9.1) with ESMTP id JAA17566; Wed, 26 Jan 2000 09:50:27 -0800 (PST) Message-ID: <388F33E2.99FF0F43@home.royer.com> Date: Wed, 26 Jan 2000 09:50:26 -0800 From: Doug Royer Reply-To: ietf-calendar@imc.org X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.6 sun4m) X-Accept-Language: en MIME-Version: 1.0 To: Bob Mahoney CC: ietf-calendar@imc.org Subject: Re: W-19 CAP Group Definitions References: Content-Type: multipart/mixed; boundary="------------35B72F04EF5009DB7BD5B8CB" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a multi-part message in MIME format. --------------35B72F04EF5009DB7BD5B8CB Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Bob Mahoney wrote: > > We need to change our definition of groups. > > We now realize there are two types of groups, Users and Calendars. > > Definitions: > > Users are represented as UPNs. A given UPN can be either a Calendar > User (CU) or a User Group (UG). We do not want to continue using the > term Calendar Group (CG). By looking at a UPN, a CUA cannot > determine whether it is a CU or a UG. Only the CS can expand a UG > into a list of CUs. > > Calendars are represented as CSIDs. A given CSID can be either a > Calendar (C), a Calendar Collection (CC), or a Resource Calendar > (RC). By looking at a CSID, a CUA cannot determine whether it is a > C, CC, or RC. Only the CS can expand a CC into a list of Cs or RCs. > > (There is no syntactic difference between a C and RC. They are only > different in the semantic content that is imposed by the data that > they contain and by their calendar properties.) Where is the definition of "Resource Calendar (RC)". I could make a guess :-) And which properties or property values? From you text above I do not know what an RC is. > Commands: > > We want to keep the EXPAND command from yesterday. EXPAND will > accept a CSID and return one or more Cs or RCs. More than one C or > RC returned implies that the CSID was a CC. > > We want to add a new command called LOOKUP, which will accept a UPN, > and returns one or more CSIDs. More than one CSID returned implies > that the UPN was a UG. > > The reverse lookup from a CSID to a UPN is accomplished by looking at > the owner property of the calendar. We allow more than one owner for a calendar. What would that tell you? And why is it different than just asking for the calendar owner properties? It looks to me as if it is the same as just doing a VQUERY for the calendar owner property values? If so, lets not invent another way to do the same thing. > Read this aloud- it will help. We'll follow up later with revisions > to yesterday's text. > > -Bob --------------35B72F04EF5009DB7BD5B8CB Content-Type: text/x-vcard; charset=us-ascii; name="doug.vcf" Content-Description: Card for Doug Royer Content-Disposition: attachment; filename="doug.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Royer;Doug tel;pager:650-274-8960 or pager@Royer.com tel;cell:650-274-8960 tel;home:650-274-8960 tel;work:805-957-1790 x541 x-mozilla-html:FALSE url:http://Royer.com/People/Doug version:2.1 email;internet:doug@home.royer.com adr;quoted-printable:;;801 Woodside Rd. #14=0D=0ASuite 244;Redwood City;CA;94061;USA x-mozilla-cpt:;0 fn:Doug Royer end:vcard --------------35B72F04EF5009DB7BD5B8CB-- From owner-ietf-calendar@imc.org Wed Jan 26 14:12:58 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA09682 for ; Wed, 26 Jan 2000 14:12:57 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id KAA07899 for ietf-calendar-bks; Wed, 26 Jan 2000 10:21:01 -0800 (PST) Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id KAA07895 for ; Wed, 26 Jan 2000 10:20:59 -0800 (PST) Received: from GRAND-CENTRAL-STATION.MIT.EDU by MIT.EDU with SMTP id AA09551; Wed, 26 Jan 00 13:23:52 EST Received: from melbourne-city-street.MIT.EDU (MELBOURNE-CITY-STREET.MIT.EDU [18.69.0.45]) by grand-central-station.MIT.EDU (8.9.2/8.9.2) with ESMTP id NAA19461; Wed, 26 Jan 2000 13:22:45 -0500 (EST) Received: from [18.177.0.98] (WINGNUT.MIT.EDU [18.177.0.98]) by melbourne-city-street.MIT.EDU (8.9.3/8.9.2) with ESMTP id NAA04132; Wed, 26 Jan 2000 13:22:44 -0500 (EST) Mime-Version: 1.0 X-Sender: bobmah@po12.mit.edu Message-Id: In-Reply-To: <388F33E2.99FF0F43@home.royer.com> References: <388F33E2.99FF0F43@home.royer.com> Date: Wed, 26 Jan 2000 13:22:02 -0500 To: ietf-calendar@imc.org From: Bob Mahoney Subject: Re: W-19 CAP Group Definitions Cc: Bob Mahoney , ietf-calendar@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: >Where is the definition of "Resource Calendar (RC)". I could >make a guess :-) And which properties or property values? From >you text above I do not know what an RC is. We're adding that. :-) > > The reverse lookup from a CSID to a UPN is accomplished by looking at > > the owner property of the calendar. > >We allow more than one owner for a calendar. What would that tell you? That's ok- it doesn't need to be a one-to-one mapping. >And why is it different than just asking for the calendar owner >properties? It looks to me as if it is the same as just doing a VQUERY >for the calendar owner property values? If so, lets not invent >another way to do the same thing. Exactly. We were just including that for the sake of completeness. -Bob From owner-ietf-calendar@imc.org Wed Jan 26 14:55:55 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA10495 for ; Wed, 26 Jan 2000 14:55:54 -0500 (EST) Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id LAA09754 for ietf-calendar-bks; Wed, 26 Jan 2000 11:31:19 -0800 (PST) Received: from home.royer.com (adsl-63-195-80-50.dsl.snfc21.pacbell.net [63.195.80.50]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA09750 for ; Wed, 26 Jan 2000 11:31:18 -0800 (PST) Received: from home.royer.com (home.royer.com [192.168.168.10]) by home.royer.com (8.9.1/8.9.1) with ESMTP id LAA18032; Wed, 26 Jan 2000 11:33:01 -0800 (PST) Message-ID: <388F4BE0.30FBEA0B@home.royer.com> Date: Wed, 26 Jan 2000 11:32:48 -0800 From: Doug Royer Reply-To: ietf-calendar@imc.org X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.6 sun4m) X-Accept-Language: en MIME-Version: 1.0 To: Bob Mahoney CC: ietf-calendar@imc.org Subject: Re: W-19 CAP Group Definitions References: <388F33E2.99FF0F43@home.royer.com> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms47F9AEE196BDB21C66903652" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a cryptographically signed message in MIME format. --------------ms47F9AEE196BDB21C66903652 Content-Type: multipart/mixed; boundary="------------7E73F20F3460FDDD7CBF213F" This is a multi-part message in MIME format. --------------7E73F20F3460FDDD7CBF213F Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Bob Mahoney wrote: > >And why is it different than just asking for the calendar owner > >properties? It looks to me as if it is the same as just doing a VQUERY > >for the calendar owner property values? If so, lets not invent > >another way to do the same thing. > > Exactly. We were just including that for the sake of completeness. Exactly what? :-) Exactly you agree it is not needed as it is the same? Or exactly (because it is not the same) we need it? -Doug --------------7E73F20F3460FDDD7CBF213F Content-Type: text/x-vcard; charset=us-ascii; name="doug.vcf" Content-Description: Card for Doug Royer Content-Disposition: attachment; filename="doug.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Royer;Doug tel;pager:650-274-8960 or pager@Royer.com tel;cell:650-274-8960 tel;home:650-274-8960 tel;work:805-957-1790 x541 x-mozilla-html:FALSE url:http://Royer.com/People/Doug version:2.1 email;internet:doug@home.royer.com adr;quoted-printable:;;801 Woodside Rd. #14=0D=0ASuite 244;Redwood City;CA;94061;USA x-mozilla-cpt:;0 fn:Doug Royer end:vcard --------------7E73F20F3460FDDD7CBF213F-- --------------ms47F9AEE196BDB21C66903652 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature Content-Transfer-Encoding: base64 MIIKpAYJKoZIhvcNAQcCoIIKlTCCCpECAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC CDAwggT6MIIEY6ADAgECAhAV9nEqnM8b86AlSm7V1bgJMA0GCSqGSIb3DQEBBAUAMIHMMRcw FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29y azFGMEQGA1UECxM9d3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L1JQQSBJbmNvcnAuIEJ5 IFJlZi4sTElBQi5MVEQoYyk5ODFIMEYGA1UEAxM/VmVyaVNpZ24gQ2xhc3MgMSBDQSBJbmRp dmlkdWFsIFN1YnNjcmliZXItUGVyc29uYSBOb3QgVmFsaWRhdGVkMB4XDTk5MTAyMDAwMDAw MFoXDTAwMTAxOTIzNTk1OVowggEVMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UE CxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazFGMEQGA1UECxM9d3d3LnZlcmlzaWduLmNvbS9y ZXBvc2l0b3J5L1JQQSBJbmNvcnAuIGJ5IFJlZi4sTElBQi5MVEQoYyk5ODEeMBwGA1UECxMV UGVyc29uYSBOb3QgVmFsaWRhdGVkMTMwMQYDVQQLEypEaWdpdGFsIElEIENsYXNzIDEgLSBO ZXRzY2FwZSBGdWxsIFNlcnZpY2UxGDAWBgNVBAMUD0RvdWdsYXMgTSBSb3llcjEiMCAGCSqG SIb3DQEJARYTZG91Z0Bob21lLnJveWVyLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC gYEAv2PIWJY1kuOozvEfoLqMAefggITPljietkurVEhTBQZU/c2q2c8qCQiIFZ2dP3H/MoEx bVVDmtXsyZrRINk1aWC4yo/dT/3tB3eD41F0KMIpBexD8zN9SfPxzkjaEl/7zD8F6ekERmCU 9irA0zAOF7msHNnxa/InBnZ5f95Y75kCAwEAAaOCAY8wggGLMAkGA1UdEwQCMAAwgawGA1Ud IASBpDCBoTCBngYLYIZIAYb4RQEHAQEwgY4wKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZl cmlzaWduLmNvbS9DUFMwYgYIKwYBBQUHAgIwVjAVFg5WZXJpU2lnbiwgSW5jLjADAgEBGj1W ZXJpU2lnbidzIENQUyBpbmNvcnAuIGJ5IHJlZmVyZW5jZSBsaWFiLiBsdGQuIChjKTk3IFZl cmlTaWduMBEGCWCGSAGG+EIBAQQEAwIHgDCBhgYKYIZIAYb4RQEGAwR4FnZkNDY1MmJkNjNm MjA0NzAyOTI5ODc2M2M5ZDJmMjc1MDY5YzczNTliZWQxYjA1OWRhNzViYzRiYzk3MDE3NDdk YTVkM2YyMTQxYmVhZGIyYmQyZTg5MjFmYTk2YmY1ZDcxMTQ5OWNhM2JlNDdmNWYzZWE0NTBj MDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL2NsYXNzMS5jcmww DQYJKoZIhvcNAQEEBQADgYEAWuXwK5FbAAU1urGBob5PPRQiCOUeWNQIkDr2F0WECiYnJfeG iawEVMS1PxsIe6BJ9MDxOvz0XyQhNsAXbv/hf0vhy398cd5ICKTpMMeyEEVX6IEVgXcpcyJf N7HKbfQZgRngT3uh/IXSObtFt+cC03VTG12Dic6EfyWihGAmeb0wggMuMIICl6ADAgECAhEA 0nYujRQMPX2yqCVdr+4NdTANBgkqhkiG9w0BAQIFADBfMQswCQYDVQQGEwJVUzEXMBUGA1UE ChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGljIFByaW1hcnkgQ2Vy dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTgwNTEyMDAwMDAwWhcNMDgwNTEyMjM1OTU5WjCB zDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5l dHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9yeS9SUEEgSW5jb3Jw LiBCeSBSZWYuLExJQUIuTFREKGMpOTgxSDBGBgNVBAMTP1ZlcmlTaWduIENsYXNzIDEgQ0Eg SW5kaXZpZHVhbCBTdWJzY3JpYmVyLVBlcnNvbmEgTm90IFZhbGlkYXRlZDCBnzANBgkqhkiG 9w0BAQEFAAOBjQAwgYkCgYEAu1pEigQWu1X9A3qKLZRPFXg2uA1Ksm+cVL+86HcqnbnwaLuV 2TFBcHqBS7lIE1YtxwjhhEKrwKKSq0RcqkLwgg4C6S/7wju7vsknCl22sDZCM7VuVIhPh0q/ Gdr5FegPh7Yc48zGmo5/aiSS4/zgZbqnsX7vyds3ashKyAkG5JkCAwEAAaN8MHowEQYJYIZI AYb4QgEBBAQDAgEGMEcGA1UdIARAMD4wPAYLYIZIAYb4RQEHAQEwLTArBggrBgEFBQcCARYf d3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L1JQQTAPBgNVHRMECDAGAQH/AgEAMAsGA1Ud DwQEAwIBBjANBgkqhkiG9w0BAQIFAAOBgQCIuDc73dqUNwCtqp/hgQFxHpJqbS/28Z3TymQ4 3BuYDAeGW4UVag+5SYWklfEXfWe0fy0s3ZpCnsM+tI6q5QsG3vJWKvozx74Z11NMw73I4xe1 pElCY+zCphcPXVgaSTyQXFWjZSAA/Rgg5V+CprGoksVYasGNAzzrw80FopCubjGCAjwwggI4 AgEBMIHhMIHMMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24g VHJ1c3QgTmV0d29yazFGMEQGA1UECxM9d3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L1JQ QSBJbmNvcnAuIEJ5IFJlZi4sTElBQi5MVEQoYyk5ODFIMEYGA1UEAxM/VmVyaVNpZ24gQ2xh c3MgMSBDQSBJbmRpdmlkdWFsIFN1YnNjcmliZXItUGVyc29uYSBOb3QgVmFsaWRhdGVkAhAV 9nEqnM8b86AlSm7V1bgJMAkGBSsOAwIaBQCggbEwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEH ATAcBgkqhkiG9w0BCQUxDxcNMDAwMTI2MTkzMjUzWjAjBgkqhkiG9w0BCQQxFgQU1a9FDyj9 JtkwIYpsq7qaH/9RD0swUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0DBzAOBggqhkiG9w0D AgICAIAwBwYFKw4DAgcwDQYIKoZIhvcNAwICAUAwDQYIKoZIhvcNAwICASgwDQYJKoZIhvcN AQEBBQAEgYBsd2O7Uoyky4IMagYSzIOWYi7TsWR7Sb7xs/61JQnhgkQWR5a5TxfqUvqExBci E7KBOl8lumlIShCDOKYXaqX7Gc8QU6Q8UREdtw4jn9JEFyU9eXX7z52QznWe06sEo+BADb6+ CmNXtU9M1UPjuhqTgtKCcGDUKrQxijz4pHchIg== --------------ms47F9AEE196BDB21C66903652-- From owner-ietf-calendar@imc.org Wed Jan 26 15:03:17 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA10705 for ; Wed, 26 Jan 2000 15:03:17 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id LAA10026 for ietf-calendar-bks; Wed, 26 Jan 2000 11:39:19 -0800 (PST) Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id LAA10022 for ; Wed, 26 Jan 2000 11:39:18 -0800 (PST) Received: from GRAND-CENTRAL-STATION.MIT.EDU by MIT.EDU with SMTP id AA07337; Wed, 26 Jan 00 14:42:11 EST Received: from melbourne-city-street.MIT.EDU (MELBOURNE-CITY-STREET.MIT.EDU [18.69.0.45]) by grand-central-station.MIT.EDU (8.9.2/8.9.2) with ESMTP id OAA11618; Wed, 26 Jan 2000 14:41:03 -0500 (EST) Received: from [18.177.0.98] (WINGNUT.MIT.EDU [18.177.0.98]) by melbourne-city-street.MIT.EDU (8.9.3/8.9.2) with ESMTP id OAA28963; Wed, 26 Jan 2000 14:41:03 -0500 (EST) Mime-Version: 1.0 X-Sender: bobmah@po12.mit.edu Message-Id: In-Reply-To: <388F4BE0.30FBEA0B@home.royer.com> References: <388F33E2.99FF0F43@home.royer.com> <388F4BE0.30FBEA0B@home.royer.com> Date: Wed, 26 Jan 2000 14:40:50 -0500 To: ietf-calendar@imc.org From: Bob Mahoney Subject: Re: W-19 CAP Group Definitions Cc: Bob Mahoney , ietf-calendar@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: >Exactly what? :-) > >Exactly you agree it is not needed as it is the same? > >Or exactly (because it is not the same) we need it? Sorry! "We included this for completeness only in our email (not the CAP text)- you are correct that it is the same as a VQUERY against a Calendar." We should have made the statement: > The reverse lookup from a CSID to a UPN is accomplished by looking at > the owner property of the calendar. read: "The reverse lookup from a CSID to one or more UPNs is accomplished by issuing a VQUERY and looking at the OWNER attribute." -Bob From owner-ietf-calendar@imc.org Wed Jan 26 15:17:16 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA10866 for ; Wed, 26 Jan 2000 15:17:15 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id LAA10341 for ietf-calendar-bks; Wed, 26 Jan 2000 11:49:59 -0800 (PST) Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id LAA10337 for ; Wed, 26 Jan 2000 11:49:57 -0800 (PST) Received: from GRAND-CENTRAL-STATION.MIT.EDU by MIT.EDU with SMTP id AA11317; Wed, 26 Jan 00 14:52:48 EST Received: from melbourne-city-street.MIT.EDU (MELBOURNE-CITY-STREET.MIT.EDU [18.69.0.45]) by grand-central-station.MIT.EDU (8.9.2/8.9.2) with ESMTP id OAA12865; Wed, 26 Jan 2000 14:45:23 -0500 (EST) Received: from [18.177.0.98] (WINGNUT.MIT.EDU [18.177.0.98]) by melbourne-city-street.MIT.EDU (8.9.3/8.9.2) with ESMTP id OAA00416; Wed, 26 Jan 2000 14:45:22 -0500 (EST) Mime-Version: 1.0 X-Sender: bobmah@po12.mit.edu Message-Id: In-Reply-To: References: Date: Wed, 26 Jan 2000 14:45:09 -0500 To: From: Bob Mahoney Subject: Re: W-19 CAP Group Definitions Cc: ietf-calendar@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: >Do you all realize we already differentiate in RFC2445 different CUTYPEs? > >This discussion about Group Definitions seems to be unnecessarily >conflicting with existing definitions of CU Types already codified >in iCalendar. > >Calendar user type is identified in the ATTENDEE property parameter >CUTYPE. The current enumerated values are INDIVIDUAL, GROUP, >RESOURCE or UNKNOWN. We need to start carefully distinguishing between calendars and users. ATTENDEEs are calendars, and should be referred to by CSIDs. We're not adding new group semantics to a CSID. A CUA cannot distinguish between a C, a CC, or an RC. However, if the CU knows that this CSID refers to a group or resource, the CU could instruct their CUA to use the CUTYPE of GROUP or RESOURCE. However, the CS must take every CSID and evaluate it for expansion as a potential CC. -Bob From owner-ietf-calendar@imc.org Wed Jan 26 16:17:35 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA11582 for ; Wed, 26 Jan 2000 16:17:34 -0500 (EST) Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id MAA11410 for ietf-calendar-bks; Wed, 26 Jan 2000 12:39:16 -0800 (PST) Received: from home.royer.com (adsl-63-195-80-50.dsl.snfc21.pacbell.net [63.195.80.50]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA11406 for ; Wed, 26 Jan 2000 12:39:14 -0800 (PST) Received: from home.royer.com (home.royer.com [192.168.168.10]) by home.royer.com (8.9.1/8.9.1) with ESMTP id MAA18990; Wed, 26 Jan 2000 12:40:57 -0800 (PST) Message-ID: <388F5BCF.CBB94BA2@home.royer.com> Date: Wed, 26 Jan 2000 12:40:47 -0800 From: Doug Royer Reply-To: ietf-calendar@imc.org X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.6 sun4m) X-Accept-Language: en MIME-Version: 1.0 To: Bob Mahoney , ietf-calendar@imc.org Subject: Re: W-19 CAP Group Definitions References: <388F33E2.99FF0F43@home.royer.com> <388F4BE0.30FBEA0B@home.royer.com> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------msB2150ACBD492FFD6D9F66B75" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a cryptographically signed message in MIME format. --------------msB2150ACBD492FFD6D9F66B75 Content-Type: multipart/mixed; boundary="------------F6AA351B9AD9F29D18955E70" This is a multi-part message in MIME format. --------------F6AA351B9AD9F29D18955E70 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Bob Mahoney wrote: > > >Exactly what? :-) > > > >Exactly you agree it is not needed as it is the same? > > > >Or exactly (because it is not the same) we need it? > > Sorry! > > "We included this for completeness only in our email (not the CAP > text)- you are correct that it is the same as a VQUERY against a > Calendar." > > We should have made the statement: > > > The reverse lookup from a CSID to a UPN is accomplished by looking at > > the owner property of the calendar. > > read: > > "The reverse lookup from a CSID to one or more UPNs is accomplished > by issuing a VQUERY and looking at the OWNER attribute." > > -Bob Sorry - I associated it with the LOOKUP command. So now I am confused differently. > > We want to add a new command called LOOKUP, which will accept a UPN, > > and returns one or more CSIDs. More than one CSID returned implies > > that the UPN was a UG. If my UPN is UPN-doug, and I own X different calendars, What would you get back? One CSID for each calendar? Or are you saying that if 'LOOKUP UPN-doug' returns more than one CSID then any reference to UPN-doug applies to ALL of those CSID's. What do you do with that information? Why is it needed? Can you authenticate with a UG UPN? If not, when would you see them? If you can authenticate with a UG UPN, do your operations apply to all CSID's that it expands to? If so, we are introducing transaction problems and we have deferred that to CAP-. If the CS says you do not have permission to access that information, what feature(s) do you loose? I can still VQUERY on the CSID's, I can still authenticate as UPN-doug. I am not sure what LOOKUP does for me other than allow a CUA to look at the list (what for?). If the CS (in previous email to this list) says that a UG can be dynamicily altered and MUST NOT treat a UG as a static list. What is to keep the LOOKUP results from being invalid the instant they are returned? It looks to me that it allows a CUA to store a static list? Which looks to me as if it also should not be allowed. So I do not yet see a need for LOOKUP. > > The reverse lookup from a CSID to a UPN is accomplished by looking at > > the owner property of the calendar. > --------------F6AA351B9AD9F29D18955E70 Content-Type: text/x-vcard; charset=us-ascii; name="doug.vcf" Content-Description: Card for Doug Royer Content-Disposition: attachment; filename="doug.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Royer;Doug tel;pager:650-274-8960 or pager@Royer.com tel;cell:650-274-8960 tel;home:650-274-8960 tel;work:805-957-1790 x541 x-mozilla-html:FALSE url:http://Royer.com/People/Doug version:2.1 email;internet:doug@home.royer.com adr;quoted-printable:;;801 Woodside Rd. #14=0D=0ASuite 244;Redwood City;CA;94061;USA x-mozilla-cpt:;0 fn:Doug Royer end:vcard --------------F6AA351B9AD9F29D18955E70-- --------------msB2150ACBD492FFD6D9F66B75 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature Content-Transfer-Encoding: base64 MIIKpAYJKoZIhvcNAQcCoIIKlTCCCpECAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC CDAwggT6MIIEY6ADAgECAhAV9nEqnM8b86AlSm7V1bgJMA0GCSqGSIb3DQEBBAUAMIHMMRcw FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29y azFGMEQGA1UECxM9d3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L1JQQSBJbmNvcnAuIEJ5 IFJlZi4sTElBQi5MVEQoYyk5ODFIMEYGA1UEAxM/VmVyaVNpZ24gQ2xhc3MgMSBDQSBJbmRp dmlkdWFsIFN1YnNjcmliZXItUGVyc29uYSBOb3QgVmFsaWRhdGVkMB4XDTk5MTAyMDAwMDAw MFoXDTAwMTAxOTIzNTk1OVowggEVMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UE CxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazFGMEQGA1UECxM9d3d3LnZlcmlzaWduLmNvbS9y ZXBvc2l0b3J5L1JQQSBJbmNvcnAuIGJ5IFJlZi4sTElBQi5MVEQoYyk5ODEeMBwGA1UECxMV UGVyc29uYSBOb3QgVmFsaWRhdGVkMTMwMQYDVQQLEypEaWdpdGFsIElEIENsYXNzIDEgLSBO ZXRzY2FwZSBGdWxsIFNlcnZpY2UxGDAWBgNVBAMUD0RvdWdsYXMgTSBSb3llcjEiMCAGCSqG SIb3DQEJARYTZG91Z0Bob21lLnJveWVyLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC gYEAv2PIWJY1kuOozvEfoLqMAefggITPljietkurVEhTBQZU/c2q2c8qCQiIFZ2dP3H/MoEx bVVDmtXsyZrRINk1aWC4yo/dT/3tB3eD41F0KMIpBexD8zN9SfPxzkjaEl/7zD8F6ekERmCU 9irA0zAOF7msHNnxa/InBnZ5f95Y75kCAwEAAaOCAY8wggGLMAkGA1UdEwQCMAAwgawGA1Ud IASBpDCBoTCBngYLYIZIAYb4RQEHAQEwgY4wKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZl cmlzaWduLmNvbS9DUFMwYgYIKwYBBQUHAgIwVjAVFg5WZXJpU2lnbiwgSW5jLjADAgEBGj1W ZXJpU2lnbidzIENQUyBpbmNvcnAuIGJ5IHJlZmVyZW5jZSBsaWFiLiBsdGQuIChjKTk3IFZl cmlTaWduMBEGCWCGSAGG+EIBAQQEAwIHgDCBhgYKYIZIAYb4RQEGAwR4FnZkNDY1MmJkNjNm MjA0NzAyOTI5ODc2M2M5ZDJmMjc1MDY5YzczNTliZWQxYjA1OWRhNzViYzRiYzk3MDE3NDdk YTVkM2YyMTQxYmVhZGIyYmQyZTg5MjFmYTk2YmY1ZDcxMTQ5OWNhM2JlNDdmNWYzZWE0NTBj MDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL2NsYXNzMS5jcmww DQYJKoZIhvcNAQEEBQADgYEAWuXwK5FbAAU1urGBob5PPRQiCOUeWNQIkDr2F0WECiYnJfeG iawEVMS1PxsIe6BJ9MDxOvz0XyQhNsAXbv/hf0vhy398cd5ICKTpMMeyEEVX6IEVgXcpcyJf N7HKbfQZgRngT3uh/IXSObtFt+cC03VTG12Dic6EfyWihGAmeb0wggMuMIICl6ADAgECAhEA 0nYujRQMPX2yqCVdr+4NdTANBgkqhkiG9w0BAQIFADBfMQswCQYDVQQGEwJVUzEXMBUGA1UE ChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGljIFByaW1hcnkgQ2Vy dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTgwNTEyMDAwMDAwWhcNMDgwNTEyMjM1OTU5WjCB zDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5l dHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9yeS9SUEEgSW5jb3Jw LiBCeSBSZWYuLExJQUIuTFREKGMpOTgxSDBGBgNVBAMTP1ZlcmlTaWduIENsYXNzIDEgQ0Eg SW5kaXZpZHVhbCBTdWJzY3JpYmVyLVBlcnNvbmEgTm90IFZhbGlkYXRlZDCBnzANBgkqhkiG 9w0BAQEFAAOBjQAwgYkCgYEAu1pEigQWu1X9A3qKLZRPFXg2uA1Ksm+cVL+86HcqnbnwaLuV 2TFBcHqBS7lIE1YtxwjhhEKrwKKSq0RcqkLwgg4C6S/7wju7vsknCl22sDZCM7VuVIhPh0q/ Gdr5FegPh7Yc48zGmo5/aiSS4/zgZbqnsX7vyds3ashKyAkG5JkCAwEAAaN8MHowEQYJYIZI AYb4QgEBBAQDAgEGMEcGA1UdIARAMD4wPAYLYIZIAYb4RQEHAQEwLTArBggrBgEFBQcCARYf d3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L1JQQTAPBgNVHRMECDAGAQH/AgEAMAsGA1Ud DwQEAwIBBjANBgkqhkiG9w0BAQIFAAOBgQCIuDc73dqUNwCtqp/hgQFxHpJqbS/28Z3TymQ4 3BuYDAeGW4UVag+5SYWklfEXfWe0fy0s3ZpCnsM+tI6q5QsG3vJWKvozx74Z11NMw73I4xe1 pElCY+zCphcPXVgaSTyQXFWjZSAA/Rgg5V+CprGoksVYasGNAzzrw80FopCubjGCAjwwggI4 AgEBMIHhMIHMMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24g VHJ1c3QgTmV0d29yazFGMEQGA1UECxM9d3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L1JQ QSBJbmNvcnAuIEJ5IFJlZi4sTElBQi5MVEQoYyk5ODFIMEYGA1UEAxM/VmVyaVNpZ24gQ2xh c3MgMSBDQSBJbmRpdmlkdWFsIFN1YnNjcmliZXItUGVyc29uYSBOb3QgVmFsaWRhdGVkAhAV 9nEqnM8b86AlSm7V1bgJMAkGBSsOAwIaBQCggbEwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEH ATAcBgkqhkiG9w0BCQUxDxcNMDAwMTI2MjA0MDQ5WjAjBgkqhkiG9w0BCQQxFgQUOA/ffiZy Y38Y+wxeUfn3/8W3Og0wUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0DBzAOBggqhkiG9w0D AgICAIAwBwYFKw4DAgcwDQYIKoZIhvcNAwICAUAwDQYIKoZIhvcNAwICASgwDQYJKoZIhvcN AQEBBQAEgYAQXS4/p+xMyaJvgFpCrObFrQ4l/7ErZLYmEEH/XnIU7q8z1DhtbWHsHFAZSIjO SPJRKr4aIOnMMySS34Rr5k2DTRow19w9m/Nen7p8pZpuruVow+dpaGZ6Tcowv7xsC2CpIOcV b1aAj4rSRNMuGozzy4VFryBYIpZkQiWPor9v7w== --------------msB2150ACBD492FFD6D9F66B75-- From owner-ietf-calendar@imc.org Wed Jan 26 16:27:32 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA11719 for ; Wed, 26 Jan 2000 16:27:31 -0500 (EST) Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id MAA11642 for ietf-calendar-bks; Wed, 26 Jan 2000 12:47:14 -0800 (PST) Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id MAA11638 for ; Wed, 26 Jan 2000 12:47:12 -0800 (PST) Received: from GRAND-CENTRAL-STATION.MIT.EDU by MIT.EDU with SMTP id AA02411; Wed, 26 Jan 00 15:50:04 EST Received: from melbourne-city-street.MIT.EDU (MELBOURNE-CITY-STREET.MIT.EDU [18.69.0.45]) by grand-central-station.MIT.EDU (8.9.2/8.9.2) with ESMTP id PAA01607 for ; Wed, 26 Jan 2000 15:48:57 -0500 (EST) Received: from [18.177.0.98] (WINGNUT.MIT.EDU [18.177.0.98]) by melbourne-city-street.MIT.EDU (8.9.3/8.9.2) with ESMTP id PAA21551 for ; Wed, 26 Jan 2000 15:48:51 -0500 (EST) Mime-Version: 1.0 X-Sender: bobmah@po12.mit.edu Message-Id: Date: Wed, 26 Jan 2000 15:48:26 -0500 To: ietf-calendar@imc.org From: Bob Mahoney Subject: W-19 CAP Group Definitions - corrections to yesterday's work Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: Updates and corrections to yesterday's Group proposal (Throw away yesterday's mail). Commentary is in []'s. -------------------------------- (CAP section "Definitions") User Group (UG) A collection of Calendar Users and/or User Groups. These groups are expanded by the CS and may reside either locally or in an external database or directory. The group membership may be fixed or dynamic over time. Calendar (C) Calendar Collection (CC) A collection of Calendars, Resource Calendars, and/or other Calendar Collections. These collections are expanded by the CS and may reside either locally or in an external database or directory. The calendars in the collection may be fixed or dynamic over time. Resource Calendar (RC) A non-human Calendar, associated with an organizational resource. There is no syntactic difference between an RC and a Calendar. (Global modification for UPN definition) Change " CU" to "CU or UG"; Change "user@example.com" to "user@example.com or group@example.com" (CAP section "User Group") A User Group is used to represent a collection of CUs or other UGs that can be referenced in VCARS. A UG is represented in CAP as a UPN. The CUA cannot distinguish between CUs and UGs. UGs are expanded as necessary by the CS. The CS MUST accept a CUA request for UG expansion, although the CS may be configured to restrict some responses. The CS MAY expand a UG (including nested UGs) to obtain a list of unique CUs. Duplicate UPNs are filtered during expansion. Incomplete expansion should be treated as a failure. [ Editor's Note: We need to explore the issue and impact of directory permissions and precedence.] The CS SHOULD not preserve UG expansions across operations. A UG may reference a static list of members, or it may represent a dynamic list. Each operation SHOULD generate its own expansion in order to recognize changes to UG membership. However, during fan out to other CSs, the originating CS SHOULD expand all UGs so that the target CS receives only a list of unique CUs. This is to prevent confusion when two CSs do not share the same UG database or directory. [Editor's Note: Doug had an issue here relating to multiple CUs not having a common directory. We think the above text resolves this] CAP does not define commands or methods for managing UGs. Examples: Small UG - The Three Stooges. There is only and always three at any one time. Large UG - The MIT graduating class of 1999. This is a static list. Dynamic UG - The IETF membership, which is a large and changing list of members. Nested UG - The National Football League, made up of the AFC and NFC, which are made up of 3 divisions each... (CAP table "CAP Calendaring Commands") Add: Command Description EXPAND Return the members of the argument CSID. Successful result yields one or more Calendars and/or Resource Calendars. More than one C or RC returned implies that the CSID was a CC. LOOKUP Return the members of the argument UPN. Successful result yields one or more CSIDs. More than one CSID returned implies that the UPN was a UG. (CAP section "VCalendar Access Rights") Change: "Calendar User" to "CU or UG" (CAP section "Access Rights") Change: "Calendar User" to "CU or UG" Add: VCARS principals can be CU or UG UPNs. Whenever VCARs are evaluated, all referenced User Groups MUST be evaluated as an expanded list. UG expansion SHOULD NOT persist across operations. [Editor's Note: This is where we need to define precedence rules.] (CAP section "State Diagram") Add: While in the Identified state, allow EXPAND and LOOKUP commands. (CAP section "Capability Command") Add: Capability Occurs Description ------------------------------------------------------------------- MAXEXPANDLIST 0 or 1 An integer value that specifies the maximum number of UPNs that can be returned by the EXPAND Command. MAXLOOKUPLIST 0 or 1 An integer value that specifies the maximum number of CSIDs that can be returned by the LOOKUP Command. [Doug- this is structured to mirror the other entries in the Capabilities Section...] (CAP section "Transfer Protocol Commands") Add: EXPAND Command Arguments: CSID Data: data as described below Result: 2.0 Successful, and requested data follows 2.1 Permission Denied 2.2 Requested CSID not found 2.3 Result exceeds MAXEXPANDLIST 2.4 Misc. EXPAND error Example #1: Request lookup of CSID which is a Calendar Collection C: EXPAND cap://cal.example.com/calid14 S: 2.0 cap://cal.example.com/calid14 S: cap://cal.example.com/calid2 S: cap://cal.example.com/calid5 S: cap://cal.example.com/calid66 S: . Example #2: Request lookup of a CSID which is a Resource Calendar C: EXPAND cap://cal.example.com/conf5 S: 2.0 cap://cal.example.com/conf5 S: cap://cal.example.com/conf5 S: . Example #3: Request CSID which exceeds MAXEXPANDLIST C: EXPAND cap://cal.example.com/calid76 S: 2.0 cap://cal.example.com/calid76 S: cap://cal.example.com/calid3 S: cap://cal.example.com/calid12 S: cap://cal.example.com/calid21 S: cap://cal.example.com/calid33 S: 2.3 Expansion resulted in too much data S: . Example #4: CS loses contact with directory server during EXPAND C: EXPAND cap://cal.example.com/calid76 S: 2.0 cap://cal.example.com/calid76 S: cap://cal.example.com/calid3 S: cap://cal.example.com/calid5 S: 2.4 Lost contact with directory server S: . LOOKUP Command Arguments: UPN Data: data as described below Result: 2.0 Successful, and requested data follows 2.1 Permission Denied 2.2 Requested UPN not found 2.3 Result exceeds MAXLOOKUPLIST 2.4 Misc. LOOKUP error Example #1: Request lookup of a UPN which is a CU C: LOOKUP upn@example.com S: 2.0 upn@example.com S: cap://cal.example.com/calid3 S: . Example #2: Request lookup of UPN which is a UG C: LOOKUP group@example.com S: 2.0 group@example.com S: cap://cal.example.com/calid3 S: cap://cal.example.com/calid6 S: cap://cal.example.com/calid1342 S: . Example #3: Request lookup exceeds MAXLOOKUPLIST C: LOOKUP group@example.com S: 2.0 group@example.com S: cap://cal.example.com/calid3 S: cap://cal.example.com/calid12 S: cap://cal.example.com/calid21 S: cap://cal.example.com/calid33 S: 2.3 Lookup resulted in too much data S: . Example #4: CS loses contact with directory server during LOOKUP C: LOOKUP group@example.com S: 2.0 group@example.com S: cap://cal.example.com/calid3 S: cap://cal.example.com/calid5 S: 2.4 Lost contact with directory server S: . (CAP section "RIGHTS Value Type") Change: "The UPN rule part specifies the authenticated CU that the calendar access rights applies to." to "The UPN rule part specifies the CU or UG that the VCARs apply to. From owner-ietf-calendar@imc.org Wed Jan 26 16:32:27 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA11820 for ; Wed, 26 Jan 2000 16:32:25 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id MAA11823 for ietf-calendar-bks; Wed, 26 Jan 2000 12:49:43 -0800 (PST) Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id MAA11819 for ; Wed, 26 Jan 2000 12:49:42 -0800 (PST) Received: from GRAND-CENTRAL-STATION.MIT.EDU by MIT.EDU with SMTP id AA24233; Wed, 26 Jan 00 15:50:59 EST Received: from melbourne-city-street.MIT.EDU (MELBOURNE-CITY-STREET.MIT.EDU [18.69.0.45]) by grand-central-station.MIT.EDU (8.9.2/8.9.2) with ESMTP id PAA02404 for ; Wed, 26 Jan 2000 15:51:28 -0500 (EST) Received: from miles-davis (MILES-DAVIS.MIT.EDU [18.177.0.37]) by melbourne-city-street.MIT.EDU (8.9.3/8.9.2) with ESMTP id PAA22480 for ; Wed, 26 Jan 2000 15:51:28 -0500 (EST) Message-Id: <4.2.0.58.20000126153144.01aaf988@po12.mit.edu> X-Sender: pbh@po12.mit.edu (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Wed, 26 Jan 2000 15:47:46 -0500 To: ietf-calendar@imc.org From: "Paul B. Hill" Subject: revised UPN definition Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: Definitions section: User Principal Name (UPN) An identifier that denotes a unique CU. A UPN is an RFC 822 compliant email address and in most cases it is deliverable to the CU. In some cases it is identical to the CU's well known email address. A CU's UPN MUST never be deliverable to a different person. It consists of a realm in the form of a valid, and unique, DNS domain name and a unique username. In it's simplest form it looks like "user@example.com". ------------- Please let everyone know if you disagree or have concerns. Paul From owner-ietf-calendar@imc.org Wed Jan 26 16:44:22 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA12141 for ; Wed, 26 Jan 2000 16:44:17 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id MAA11951 for ietf-calendar-bks; Wed, 26 Jan 2000 12:55:22 -0800 (PST) Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id MAA11947 for ; Wed, 26 Jan 2000 12:55:18 -0800 (PST) Received: from GRAND-CENTRAL-STATION.MIT.EDU by MIT.EDU with SMTP id AA05340; Wed, 26 Jan 00 15:58:11 EST Received: from melbourne-city-street.MIT.EDU (MELBOURNE-CITY-STREET.MIT.EDU [18.69.0.45]) by grand-central-station.MIT.EDU (8.9.2/8.9.2) with ESMTP id PAA03947; Wed, 26 Jan 2000 15:57:03 -0500 (EST) Received: from [18.177.0.98] (WINGNUT.MIT.EDU [18.177.0.98]) by melbourne-city-street.MIT.EDU (8.9.3/8.9.2) with ESMTP id PAA24226; Wed, 26 Jan 2000 15:57:03 -0500 (EST) Mime-Version: 1.0 X-Sender: bobmah@po12.mit.edu Message-Id: In-Reply-To: <388F5BCF.CBB94BA2@home.royer.com> References: <388F33E2.99FF0F43@home.royer.com> <388F4BE0.30FBEA0B@home.royer.com> <388F5BCF.CBB94BA2@home.royer.com> Date: Wed, 26 Jan 2000 15:56:37 -0500 To: ietf-calendar@imc.org From: Bob Mahoney Subject: Re: W-19 CAP Group Definitions Cc: Bob Mahoney , ietf-calendar@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: > > > We want to add a new command called LOOKUP, which will accept a UPN, > > > and returns one or more CSIDs. More than one CSID returned implies > > > that the UPN was a UG. > >If my UPN is UPN-doug, and I own X different calendars, What would >you get back? One CSID for each calendar? > >Or are you saying that if 'LOOKUP UPN-doug' returns more than one CSID >then any reference to UPN-doug applies to ALL of those CSID's. This is addressed in the revised text we just sent. >What do you do with that information? Why is it needed? You have a UPN, and you need a CSID to schedule with, i.e., this is the ATTENDEE. Another example is that you have a group of users that I want to invite to an event, and you want the list to be static. (a snapshot of the current expansion of that UG) >Can you authenticate with a UG UPN? If not, when would you see them? No, but you want to see them for the reason above, as well as for VCARs. >If you can authenticate with a UG UPN, do your operations apply >to all CSID's that it expands to? If so, we are introducing transaction >problems and we have deferred that to CAP-. > >If the CS says you do not have permission to access that information, >what feature(s) do you loose? I can still VQUERY on the CSID's, I can >still authenticate as UPN-doug. I am not sure what LOOKUP does for >me other than allow a CUA to look at the list (what for?). > >If the CS (in previous email to this list) says that a UG can be >dynamicily altered and MUST NOT treat a UG as a static list. What >is to keep the LOOKUP results from being invalid the instant they >are returned? Nothing... >It looks to me that it allows a CUA to store a static >list? Which looks to me as if it also should not be allowed. So I >do not yet see a need for LOOKUP. We say that neither the CS nor the CUA should preserve UG expansions across operations. (Obviously some implementations will cache that expansion for a short period of time) -bob From owner-ietf-calendar@imc.org Wed Jan 26 17:36:58 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA12790 for ; Wed, 26 Jan 2000 17:36:57 -0500 (EST) Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id OAA13597 for ietf-calendar-bks; Wed, 26 Jan 2000 14:11:12 -0800 (PST) Received: from home.royer.com (adsl-63-195-80-50.dsl.snfc21.pacbell.net [63.195.80.50]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id OAA13593 for ; Wed, 26 Jan 2000 14:11:10 -0800 (PST) Received: from home.royer.com (home.royer.com [192.168.168.10]) by home.royer.com (8.9.1/8.9.1) with ESMTP id OAA19062; Wed, 26 Jan 2000 14:12:53 -0800 (PST) Message-ID: <388F715F.CC3837A1@home.royer.com> Date: Wed, 26 Jan 2000 14:12:47 -0800 From: Doug Royer Reply-To: ietf-calendar@imc.org X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.6 sun4m) X-Accept-Language: en MIME-Version: 1.0 To: Bob Mahoney , ietf-calendar@imc.org Subject: Re: W-19 CAP Group Definitions References: <388F33E2.99FF0F43@home.royer.com> <388F4BE0.30FBEA0B@home.royer.com> <388F5BCF.CBB94BA2@home.royer.com> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------msD3A30C1A961B81E85D65E2F9" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a cryptographically signed message in MIME format. --------------msD3A30C1A961B81E85D65E2F9 Content-Type: multipart/mixed; boundary="------------A1581B6836AB3EB23227406A" This is a multi-part message in MIME format. --------------A1581B6836AB3EB23227406A Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Bob Mahoney wrote: > > >What do you do with that information? Why is it needed? > > You have a UPN, and you need a CSID to schedule with, i.e., this is > the ATTENDEE. Another example is that you have a group of users that > I want to invite to an event, and you want the list to be static. (a > snapshot of the current expansion of that UG) I can see its usage as long as you can not schedule to a group name. If you could then as people get added and deleted from the group name then your original schedule request is bogus. As are (if you included the entire ATTENDEE list in the REQUEST) the other ATTENDEE coppies. I could see a flurry of updates to REQUEST if the list changes daily. So if the CUA via an EXPAND gets a list name, then shows the CU the list. And if only non-CG names are in the ATTENDEE list, I can see how a CUA might use the list to generate an original REQUEST. How would they update the component as members are added/deleted? What if someone move between group-a to group-b, then they reply that they will be attending - Is there a way for the CS or CUA to know that they should be un-invited? What if the CS policy is not to expand CG's. Can you still schedule? If so, how would you send out the REQUEST's? The CS NEEDS to know individuals (MAILTO) or individual calendars (CSID) only in the ATTENDEE property. There needs to be a 1:1 mapping in the ATTENDEE lists. so status information can be maintained. Otherwise the 1st user in the list to say 'no I will not attend' speaks for the entire group (CG). We MUST never allow a CG in an ATTENDEE list? As there would be no way to track who replied or what their ATTENDEE status was. How do you get that CG-UPN? It can not be in an ATTENDEE list. So you could not have gotten it from a PUBLISH or REQUEST. Were did it come from? Is it external to CAP (As in you just know via email or something)? I can see how a CG-UPN could be in a VCAR for dynamic expansion of permissions. But how does it get specified? I could pass down one with a VCAR/create, but how did I know the name in order to specify it? You can send email to a list expander, not the same problem. You could send components to a CG, but not schedule with a CG - correct? --------------A1581B6836AB3EB23227406A Content-Type: text/x-vcard; charset=us-ascii; name="doug.vcf" Content-Description: Card for Doug Royer Content-Disposition: attachment; filename="doug.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Royer;Doug tel;pager:650-274-8960 or pager@Royer.com tel;cell:650-274-8960 tel;home:650-274-8960 tel;work:805-957-1790 x541 x-mozilla-html:FALSE url:http://Royer.com/People/Doug version:2.1 email;internet:doug@home.royer.com adr;quoted-printable:;;801 Woodside Rd. #14=0D=0ASuite 244;Redwood City;CA;94061;USA x-mozilla-cpt:;0 fn:Doug Royer end:vcard --------------A1581B6836AB3EB23227406A-- --------------msD3A30C1A961B81E85D65E2F9 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature Content-Transfer-Encoding: base64 MIIKpAYJKoZIhvcNAQcCoIIKlTCCCpECAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC CDAwggT6MIIEY6ADAgECAhAV9nEqnM8b86AlSm7V1bgJMA0GCSqGSIb3DQEBBAUAMIHMMRcw FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29y azFGMEQGA1UECxM9d3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L1JQQSBJbmNvcnAuIEJ5 IFJlZi4sTElBQi5MVEQoYyk5ODFIMEYGA1UEAxM/VmVyaVNpZ24gQ2xhc3MgMSBDQSBJbmRp dmlkdWFsIFN1YnNjcmliZXItUGVyc29uYSBOb3QgVmFsaWRhdGVkMB4XDTk5MTAyMDAwMDAw MFoXDTAwMTAxOTIzNTk1OVowggEVMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UE CxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazFGMEQGA1UECxM9d3d3LnZlcmlzaWduLmNvbS9y ZXBvc2l0b3J5L1JQQSBJbmNvcnAuIGJ5IFJlZi4sTElBQi5MVEQoYyk5ODEeMBwGA1UECxMV UGVyc29uYSBOb3QgVmFsaWRhdGVkMTMwMQYDVQQLEypEaWdpdGFsIElEIENsYXNzIDEgLSBO ZXRzY2FwZSBGdWxsIFNlcnZpY2UxGDAWBgNVBAMUD0RvdWdsYXMgTSBSb3llcjEiMCAGCSqG SIb3DQEJARYTZG91Z0Bob21lLnJveWVyLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC gYEAv2PIWJY1kuOozvEfoLqMAefggITPljietkurVEhTBQZU/c2q2c8qCQiIFZ2dP3H/MoEx bVVDmtXsyZrRINk1aWC4yo/dT/3tB3eD41F0KMIpBexD8zN9SfPxzkjaEl/7zD8F6ekERmCU 9irA0zAOF7msHNnxa/InBnZ5f95Y75kCAwEAAaOCAY8wggGLMAkGA1UdEwQCMAAwgawGA1Ud IASBpDCBoTCBngYLYIZIAYb4RQEHAQEwgY4wKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZl cmlzaWduLmNvbS9DUFMwYgYIKwYBBQUHAgIwVjAVFg5WZXJpU2lnbiwgSW5jLjADAgEBGj1W ZXJpU2lnbidzIENQUyBpbmNvcnAuIGJ5IHJlZmVyZW5jZSBsaWFiLiBsdGQuIChjKTk3IFZl cmlTaWduMBEGCWCGSAGG+EIBAQQEAwIHgDCBhgYKYIZIAYb4RQEGAwR4FnZkNDY1MmJkNjNm MjA0NzAyOTI5ODc2M2M5ZDJmMjc1MDY5YzczNTliZWQxYjA1OWRhNzViYzRiYzk3MDE3NDdk YTVkM2YyMTQxYmVhZGIyYmQyZTg5MjFmYTk2YmY1ZDcxMTQ5OWNhM2JlNDdmNWYzZWE0NTBj MDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL2NsYXNzMS5jcmww DQYJKoZIhvcNAQEEBQADgYEAWuXwK5FbAAU1urGBob5PPRQiCOUeWNQIkDr2F0WECiYnJfeG iawEVMS1PxsIe6BJ9MDxOvz0XyQhNsAXbv/hf0vhy398cd5ICKTpMMeyEEVX6IEVgXcpcyJf N7HKbfQZgRngT3uh/IXSObtFt+cC03VTG12Dic6EfyWihGAmeb0wggMuMIICl6ADAgECAhEA 0nYujRQMPX2yqCVdr+4NdTANBgkqhkiG9w0BAQIFADBfMQswCQYDVQQGEwJVUzEXMBUGA1UE ChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGljIFByaW1hcnkgQ2Vy dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTgwNTEyMDAwMDAwWhcNMDgwNTEyMjM1OTU5WjCB zDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5l dHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9yeS9SUEEgSW5jb3Jw LiBCeSBSZWYuLExJQUIuTFREKGMpOTgxSDBGBgNVBAMTP1ZlcmlTaWduIENsYXNzIDEgQ0Eg SW5kaXZpZHVhbCBTdWJzY3JpYmVyLVBlcnNvbmEgTm90IFZhbGlkYXRlZDCBnzANBgkqhkiG 9w0BAQEFAAOBjQAwgYkCgYEAu1pEigQWu1X9A3qKLZRPFXg2uA1Ksm+cVL+86HcqnbnwaLuV 2TFBcHqBS7lIE1YtxwjhhEKrwKKSq0RcqkLwgg4C6S/7wju7vsknCl22sDZCM7VuVIhPh0q/ Gdr5FegPh7Yc48zGmo5/aiSS4/zgZbqnsX7vyds3ashKyAkG5JkCAwEAAaN8MHowEQYJYIZI AYb4QgEBBAQDAgEGMEcGA1UdIARAMD4wPAYLYIZIAYb4RQEHAQEwLTArBggrBgEFBQcCARYf d3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L1JQQTAPBgNVHRMECDAGAQH/AgEAMAsGA1Ud DwQEAwIBBjANBgkqhkiG9w0BAQIFAAOBgQCIuDc73dqUNwCtqp/hgQFxHpJqbS/28Z3TymQ4 3BuYDAeGW4UVag+5SYWklfEXfWe0fy0s3ZpCnsM+tI6q5QsG3vJWKvozx74Z11NMw73I4xe1 pElCY+zCphcPXVgaSTyQXFWjZSAA/Rgg5V+CprGoksVYasGNAzzrw80FopCubjGCAjwwggI4 AgEBMIHhMIHMMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24g VHJ1c3QgTmV0d29yazFGMEQGA1UECxM9d3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L1JQ QSBJbmNvcnAuIEJ5IFJlZi4sTElBQi5MVEQoYyk5ODFIMEYGA1UEAxM/VmVyaVNpZ24gQ2xh c3MgMSBDQSBJbmRpdmlkdWFsIFN1YnNjcmliZXItUGVyc29uYSBOb3QgVmFsaWRhdGVkAhAV 9nEqnM8b86AlSm7V1bgJMAkGBSsOAwIaBQCggbEwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEH ATAcBgkqhkiG9w0BCQUxDxcNMDAwMTI2MjIxMjQ4WjAjBgkqhkiG9w0BCQQxFgQURe7rvXJY /1KK77tPVWyztrqO7JMwUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0DBzAOBggqhkiG9w0D AgICAIAwBwYFKw4DAgcwDQYIKoZIhvcNAwICAUAwDQYIKoZIhvcNAwICASgwDQYJKoZIhvcN AQEBBQAEgYBJS8bjo+lQChvxe8HzVxx90dC4PW1S/lVQEmGoYSIkqcPDGe2PFdIMjPIapocE 3qYwH9CJ7ijN3s1lGqlGi2Cu9Hs6uel6Dz/Vrf6QWPXoCtiyKBJDEOJ6Ib6UgTyMdXDXsT0K dDzrPrF3qIKcbwDlgyyOwwxqnxgPiNg/93c3Kg== --------------msD3A30C1A961B81E85D65E2F9-- From owner-ietf-calendar@imc.org Thu Jan 27 11:42:47 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA09396 for ; Thu, 27 Jan 2000 11:42:45 -0500 (EST) Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id IAA22822 for ietf-calendar-bks; Thu, 27 Jan 2000 08:00:53 -0800 (PST) Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id IAA22817 for ; Thu, 27 Jan 2000 08:00:51 -0800 (PST) Received: from GRAND-CENTRAL-STATION.MIT.EDU by MIT.EDU with SMTP id AA11928; Thu, 27 Jan 00 11:03:48 EST Received: from melbourne-city-street.MIT.EDU (MELBOURNE-CITY-STREET.MIT.EDU [18.69.0.45]) by grand-central-station.MIT.EDU (8.9.2/8.9.2) with ESMTP id LAA19324 for ; Thu, 27 Jan 2000 11:02:40 -0500 (EST) Received: from miles-davis (MUCKLEY-FOURTEEN.MIT.EDU [18.172.5.14]) by melbourne-city-street.MIT.EDU (8.9.3/8.9.2) with ESMTP id LAA18715 for ; Thu, 27 Jan 2000 11:02:38 -0500 (EST) Message-Id: <4.2.0.58.20000127105755.06ec4130@po12.mit.edu> X-Sender: pbh@po12.mit.edu (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Thu, 27 Jan 2000 10:59:19 -0500 To: ietf-calendar@imc.org From: "Paul B. Hill" Subject: revised security section Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1"; format=flowed Content-Transfer-Encoding: 8bit Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: Content-Transfer-Encoding: 8bit Hi, Rich, Dave, Bob and I thought that we sent this out on Wednesday afternoon but it never made it to the list :( --- Suggested replacements to existing sections: 2.4, 2.5, 2.7, 6.0. These changes create sections: 2.4 Security Model 2.4.1 Authentication, Credentials, and Identity 2.4.2 Calendar User and UPNs 2.4.2.1 UPNs and Certificates 2.4.2.2 Anonymous Users and Authentication 2.4.3 User Groups 2.4.4 Access Rights 2.4.4.1 VCalendar Access Right (VCAR) 2.4.4.2 Enforced VCARs 2.4.4.3 Inheritance 2.4.4.4 Policies This text will later be followed by new text for the AUTHENTICATE command. And even later more text of calendar addresses, including stuff on mapping UPNs to CSIDs, Calendar Collections, and Resource Calendars. Paul ---------------------------------- 2.4 Security Model Authentication to the CS will be performed using SASL [RFC2222]. As noted in the CAP system model section, a variety of connectivity scenarios are possible. This complicates the security model considerably, and a thorough familiarity with the concepts is required to ensure interoperability. Basic threats to a Calendaring and Scheduling System include: (1) Unauthorized access to data via data-fetching operations, (2) Unauthorized access to reusable client authentication information by monitoring others' access, (3) Unauthorized access to data by monitoring others' access, (4) Unauthorized modification of data, (5) Unauthorized or excessive use of resources (denial of service), and (6) Spoofing of CS: Tricking a client into believing that information came from the CS when in fact it did not, either by modifying data in transit or misdirecting the client's connection. Threats (1), (4), (5) and (6) are due to hostile clients. Threats (2), and (3) are due to hostile agents on the path between client and server, or posing as a server. CAP can be protected with the following security mechanisms: (1) Client authentication by means of the SASL [RFC2222] mechanism set, possibly backed by the TLS credentials exchange mechanism, (2) Client authorization by means of access control based on the requestor's authenticated identity, (3) Data integrity protection by means of the TLS protocol or data-integrity SASL mechanisms, (4) Protection against snooping by means of the TLS protocol or data-encrypting SASL mechanisms, (5) Resource limitation by means of administrative limits on service controls, and (6) Server authentication by means of the TLS protocol or SASL mechanism. Imposition of access controls (authorizations) is done by means of VCARs, an overview is provided in section 2.4.4.1, and a detailed syntax is provided in section 14.5. Authentication is explained in detail in section 7.1.3. 2.4.1 Authentication, Credentials, and Identity Generically, authentication credentials are the evidence supplied by one party to another, asserting the identity of the supplying party (e.g. a user) who is attempting to establish an association with the other party (typically a server). Authentication is the process of generating, transmitting, and verifying these credentials and thus the identity they assert. An authentication identity is the name presented in a credential. There are many forms of authentication credentials. The form used depends upon the particular authentication mechanism negotiated by the parties. For example: X.509 certificates, Kerberos tickets, simple identity and password pairs. Note that an authentication mechanism may constrain the form of authentication identities used with it. SASL only provides a protocol to negotiate a mutually acceptable authentication mechanism. SASL itself does not constrain or dictate the form of the authentication identities used to perform the authentication. 2.4.2 Calendar User and UPNs A Calendar User(CU) is an entity that can be authenticated. It is represented in CAP as a UPN. A UPN is the owner of a calendar and the subject of access rights. The UPN representation is independent of the authentication mechanism used during a particular CUA/CS interaction. This is because UPNs are used within VCARs. If the UPN were dependant on the authentication mechanism, a VCAR could not be consistently evaluated. A CU may use one mechanism while using one CUA but the same CU may use a different authentication mechanism when using a different CUA, or while connecting from a different location. The user may also have multiple UPNs for various purposes. Note that the immutability of the user's UPN may be achieved by using SASL's authorization identity feature. (The transmitted authorization identity may be different than the identity in the client's authentication credentials.) [RFC2222, section 3] This also permits a CU to authenticate using their own credentials, yet request the access privileges of the identity for which they are proxying [RFC2222]. Also, the form of authentication identity supplied by a service like TLS may not correspond to the UPNs used to express a server's access control policy, requiring a server-specific mapping to be done. The method by which a server composes and validates an authorization identity from the authentication credentials supplied by a client is implementation-specific. The authorization identity feature SHOULD not be used to provide an alternate mechanism to implement the ACTONBEHALFOF policy, that is described in section 2.4.4.3[ editor check before final cut]. For Calendaring and Scheduling Systems that are integrated with a directory system, the CS MUST support the ability to configure which schema attribute stores the UPN. The CS MAY allow one or more attributes to be searched for the UPN. 2.4.2.1 UPNs and Certificates When using X.509 certificates for purposes of CAP authentication, the UPN should appear in the certificate. Unfortunately there is no single correct guideline for which field should contain the UPN. From RFC-2459, section 4.1.2.6 (Subject): If subject naming information is present only in the subjectAltName extension (e.g., a key bound only to an email address or URI), then the subject name MUST be an empty sequence and the subjectAltName extension MUST be critical. Implementations of this specification MAY use these comparison rules to process unfamiliar attribute types (i.e., for name chaining). This allows implementations to process certificates with unfamiliar attributes in the subject name. In addition, legacy implementations exist where an RFC 822 name is embedded in the subject distinguished name as an EmailAddress attribute. The attribute value for EmailAddress is of type IA5String to permit inclusion of the character '@', which is not part of the PrintableString character set. EmailAddress attribute values are not case sensitive (e.g., "fanfeedback@redsox.com" is the same as "FANFEEDBACK@REDSOX.COM"). Conforming implementations generating new certificates with electronic mail addresses MUST use the rfc822Name in the subject alternative name field (see sec. 4.2.1.7 [of RFC 2459]) to describe such identities. Simultaneous inclusion of the EmailAddress attribute in the subject distinguished name to support legacy implementations is deprecated but permitted. Since no single method of including the UPN in the certificate will work in all cases, CAP implementations MUST support the ability to configure what the mapping will be by the CS administrator. Implementations MAY support multiple mapping definitions, for example, the UPN may be found in either the subject alternative name field, or the UPN may be embedded in the subject distinguished name as an EmailAddress attribute. Note: If a CS or CUA is validating data received via iMIP, if the "ORGANIZER" or "ATTENDEE" property said (e.g.) "ATTENDEE;CN=Joe Random User:juser@example.com" then the email address should be checked against the UPN, and the CN should also be checked. This is so the "ATTENDEE" property couldn't be munged to something misleading like "ATTENDEE;CN=Joe Rictus User:juser@example.com" and have it pass validation. This validation will also defeat other attempts at confusion. 2.4.2.2 Anonymous Users and Authentication Anonymous access is often desirable. For example an organization may publish calendar information that does not require any access control for viewing or login. Conversely, a user may wish to view unrestricted calendar information without revealing their identity. For anonymous access the UPN that MUST be used by the CUA is "@", a UPN with a null username and null realm. A UPN with a null username, but non-null realm, such as "@foo.com" may be used to mean any identity from that realm, which is useful to grant access rights to all users in a given realm. A UPN with a non-null username and null realm, such as "bob@" could be a security risk and MUST not be used. For detailed syntax information on anonymous authentication please refer to the AUTHENTICATE command in section 7.1.3. 2.4.3 User Groups A User Group is used to represent a collection of CUs or other UGs that can be referenced in VCARS. A UG is represented in CAP as a UPN. The CUA cannot distinguish between CUs and UGs. UGs are expanded as necessary by the CS. The CS MUST accept a CUA request for UG expansion, although the CS may be configured to restrict some responses. The CS MAY expand a UG (including nested UGs) to obtain a list of unique CUs. Duplicate UPNs are filtered during expansion. Incomplete expansion should be treated as a failure. [ Editor's Note: We need to explore the issue and impact of directory permissions and precedence.] The CS SHOULD not preserve UG expansions across operations. A UG may reference a static list of members, or it may represent a dynamic list. Each operation SHOULD generate its own expansion in order to recognize changes to UG membership. However, during fan out to other CSs, the originating CS SHOULD expand all UGs so that the target CS receives only a list of unique CUs. This is to prevent confusion when two CSs do not share the same UG database or directory. [Editor's Note: Doug had an issue here relating to multiple CUs not having a common directory. We think the above text resolves this] CAP does not define commands or methods for managing UGs. Examples: Small UG - The Three Stooges. There is only and always three at any one time. Large UG - The MIT graduating class of 1999. This is a static list. Dynamic UG - The IETF membership, which is a large and changing list of members. Nested UG - The National Football League, made up of the AFC and NFC, which are made up of 3 divisions each... 2.4.4 Access Rights In simple terms, access rights are used to grant or deny access to a calendar for a CU. CAP defines a new component type called a VCalendar Access Right (VCAR). Specifically, a VCAR grants, or denies, UPNs the right to read and write components, properties, and parameters on calendars within a CS. The VCAR model does not put any restriction on the sequence in which the object and access rights are created. That is, an event associated with a particular VCAR might be created before or after the actual VCAR is defined. In addition, the VCAR and VEVENT definition might be created in the same iCalendar object and passed together in a single command. All rights MUST be denied unless specifically granted; individual VCARs MUST be specifically granted to an authenticated CU. 2.4.4.1 VCalendar Access Right (VCAR) Access rights within CAP are specified with the "VCAR" calendar component, "RIGHTS" value type and the "GRANT", "DENY" and "CARID" component properties. Properties within an iCalendar object are unordered. This also is the case for the "GRANT", "DENY" and "CARID" properties. Likewise, there is no implied ordering required for components of a "RIGHTS" value type other than that specified by the ABNF. [ editor's note, this requires a lot of review. We think that this paragraph may be incorrect. ] For details on the VCAR syntax please see section 14.4 2.4.4.2 Enforced VCARs [ editor's note: new concept. This will also require some syntax modification 14.4] A CS MAY choose to allow forced VCARs on all calendars. This is not the same as inheritance. 2.4.4.3 Inheritance Calendars inherit VCARs from their parent. VCARs specified in a calendar or a sub-calendar override all inherited VCARs. 2.4.4.4 Policies Calendar access policies are individual sets of well-defined VCARs that can be referenced by their policy name. CAP specifies some standard POLICIES that are necessary for interoperability between CS and CUA implementations. The POLICY rule part of a VCAR is used to specify these policies. For details on the VCAR syntax please see section 14.4 NOTE: Possible calendar access policy that may be standardized by CAP include: - READBUSYTIMEINFO - Specifies rights for reading busy time data. - ACTONBEHALFOF - Specifies rights for any CAP function taken on PUBLIC or PRIVATE calendar components. However, no CAP function can be taken on CONFIDENTIAL classified calendar components. - REQUESTONLY - Specifies rights for creating new event invitations, to-do assignments and journal entries. - UPDATEPARTSTATUS - Specifies rights for modifying ones own participation status. - OWNER - Specifies the same rights given to the owner of the calendar store or calendar. From owner-ietf-calendar@imc.org Thu Jan 27 11:47:10 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA09471 for ; Thu, 27 Jan 2000 11:47:08 -0500 (EST) Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id IAA23320 for ietf-calendar-bks; Thu, 27 Jan 2000 08:18:57 -0800 (PST) Received: from arista.iris.com (arista.iris.com [198.112.211.22]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA23316 for ; Thu, 27 Jan 2000 08:18:52 -0800 (PST) From: Bruce_Kahn@iris.com Importance: High X-Priority: 1 (High) To: Bob Mahoney Cc: Frank_Dawson@lotus.com, ietf-calendar@imc.org Subject: Re: W-19 CAP Group Definitions X-Mailer: Lotus Notes Release 5.0.2 November 4, 1999 Message-ID: Date: Thu, 27 Jan 2000 11:20:43 -0500 X-MIMETrack: S/MIME Sign by Notes Client on Bruce Kahn/Iris(Release 5.0.2 |November 4, 1999) at 01/27/2000 11:20:24 AM, Serialize by Notes Client on Bruce Kahn/Iris(Release 5.0.2 |November 4, 1999) at 01/27/2000 11:20:24 AM, Serialize complete at 01/27/2000 11:20:24 AM, Itemize by Notes Client on Bruce Kahn/Iris(Release 5.0.2 |November 4, 1999) at 01/27/2000 11:20:24 AM, S/MIME Sign complete at 01/27/2000 11:20:24 AM, Serialize by Router on Arista/Iris(Release 5.0.2b |December 16, 1999) at 01/27/2000 11:21:29 AM, Serialize complete at 01/27/2000 11:21:29 AM MIME-Version: 1.0 Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary=-------z01886_boundary_sign Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is an S/MIME signed message. ---------z01886_boundary_sign Content-Type: multipart/alternative; boundary="=_alternative 0059C23C85256873_=" This is a multipart message in MIME format. --=_alternative 0059C23C85256873_= Content-Type: text/plain; charset="us-ascii" Bob wrote: >We need to start carefully distinguishing between calendars and >users. ATTENDEEs are calendars, and should be referred to by CSIDs. You need to be careful about using CSID vs CalID in your texts. Calendar Stores are identified by CSIDs. Calendars are identified by CalIDs. Just because a Fully Qualified CalID contains a CSID, they are NOT interchangable; Relative CalIDs do not contain any CSID info. Bruce =========================================================================== Bruce Kahn INet: Bruce_Kahn@iris.com Iris Associates Phone: 978.392.5335 Westford, MA, USA 01886 FAX: and nothing but the FAX... Standard disclaimers apply, even where prohibited by law... --=_alternative 0059C23C85256873_= Content-Type: text/html; charset="us-ascii"
Bob wrote:
>We need to start carefully distinguishing between calendars and
>users. ATTENDEEs are calendars, and should be referred to by CSIDs.

You need to be careful about using CSID vs CalID in your texts. Calendar Stores are identified by CSIDs. Calendars are identified by CalIDs. Just because a Fully Qualified CalID contains a CSID, they are NOT interchangable; Relative CalIDs do not contain any CSID info.

Bruce
===========================================================================
Bruce Kahn INet: Bruce_Kahn@iris.com
Iris Associates Phone: 978.392.5335
Westford, MA, USA 01886 FAX: and nothing but the FAX...
Standard disclaimers apply, even where prohibited by law... --=_alternative 0059C23C85256873_=-- ---------z01886_boundary_sign Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAA oIAwggHZMIIBg6ADAgECAiBgUF6eflpWh6h9PfgYD7sAlMCM8enGl8RXOcIo9uhg ezANBgkqhkiG9w0BAQQFADBGMQswCQYDVQQGEwJVUzENMAsGA1UECBMETUFTUzEN MAsGA1UEChMESXJpczEZMBcGA1UEAxMQSXJpcyBJbnRlcm5ldCBDQTAeFw05OTEx MTcxOTEzMjdaFw0wMTExMTYxOTEyNTNaMEgxDTALBgNVBAoTBElyaXMxEzARBgNV BAMTCkJydWNlIEthaG4xIjAgBgkqhkiG9w0BCQEWE0JydWNlX0thaG5AaXJpcy5j b20wWzANBgkqhkiG9w0BAQEFAANKADBHAkEA495S/vcTouExtWuNrF33Q28Lcjjk 4lj2W6ERZ3MhEBR5vHL3wTaXoRWVhPeoDaUcCc54oig8YQlC/hwSp3YF4QICQlGj PDA6MBEGA1UdDgQKBAhG2i3x0db2dzAPBgNVHQ8BAf8EBQMDB7AAMBQGC2CGSAGG +A4CAgMCBAUDAweAADANBgkqhkiG9w0BAQQFAANBAJnY7BPUuh9G4grcCnmNPlMH JsE0/KULlvaqMab5uWQd0nFkZg64TIWwlYMLrwKqzenyrEkVF4QO6yjiShaej/Aw ggF+MIIBKKADAgECAgQ2PhKnMA0GCSqGSIb3DQEBBAUAMEYxCzAJBgNVBAYTAlVT MQ0wCwYDVQQIEwRNQVNTMQ0wCwYDVQQKEwRJcmlzMRkwFwYDVQQDExBJcmlzIElu dGVybmV0IENBMB4XDTk4MTEwMjA4MTQwMFoXDTA4MTAzMDA4MTQwMFowRjELMAkG A1UEBhMCVVMxDTALBgNVBAgTBE1BU1MxDTALBgNVBAoTBElyaXMxGTAXBgNVBAMT EElyaXMgSW50ZXJuZXQgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAw+BjK0cg xCxC13brFzl7eB4j2cat+s6ZSd2flxlTuJGg1dtyQHwKYRsDODiEpqUC5oI5yBLD j5LDYXUEwBm4YQIDAQABMA0GCSqGSIb3DQEBBAUAA0EASQ/WFnGO4okdcxMtJrwz cO3Ltq2HlXm3akcNDZ0cltVk60oXJyKq+LVXR/Twj+ZI/Zsr5qfhb5JALi7C+/wi ngAAMYAwggF5AgEBMGowRjELMAkGA1UEBhMCVVMxDTALBgNVBAgTBE1BU1MxDTAL BgNVBAoTBElyaXMxGTAXBgNVBAMTEElyaXMgSW50ZXJuZXQgQ0ECIGBQXp5+WlaH qH09+BgPuwCUwIzx6caXxFc5wij26GB7MAkGBSsOAwIaBQCggaswGAYJKoZIhvcN AQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDAwMTI3MTYyMDI0WjAj BgkqhkiG9w0BCQQxFgQU1rC9DY3ZVb6vLfPX731lq8DyQ9MwTAYJKoZIhvcNAQkP MT8wPTAHBgUrDgMCHTAOBggqhkiG9w0DAgICAIAwCgYIKoZIhvcNAwcwBwYFKw4D AgcwDQYIKoZIhvcNAwICASgwDQYJKoZIhvcNAQEBBQAEQKh+7MVv9U47f/JI/ryj H+q2Zr88wD4ueipsZ7HVBwKFKOqzu/jgBJB4FZ65fqScogK0ldIxxemrt1Mw6hCF VFgAAAAAAAAAAA== ---------z01886_boundary_sign-- From owner-ietf-calendar@imc.org Thu Jan 27 12:33:55 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA10352 for ; Thu, 27 Jan 2000 12:33:54 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id IAA23910 for ietf-calendar-bks; Thu, 27 Jan 2000 08:59:57 -0800 (PST) Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id IAA23906 for ; Thu, 27 Jan 2000 08:59:55 -0800 (PST) Received: from GRAND-CENTRAL-STATION.MIT.EDU by MIT.EDU with SMTP id AA03021; Thu, 27 Jan 00 12:02:46 EST Received: from melbourne-city-street.MIT.EDU (MELBOURNE-CITY-STREET.MIT.EDU [18.69.0.45]) by grand-central-station.MIT.EDU (8.9.2/8.9.2) with ESMTP id LAA05728; Thu, 27 Jan 2000 11:56:17 -0500 (EST) Received: from [18.177.0.98] (WINGNUT.MIT.EDU [18.177.0.98]) by melbourne-city-street.MIT.EDU (8.9.3/8.9.2) with ESMTP id LAA07129; Thu, 27 Jan 2000 11:56:17 -0500 (EST) Mime-Version: 1.0 X-Sender: bobmah@po12.mit.edu Message-Id: In-Reply-To: References: Date: Thu, 27 Jan 2000 11:55:54 -0500 To: From: Bob Mahoney Subject: Re: W-19 CAP Group Definitions Cc: Bob Mahoney , Frank_Dawson@lotus.com, ietf-calendar@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: >You need to be careful about using CSID vs CalID in your texts. > Calendar Stores are identified by CSIDs. Calendars are identified >by CalIDs. Just because a Fully Qualified CalID contains a CSID, >they are NOT interchangable; Relative CalIDs do not contain any CSID >info. :-) We spent a *while* yesterday trying to fix little inconsistencies like this... (we had, for example, used "group" several hundred times, and very often incorrectly) I hope everyone continues to find problematic language or misuse of terms- frequently those folks most familiar with the drafts miss these gotchas, because they understand what was *intended*, even when it was stated poorly. -Bob From owner-ietf-calendar@imc.org Thu Jan 27 13:38:10 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA11653 for ; Thu, 27 Jan 2000 13:38:09 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id KAA25468 for ietf-calendar-bks; Thu, 27 Jan 2000 10:11:04 -0800 (PST) Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id KAA25461 for ; Thu, 27 Jan 2000 10:11:01 -0800 (PST) Received: from GRAND-CENTRAL-STATION.MIT.EDU by MIT.EDU with SMTP id AA13845; Thu, 27 Jan 00 13:12:21 EST Received: from melbourne-city-street.MIT.EDU (MELBOURNE-CITY-STREET.MIT.EDU [18.69.0.45]) by grand-central-station.MIT.EDU (8.9.2/8.9.2) with ESMTP id NAA25878 for ; Thu, 27 Jan 2000 13:12:51 -0500 (EST) Received: from miles-davis (MUCKLEY-FOURTEEN.MIT.EDU [18.172.5.14]) by melbourne-city-street.MIT.EDU (8.9.3/8.9.2) with ESMTP id NAA29693 for ; Thu, 27 Jan 2000 13:12:51 -0500 (EST) Message-Id: <4.2.0.58.20000127130402.01a48e90@po12.mit.edu> X-Sender: pbh@po12.mit.edu (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Thu, 27 Jan 2000 13:09:32 -0500 To: ietf-calendar@imc.org From: "Paul B. Hill" Subject: CAP Roles? Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: Hi, The CAP draft has the following section of text: CAP defines methods for managing [RFC2445] objects on a Calendar Store and exchanging [RFC2445] objects for the purposes of group calendaring and scheduling between "Calendar Users" (CUs). There are two distinct roles taken on by CUs in CAP. The CU who creates an initial event or to-do and invites other CUs as attendees takes on the role of "Organizer". The CUs asked to participate in the group event or to-do take on the role of "Attendee". Note that "role" is also a descriptive parameter to the "ATTENDEE" property. Its use is to convey descriptive context to an "Attendee" such as "chair", "REQ-PARTICIPANT" or NON- PARTICIPANT" and has nothing to do with the scheduling workflow. --------- Should the above text belong in CAP? As I recall, yesterday Richard convinced Dave, Bob, and I that it really belonged in an iCalendar extension document. Paul From owner-ietf-calendar@imc.org Thu Jan 27 13:42:36 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA11744 for ; Thu, 27 Jan 2000 13:42:34 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id KAA25505 for ietf-calendar-bks; Thu, 27 Jan 2000 10:12:09 -0800 (PST) Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id KAA25499 for ; Thu, 27 Jan 2000 10:12:07 -0800 (PST) Received: from GRAND-CENTRAL-STATION.MIT.EDU by MIT.EDU with SMTP id AA14274; Thu, 27 Jan 00 13:13:25 EST Received: from melbourne-city-street.MIT.EDU (MELBOURNE-CITY-STREET.MIT.EDU [18.69.0.45]) by grand-central-station.MIT.EDU (8.9.2/8.9.2) with ESMTP id NAA23905 for ; Thu, 27 Jan 2000 13:04:58 -0500 (EST) Received: from miles-davis (MUCKLEY-FOURTEEN.MIT.EDU [18.172.5.14]) by melbourne-city-street.MIT.EDU (8.9.3/8.9.2) with ESMTP id NAA27373 for ; Thu, 27 Jan 2000 13:04:56 -0500 (EST) Message-Id: <4.2.0.58.20000127121344.01a48e90@po12.mit.edu> X-Sender: pbh@po12.mit.edu (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Thu, 27 Jan 2000 13:01:37 -0500 To: ietf-calendar@imc.org From: "Paul B. Hill" Subject: further suggestion for section 2.4.2.1 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: Hi, Below are further suggested modifications to section 2.4.2.1 and section [TBD] for the syntactic details of anonymous authentication. 2.4.2.1 Anonymous Users and Authentication Anonymous access is often desirable. For example an organization may publish calendar information that does not require any access control for viewing or login. Conversely, a user may wish to view unrestricted calendar information without revealing their identity. For detailed syntax information on anonymous authentication please refer to the AUTHENTICATE command in section 7.1.3. [7.1.?.?] ATHENTICATE - ANONYMOUS RFC-2245 defines the Anonymous SASL mechanism. This RFC states that "the mechanism consists of a single message from the client to the server. The client sends optional trace information in the form of a human readable string. The trace information should take one of three forms: an Internet email address, an opaque string which does not contain the '@' character and can be interpreted by the system administrator of the client's domain, or nothing. For privacy reasons, an Internet email address should only be used with permission from the user. " RFC-2245 goes on to state, " A client which uses the user's correct email address as trace information without explicit permission may violate that user's privacy." Information about who accesses an anonymous CS on a sensitive subject (e.g., AA meeting times and locations) has strong privacy needs. "Clients should not send the email address without explicit permission of the user and should offer the option of supplying no trace token -- thus only exposing the source IP address and time. " Example of CUA using the Capability command followed by an anonymous authentication: C: CAPABILITY S: 2.0 S:CAPVERSION=1.0 S:AUTH=KERBEROS_V4 S:AUTH=DIGEST_MD5 S:AUTH=ANONYMOUS S:. C:AUTHENTICATE ANONYMOUS S:+ C:c21yaGM= S:2.0 Subsequent to the initial Anonymous Authentication with a CS, a CUA will have to provide a UPN for some CAP operations. For anonymous access the UPN that MUST be used by the CUA is "@", a UPN with a null username and null realm. A UPN with a null username, but non-null realm, such as "@example.com" may be used to mean any identity from that realm, which is useful to grant access rights to all users in a given realm. A UPN with a non-null username and null realm, such as "bob@" could MUST not be used. ---------------------- As always, please send questions, comments, or concerns to the list. Thanks. Paul From owner-ietf-calendar@imc.org Thu Jan 27 13:49:53 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA11893 for ; Thu, 27 Jan 2000 13:49:49 -0500 (EST) Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id KAA25481 for ietf-calendar-bks; Thu, 27 Jan 2000 10:11:51 -0800 (PST) Received: from home.royer.com (adsl-63-195-80-50.dsl.snfc21.pacbell.net [63.195.80.50]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA25477 for ; Thu, 27 Jan 2000 10:11:49 -0800 (PST) Received: from home.royer.com (home.royer.com [192.168.168.10]) by home.royer.com (8.9.1/8.9.1) with ESMTP id KAA20261 for ; Thu, 27 Jan 2000 10:13:39 -0800 (PST) Message-ID: <38908ACB.D86F9DFB@home.royer.com> Date: Thu, 27 Jan 2000 10:13:31 -0800 From: Doug Royer Reply-To: ietf-calendar@imc.org X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.6 sun4m) X-Accept-Language: en MIME-Version: 1.0 To: ietf-calendar@imc.org Subject: Re: VCAR unorderd (was: revised security section) References: <4.2.0.58.20000127105755.06ec4130@po12.mit.edu> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms924A9EAB3D5FD16C929E664E" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a cryptographically signed message in MIME format. --------------ms924A9EAB3D5FD16C929E664E Content-Type: multipart/mixed; boundary="------------82BB45D396EC2AAC5EDC5F4D" This is a multi-part message in MIME format. --------------82BB45D396EC2AAC5EDC5F4D Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit "Paul B. Hill" wrote: > Properties within an iCalendar object are unordered. This also is the > case for the "GRANT", "DENY" and "CARID" properties. Likewise, there > is no implied ordering required for components of a "RIGHTS" value type > other than that specified by the ABNF. [ editor's note, this requires a lot > of review. We think that this paragraph may be incorrect. ] This looks convenient: BEGIN:VCAR GRANT:UPN=all; DENY:UPN=IDoNotLikeYou@example.com; DENY:UPN...; ... END:VCAR and might be different than: BEGIN:VCAR DENY:UPN=IDoNotLikeYou@example.com; DENY:UPN...;rule-set-Alpha> ... GRANT:UPN=all; END:VCAR If we do not order them, how can we do this? I think we need to be able to do this. I don't think that we can specify process ordering (as in DENY then GRANT) as the example can be reversed: BEGIN:VCAR DENY:UPN=all; GRANT:UPN=IDoNotLikeYou@example.com; GRANT:UPN...; ... END:VCAR -Doug --------------82BB45D396EC2AAC5EDC5F4D Content-Type: text/x-vcard; charset=us-ascii; name="doug.vcf" Content-Description: Card for Doug Royer Content-Disposition: attachment; filename="doug.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Royer;Doug tel;pager:650-274-8960 or pager@Royer.com tel;cell:650-274-8960 tel;home:650-274-8960 tel;work:805-957-1790 x541 x-mozilla-html:FALSE url:http://Royer.com/People/Doug version:2.1 email;internet:doug@home.royer.com adr;quoted-printable:;;801 Woodside Rd. #14=0D=0ASuite 244;Redwood City;CA;94061;USA x-mozilla-cpt:;0 fn:Doug Royer end:vcard --------------82BB45D396EC2AAC5EDC5F4D-- --------------ms924A9EAB3D5FD16C929E664E Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature Content-Transfer-Encoding: base64 MIIKpAYJKoZIhvcNAQcCoIIKlTCCCpECAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC CDAwggT6MIIEY6ADAgECAhAV9nEqnM8b86AlSm7V1bgJMA0GCSqGSIb3DQEBBAUAMIHMMRcw FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29y azFGMEQGA1UECxM9d3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L1JQQSBJbmNvcnAuIEJ5 IFJlZi4sTElBQi5MVEQoYyk5ODFIMEYGA1UEAxM/VmVyaVNpZ24gQ2xhc3MgMSBDQSBJbmRp dmlkdWFsIFN1YnNjcmliZXItUGVyc29uYSBOb3QgVmFsaWRhdGVkMB4XDTk5MTAyMDAwMDAw MFoXDTAwMTAxOTIzNTk1OVowggEVMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UE CxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazFGMEQGA1UECxM9d3d3LnZlcmlzaWduLmNvbS9y ZXBvc2l0b3J5L1JQQSBJbmNvcnAuIGJ5IFJlZi4sTElBQi5MVEQoYyk5ODEeMBwGA1UECxMV UGVyc29uYSBOb3QgVmFsaWRhdGVkMTMwMQYDVQQLEypEaWdpdGFsIElEIENsYXNzIDEgLSBO ZXRzY2FwZSBGdWxsIFNlcnZpY2UxGDAWBgNVBAMUD0RvdWdsYXMgTSBSb3llcjEiMCAGCSqG SIb3DQEJARYTZG91Z0Bob21lLnJveWVyLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC gYEAv2PIWJY1kuOozvEfoLqMAefggITPljietkurVEhTBQZU/c2q2c8qCQiIFZ2dP3H/MoEx bVVDmtXsyZrRINk1aWC4yo/dT/3tB3eD41F0KMIpBexD8zN9SfPxzkjaEl/7zD8F6ekERmCU 9irA0zAOF7msHNnxa/InBnZ5f95Y75kCAwEAAaOCAY8wggGLMAkGA1UdEwQCMAAwgawGA1Ud IASBpDCBoTCBngYLYIZIAYb4RQEHAQEwgY4wKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZl cmlzaWduLmNvbS9DUFMwYgYIKwYBBQUHAgIwVjAVFg5WZXJpU2lnbiwgSW5jLjADAgEBGj1W ZXJpU2lnbidzIENQUyBpbmNvcnAuIGJ5IHJlZmVyZW5jZSBsaWFiLiBsdGQuIChjKTk3IFZl cmlTaWduMBEGCWCGSAGG+EIBAQQEAwIHgDCBhgYKYIZIAYb4RQEGAwR4FnZkNDY1MmJkNjNm MjA0NzAyOTI5ODc2M2M5ZDJmMjc1MDY5YzczNTliZWQxYjA1OWRhNzViYzRiYzk3MDE3NDdk YTVkM2YyMTQxYmVhZGIyYmQyZTg5MjFmYTk2YmY1ZDcxMTQ5OWNhM2JlNDdmNWYzZWE0NTBj MDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL2NsYXNzMS5jcmww DQYJKoZIhvcNAQEEBQADgYEAWuXwK5FbAAU1urGBob5PPRQiCOUeWNQIkDr2F0WECiYnJfeG iawEVMS1PxsIe6BJ9MDxOvz0XyQhNsAXbv/hf0vhy398cd5ICKTpMMeyEEVX6IEVgXcpcyJf N7HKbfQZgRngT3uh/IXSObtFt+cC03VTG12Dic6EfyWihGAmeb0wggMuMIICl6ADAgECAhEA 0nYujRQMPX2yqCVdr+4NdTANBgkqhkiG9w0BAQIFADBfMQswCQYDVQQGEwJVUzEXMBUGA1UE ChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGljIFByaW1hcnkgQ2Vy dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTgwNTEyMDAwMDAwWhcNMDgwNTEyMjM1OTU5WjCB zDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5l dHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9yeS9SUEEgSW5jb3Jw LiBCeSBSZWYuLExJQUIuTFREKGMpOTgxSDBGBgNVBAMTP1ZlcmlTaWduIENsYXNzIDEgQ0Eg SW5kaXZpZHVhbCBTdWJzY3JpYmVyLVBlcnNvbmEgTm90IFZhbGlkYXRlZDCBnzANBgkqhkiG 9w0BAQEFAAOBjQAwgYkCgYEAu1pEigQWu1X9A3qKLZRPFXg2uA1Ksm+cVL+86HcqnbnwaLuV 2TFBcHqBS7lIE1YtxwjhhEKrwKKSq0RcqkLwgg4C6S/7wju7vsknCl22sDZCM7VuVIhPh0q/ Gdr5FegPh7Yc48zGmo5/aiSS4/zgZbqnsX7vyds3ashKyAkG5JkCAwEAAaN8MHowEQYJYIZI AYb4QgEBBAQDAgEGMEcGA1UdIARAMD4wPAYLYIZIAYb4RQEHAQEwLTArBggrBgEFBQcCARYf d3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L1JQQTAPBgNVHRMECDAGAQH/AgEAMAsGA1Ud DwQEAwIBBjANBgkqhkiG9w0BAQIFAAOBgQCIuDc73dqUNwCtqp/hgQFxHpJqbS/28Z3TymQ4 3BuYDAeGW4UVag+5SYWklfEXfWe0fy0s3ZpCnsM+tI6q5QsG3vJWKvozx74Z11NMw73I4xe1 pElCY+zCphcPXVgaSTyQXFWjZSAA/Rgg5V+CprGoksVYasGNAzzrw80FopCubjGCAjwwggI4 AgEBMIHhMIHMMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24g VHJ1c3QgTmV0d29yazFGMEQGA1UECxM9d3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L1JQ QSBJbmNvcnAuIEJ5IFJlZi4sTElBQi5MVEQoYyk5ODFIMEYGA1UEAxM/VmVyaVNpZ24gQ2xh c3MgMSBDQSBJbmRpdmlkdWFsIFN1YnNjcmliZXItUGVyc29uYSBOb3QgVmFsaWRhdGVkAhAV 9nEqnM8b86AlSm7V1bgJMAkGBSsOAwIaBQCggbEwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEH ATAcBgkqhkiG9w0BCQUxDxcNMDAwMTI3MTgxMzMzWjAjBgkqhkiG9w0BCQQxFgQUF4gn/veC D2GBcOyMXvD3HTFOdTcwUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0DBzAOBggqhkiG9w0D AgICAIAwBwYFKw4DAgcwDQYIKoZIhvcNAwICAUAwDQYIKoZIhvcNAwICASgwDQYJKoZIhvcN AQEBBQAEgYC7/XSqPLQOZlCkafUS9b5V9hpbmWkl4d58mULCvmBCP3zHAa6P43dlaArltMIs DIuCrQOWc8C1oqmVlMMVq3NUUzkGePIGjDWFfkfUhBv4ZsEXl1dZmGsKEoVKUInWCRQzXmGE dvLeIRpxezwq8ZT8ArRHVCo8RgQj0/5HeHFQrw== --------------ms924A9EAB3D5FD16C929E664E-- From owner-ietf-calendar@imc.org Thu Jan 27 13:53:48 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA11939 for ; Thu, 27 Jan 2000 13:53:47 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id KAA25588 for ietf-calendar-bks; Thu, 27 Jan 2000 10:17:16 -0800 (PST) Received: from home.royer.com (adsl-63-195-80-50.dsl.snfc21.pacbell.net [63.195.80.50]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA25583 for ; Thu, 27 Jan 2000 10:17:15 -0800 (PST) Received: from home.royer.com (home.royer.com [192.168.168.10]) by home.royer.com (8.9.1/8.9.1) with ESMTP id KAA20266 for ; Thu, 27 Jan 2000 10:19:06 -0800 (PST) Message-ID: <38908C19.18A01472@home.royer.com> Date: Thu, 27 Jan 2000 10:19:05 -0800 From: Doug Royer Reply-To: ietf-calendar@imc.org X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.6 sun4m) X-Accept-Language: en MIME-Version: 1.0 To: ietf-calendar@imc.org Subject: Re: forced VCAR (was: revised security section) References: <4.2.0.58.20000127105755.06ec4130@po12.mit.edu> Content-Type: multipart/mixed; boundary="------------D3E90BF4B7B3255E9473A061" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a multi-part message in MIME format. --------------D3E90BF4B7B3255E9473A061 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit "Paul B. Hill" wrote: > 2.4.4.2 Enforced VCARs > [ editor's note: new concept. This will also require some syntax > modification 14.4] > > A CS MAY choose to allow forced VCARs on all calendars. This is not the > same as inheritance. Also needs new text. What is a 'forced' VCAR? -Doug --------------D3E90BF4B7B3255E9473A061 Content-Type: text/x-vcard; charset=us-ascii; name="doug.vcf" Content-Description: Card for Doug Royer Content-Disposition: attachment; filename="doug.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Royer;Doug tel;pager:650-274-8960 or pager@Royer.com tel;cell:650-274-8960 tel;home:650-274-8960 tel;work:805-957-1790 x541 x-mozilla-html:FALSE url:http://Royer.com/People/Doug version:2.1 email;internet:doug@home.royer.com adr;quoted-printable:;;801 Woodside Rd. #14=0D=0ASuite 244;Redwood City;CA;94061;USA x-mozilla-cpt:;0 fn:Doug Royer end:vcard --------------D3E90BF4B7B3255E9473A061-- From owner-ietf-calendar@imc.org Thu Jan 27 14:23:08 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA12554 for ; Thu, 27 Jan 2000 14:23:06 -0500 (EST) Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id KAA26152 for ietf-calendar-bks; Thu, 27 Jan 2000 10:52:43 -0800 (PST) Received: from home.royer.com (adsl-63-195-80-50.dsl.snfc21.pacbell.net [63.195.80.50]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA26148 for ; Thu, 27 Jan 2000 10:52:42 -0800 (PST) Received: from home.royer.com (home.royer.com [192.168.168.10]) by home.royer.com (8.9.1/8.9.1) with ESMTP id KAA20280 for ; Thu, 27 Jan 2000 10:54:33 -0800 (PST) Message-ID: <38909469.EECEB436@home.royer.com> Date: Thu, 27 Jan 2000 10:54:33 -0800 From: Doug Royer Reply-To: ietf-calendar@imc.org X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.6 sun4m) X-Accept-Language: en MIME-Version: 1.0 To: ietf-calendar@imc.org Subject: Re: READBUSYTIMEINFO (was: revised security section) References: <4.2.0.58.20000127105755.06ec4130@po12.mit.edu> Content-Type: multipart/mixed; boundary="------------BA8E2EF3C4CD16F4B373BB18" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a multi-part message in MIME format. --------------BA8E2EF3C4CD16F4B373BB18 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit (I know the text I am commenting below is mostly from the existing CAP-DRAFT, but I think they need comments). > 2.4.4.4 Policies > Calendar access policies are individual sets of well-defined VCARs that can > be referenced by their policy name. CAP specifies some standard POLICIES > that are necessary for interoperability between CS and CUA implementations. > The POLICY rule part of a VCAR is used to specify these policies. > > For details on the VCAR syntax please see section 14.4 > > NOTE: Possible calendar access policy that may be standardized by CAP include: > > - READBUSYTIMEINFO - Specifies rights for reading busy time data. Not specific... Does: BEGIN:VCAR CARID:my carid GRANT:UPN=;POLICY=READBUSYTIMEINFO END:VCAR (1) Specify the rights for reading VFREEBUSY components? As in: BEGIN:VCAR CARID:READBUSYTIMEINFO GRANT:UPN=;OBJECT=VFREEBUSY;ACTION=READ END:VCAR (2) Or do you mean perform any VQUERY with DTSTART/DTEND/DURATION ? as in: BEGIN:VCAR CARID:READBUSYTIMEINFO GRANT:UPN=;OBJECT=DTSTART,DTEND,DURATION;ACTION=READ END:VCAR (3) Or do you mean both? As in: BEGIN:VCAR CARID:READBUSYTIMEINFO GRANT:UPN=:OBJECT=VFREEBUSY,DTSTART,DTEND,DURATION;ACTION=READ BEGIN:VCAR I think the talks in the past meant (1), I am not sure and we need to exactly specify its meaning. If we mean (1), then what is to keep CUs from doing a VQUERY for DTSTART/DTEND/DURATION and getting the same information outside of using a VFREEBUSY? Perhaps circumventing what the CU/administrator thought they were getting with POLICY READBUSYTIMEINFO + DENY. As in: BEGIN:VCAR CARID:my carid-2 GRANT:UPN=;POLICY=READBUSYTIMEINFO DENY:UPN=pain@example.com;POLICY=READBUSYTIMEINFO END:VCAR What (if (1) above) would keep 'pain@example.com' from a VQUERY for DTSTART/DTEND/DRUATION and the the same results? If you say that you can allways in this case add extra DENY properties ... BEGIN:VCAR CARID:my carid-2 GRANT:UPN=;POLICY=READBUSYTIMEINFO DENY:UPN=pain@example.com;POLICY=READBUSYTIMEINFO DENY:UPN=pain@example.com;OBJECT=DTSTART,DTEND,DURATION;ACTION=READ END:VCAR ... then why not say that READBUSYTIMEINFO is (3)? When would you not want both of the DENY lines when you DENY any UPN VFREEBUSY? If we mean (3) or (2) then how can we VQUERY for -ANY- component where including DTSTART/DTEND/DURATION was restricted with a POLICY READBUSYTIMEINFO + DENY? VFREEBUSY is an iTIP idea that I do not think maps well into CAP. Ether you want or do not want a UPN to be able to see your busy time. If you do not want a UPN to see your busy time, then how usfull is it to get 1+ VEVENTs without DTSTART/DTEND/DURATION ? So in other words - WHY do we have READBUSYTIMEINFO? I think it does not provide a generic policy that can work in an interoperable way. And the access control can be provided exactly as the CU-owner or CS-administrator whished using non-POLICY VCARs. (as shown above). -Doug --------------BA8E2EF3C4CD16F4B373BB18 Content-Type: text/x-vcard; charset=us-ascii; name="doug.vcf" Content-Description: Card for Doug Royer Content-Disposition: attachment; filename="doug.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Royer;Doug tel;pager:650-274-8960 or pager@Royer.com tel;cell:650-274-8960 tel;home:650-274-8960 tel;work:805-957-1790 x541 x-mozilla-html:FALSE url:http://Royer.com/People/Doug version:2.1 email;internet:doug@home.royer.com adr;quoted-printable:;;801 Woodside Rd. #14=0D=0ASuite 244;Redwood City;CA;94061;USA x-mozilla-cpt:;0 fn:Doug Royer end:vcard --------------BA8E2EF3C4CD16F4B373BB18-- From owner-ietf-calendar@imc.org Thu Jan 27 14:26:17 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA12606 for ; Thu, 27 Jan 2000 14:26:16 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id KAA26192 for ietf-calendar-bks; Thu, 27 Jan 2000 10:56:00 -0800 (PST) Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id KAA26188 for ; Thu, 27 Jan 2000 10:55:59 -0800 (PST) Received: from GRAND-CENTRAL-STATION.MIT.EDU by MIT.EDU with SMTP id AA29660; Thu, 27 Jan 00 13:57:17 EST Received: from melbourne-city-street.MIT.EDU (MELBOURNE-CITY-STREET.MIT.EDU [18.69.0.45]) by grand-central-station.MIT.EDU (8.9.2/8.9.2) with ESMTP id NAA07714 for ; Thu, 27 Jan 2000 13:57:47 -0500 (EST) Received: from miles-davis (MUCKLEY-FOURTEEN.MIT.EDU [18.172.5.14]) by melbourne-city-street.MIT.EDU (8.9.3/8.9.2) with ESMTP id NAA12862; Thu, 27 Jan 2000 13:57:47 -0500 (EST) Message-Id: <4.2.0.58.20000127134930.01a9dc30@po12.mit.edu> X-Sender: pbh@po12.mit.edu (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Thu, 27 Jan 2000 13:54:44 -0500 To: ietf-calendar@imc.org, ietf-calendar@imc.org From: "Paul B. Hill" Subject: Re: forced VCAR (was: revised security section) In-Reply-To: <38908C19.18A01472@home.royer.com> References: <4.2.0.58.20000127105755.06ec4130@po12.mit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: Hi, A CS MAY choose to implement and allow persistent immutable VCARs, that are configured by the CS Administrator, which apply to all calendars on the server. For example a company may decide that it wants all calendars on its server to have the Policy READBUSYTIMEINFO. They made me use the shorter sentence. :) Paul At 10:19 AM 1/27/2000 -0800, Doug Royer wrote: >"Paul B. Hill" wrote: > > > 2.4.4.2 Enforced VCARs > > [ editor's note: new concept. This will also require some syntax > > modification 14.4] > > > > A CS MAY choose to allow forced VCARs on all calendars. This is not the > > same as inheritance. > >Also needs new text. What is a 'forced' VCAR? > >-Doug From owner-ietf-calendar@imc.org Thu Jan 27 14:36:56 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA13038 for ; Thu, 27 Jan 2000 14:36:53 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id LAA26516 for ietf-calendar-bks; Thu, 27 Jan 2000 11:10:01 -0800 (PST) Received: from lotus2.lotus.com (lotus2.lotus.com [192.233.136.8]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA26512; Thu, 27 Jan 2000 11:10:00 -0800 (PST) From: Frank_Dawson@lotus.com Received: from internet2.lotus.com (internet2 [9.95.4.236]) by lotus2.lotus.com (8.9.3/8.9.3) with ESMTP id OAA27226; Thu, 27 Jan 2000 14:26:41 -0500 (EST) Received: from barium.Lotus.com (BARIUM.lotus.com [9.95.4.108]) by internet2.lotus.com (8.9.3/8.9.3) with ESMTP id OAA06415; Thu, 27 Jan 2000 14:11:17 -0500 (EST) To: ietf-calendar@imc.org Cc: ietf-calendar@imc.org, owner-ietf-calendar@imc.org Subject: Re: forced VCAR (was: revised security section) X-Mailer: Lotus Notes Release 5.0.2b December 16, 1999 Message-ID: Date: Thu, 27 Jan 2000 14:12:19 -0500 X-MIMETrack: Serialize by Router on Barium/CAM/M/Lotus(Release 5.0.2a |November 23, 1999) at 01/27/2000 02:12:23 PM, Serialize complete at 01/27/2000 02:12:24 PM, Serialize by Router on Barium/CAM/M/Lotus(Release 5.0.2a |November 23, 1999) at 01/27/2000 02:12:24 PM MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="=_alternative 0069A64085256873_=" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a multipart message in MIME format. --=_alternative 0069A64085256873_= Content-Type: text/plain; charset="us-ascii" Is this a CS overriding the request CAR specified by a CUA with it's own default CAR? If so, I assume that an exception would also be returned to the requesting CUA by the CS. -- Frank --=_alternative 0069A64085256873_= Content-Type: text/html; charset="us-ascii"
Is this a CS overriding the request CAR specified by a CUA with it's own default CAR?

If so, I assume that an exception would also be returned to the requesting CUA by the CS.

-- Frank --=_alternative 0069A64085256873_=-- From owner-ietf-calendar@imc.org Thu Jan 27 14:37:08 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA13049 for ; Thu, 27 Jan 2000 14:37:06 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id LAA26488 for ietf-calendar-bks; Thu, 27 Jan 2000 11:08:23 -0800 (PST) Received: from lotus2.lotus.com (lotus2.lotus.com [192.233.136.8]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA26483; Thu, 27 Jan 2000 11:08:22 -0800 (PST) From: Frank_Dawson@lotus.com Received: from internet2.lotus.com (internet2 [9.95.4.236]) by lotus2.lotus.com (8.9.3/8.9.3) with ESMTP id OAA26984; Thu, 27 Jan 2000 14:25:04 -0500 (EST) Received: from barium.Lotus.com (BARIUM.lotus.com [9.95.4.108]) by internet2.lotus.com (8.9.3/8.9.3) with ESMTP id OAA06145; Thu, 27 Jan 2000 14:09:39 -0500 (EST) To: "Paul B. Hill" Cc: ietf-calendar@imc.org, owner-ietf-calendar@imc.org Subject: Re: revised security section X-Mailer: Lotus Notes Release 5.0.2b December 16, 1999 Message-ID: Date: Thu, 27 Jan 2000 14:10:36 -0500 X-MIMETrack: Serialize by Router on Barium/CAM/M/Lotus(Release 5.0.2a |November 23, 1999) at 01/27/2000 02:10:45 PM, Serialize complete at 01/27/2000 02:10:45 PM MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="=_alternative 00697E0F85256873_=" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a multipart message in MIME format. --=_alternative 00697E0F85256873_= Content-Type: text/plain; charset="us-ascii" Paul: Shouldn't: 2.4.4.1 VCalendar Access Right (VCAR) Read: 2.4.4.1 Calendar Access Rights (CAR) Yes, the component is probably identified as BEGIN:VCAR/END:VCAR. But, it defines a calendar access rights object, none the less. -- Frank --=_alternative 00697E0F85256873_= Content-Type: text/html; charset="us-ascii"
Paul:

2.4.4.1 VCalendar Access Right (VCAR)

Read:

2.4.4.1 Calendar Access Rights (CAR)

Yes, the component is probably identified as BEGIN:VCAR/END:VCAR. But, it defines a calendar access rights object, none the less.

-- Frank --=_alternative 00697E0F85256873_=-- From owner-ietf-calendar@imc.org Thu Jan 27 14:37:47 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA13062 for ; Thu, 27 Jan 2000 14:37:44 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id LAA26363 for ietf-calendar-bks; Thu, 27 Jan 2000 11:01:05 -0800 (PST) Received: from lotus2.lotus.com (lotus2.lotus.com [192.233.136.8]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA26358; Thu, 27 Jan 2000 11:01:04 -0800 (PST) From: Frank_Dawson@lotus.com Received: from internet2.lotus.com (internet2 [9.95.4.236]) by lotus2.lotus.com (8.9.3/8.9.3) with ESMTP id OAA25730; Thu, 27 Jan 2000 14:17:46 -0500 (EST) Received: from barium.Lotus.com (BARIUM.lotus.com [9.95.4.108]) by internet2.lotus.com (8.9.3/8.9.3) with ESMTP id OAA04710; Thu, 27 Jan 2000 14:02:22 -0500 (EST) To: "Paul B. Hill" Cc: ietf-calendar@imc.org, owner-ietf-calendar@imc.org Subject: Re: CAP Roles? X-Mailer: Lotus Notes Release 5.0.2b December 16, 1999 Message-ID: Date: Thu, 27 Jan 2000 14:03:22 -0500 X-MIMETrack: Serialize by Router on Barium/CAM/M/Lotus(Release 5.0.2a |November 23, 1999) at 01/27/2000 02:03:29 PM, Serialize complete at 01/27/2000 02:03:29 PM MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="=_alternative 0068D46185256873_=" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a multipart message in MIME format. --=_alternative 0068D46185256873_= Content-Type: text/plain; charset="us-ascii" Paul: Roles in iCalendar are participation roles within a meeting. Participation is identified by an ATTENDEE property. The valid roles are CHAIR, REQ-PARTICIPANT, OPT-PARTICIPANT, NON-PARTICIPANT. The ORGANIZER role is explicit by the specification of the ORGANIZER property within a group scheduled calendar component. The addition of ORGANIZER to the enumerated values of the ATTENDEE ROLE parameter is unnecessary and confuses the meaning of the original parameter. If you want to know who created the event, this can be found by parsing for the ORGANIZER property. The suggestion of adding ORGANIZER value should not be included in either CAP or an iCalendar extension. -- Frank --=_alternative 0068D46185256873_= Content-Type: text/html; charset="us-ascii"
Paul:

Roles in iCalendar are participation roles within a meeting. Participation is identified by an ATTENDEE property. The valid roles are CHAIR, REQ-PARTICIPANT, OPT-PARTICIPANT, NON-PARTICIPANT. The ORGANIZER role is explicit by the specification of the ORGANIZER property within a group scheduled calendar component. The addition of ORGANIZER to the enumerated values of the ATTENDEE ROLE parameter is unnecessary and confuses the meaning of the original parameter.

If you want to know who created the event, this can be found by parsing for the ORGANIZER property.

The suggestion of adding ORGANIZER value should not be included in either CAP or an iCalendar extension.

--=_alternative 0068D46185256873_=-- From owner-ietf-calendar@imc.org Thu Jan 27 14:48:31 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA13270 for ; Thu, 27 Jan 2000 14:48:30 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id LAA26625 for ietf-calendar-bks; Thu, 27 Jan 2000 11:13:03 -0800 (PST) Received: from home.royer.com (adsl-63-195-80-50.dsl.snfc21.pacbell.net [63.195.80.50]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA26621 for ; Thu, 27 Jan 2000 11:13:02 -0800 (PST) Received: from home.royer.com (home.royer.com [192.168.168.10]) by home.royer.com (8.9.1/8.9.1) with ESMTP id LAA20315 for ; Thu, 27 Jan 2000 11:14:48 -0800 (PST) Message-ID: <38909927.A861FF28@home.royer.com> Date: Thu, 27 Jan 2000 11:14:47 -0800 From: Doug Royer Reply-To: ietf-calendar@imc.org X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.6 sun4m) X-Accept-Language: en MIME-Version: 1.0 To: ietf-calendar@imc.org Subject: CLASS ordering (was: revised security section) Content-Type: multipart/mixed; boundary="------------A7DC998C1AE7F3DC253911C2" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a multi-part message in MIME format. --------------A7DC998C1AE7F3DC253911C2 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit > 2.4.4.4 Policies > Calendar access policies are individual sets of well-defined VCARs that can > be referenced by their policy name. CAP specifies some standard POLICIES > that are necessary for interoperability between CS and CUA implementations. > The POLICY rule part of a VCAR is used to specify these policies. > - ACTONBEHALFOF - Specifies rights for any CAP function taken on PUBLIC or > PRIVATE calendar components. However, no CAP function can be taken on > CONFIDENTIAL classified calendar components. I think the new "iCalendar" MUST specify the importance of PUBLIC, PRIVATE, and CONFIDENTIAL! We need to specify the ordering for PRIVATE, PUBLIC, and CONFIDENTIAL. The above text almost does. Example on some existing CUA's, PRIVATE is more restrictive than CONFIDENTIAL, others CONFIDENTIAL is more restrictive than PRIVATE. Reading the above text it implies that CONFIDENTIAL is the most restrictive. This can cause real security issues. CUA-A thinks CONFIDENTIAL is more restrictive, CS-B thinks that PRIVATE is more restrictive. So CU-A puts personal information in CONFIDENTIAL. CU-B might now see it as their CS (CS-B) calendar policy allows CU-B to read it. -DOug --------------A7DC998C1AE7F3DC253911C2 Content-Type: text/x-vcard; charset=us-ascii; name="doug.vcf" Content-Description: Card for Doug Royer Content-Disposition: attachment; filename="doug.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Royer;Doug tel;pager:650-274-8960 or pager@Royer.com tel;cell:650-274-8960 tel;home:650-274-8960 tel;work:805-957-1790 x541 x-mozilla-html:FALSE url:http://Royer.com/People/Doug version:2.1 email;internet:doug@home.royer.com adr;quoted-printable:;;801 Woodside Rd. #14=0D=0ASuite 244;Redwood City;CA;94061;USA x-mozilla-cpt:;0 fn:Doug Royer end:vcard --------------A7DC998C1AE7F3DC253911C2-- From owner-ietf-calendar@imc.org Thu Jan 27 15:32:58 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA14177 for ; Thu, 27 Jan 2000 15:32:55 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id MAA28067 for ietf-calendar-bks; Thu, 27 Jan 2000 12:01:44 -0800 (PST) Received: from home.royer.com (adsl-63-195-80-50.dsl.snfc21.pacbell.net [63.195.80.50]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA28062 for ; Thu, 27 Jan 2000 12:01:43 -0800 (PST) Received: from home.royer.com (home.royer.com [192.168.168.10]) by home.royer.com (8.9.1/8.9.1) with ESMTP id MAA20338 for ; Thu, 27 Jan 2000 12:03:34 -0800 (PST) Message-ID: <3890A496.89ACBD02@home.royer.com> Date: Thu, 27 Jan 2000 12:03:34 -0800 From: Doug Royer Reply-To: ietf-calendar@imc.org X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.6 sun4m) X-Accept-Language: en MIME-Version: 1.0 To: ietf-calendar@imc.org Subject: ACTONBEHALFOF (was: revised security section) References: <4.2.0.58.20000127105755.06ec4130@po12.mit.edu> Content-Type: multipart/mixed; boundary="------------C949CEA0C7036599635D70AB" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a multi-part message in MIME format. --------------C949CEA0C7036599635D70AB Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit > 2.4.4.4 Policies > Calendar access policies are individual sets of well-defined VCARs that can > be referenced by their policy name. CAP specifies some standard POLICIES > that are necessary for interoperability between CS and CUA implementations. > The POLICY rule part of a VCAR is used to specify these policies. > > ... > - ACTONBEHALFOF - Specifies rights for any CAP function taken on PUBLIC or > PRIVATE calendar components. However, no CAP function can be taken on > CONFIDENTIAL classified calendar components. This has been a request from day one. What 'exactly' is it? Does this mean I can book using your name, with STATUS=CONFIRMED? Does this mean I can book using your name , with STATUS=NEEDSACTION? Both? Nether? Does this mean I can REPLY for you? Does this mean I can do anything except REPLY for you? Does this mean I can ONLY REPLY for you and ONLY update STATUS and nothing else? Does this mean I can REQUEST using your name, and update your calendar? Does this mean I can REQUEST using your name, except I can not update your calendar? Does it mean I can alter your CAP calendar properties? Does it mean I can do anything except alter your CAP calendar properties? What exactly are the rules ? -Doug --------------C949CEA0C7036599635D70AB Content-Type: text/x-vcard; charset=us-ascii; name="doug.vcf" Content-Description: Card for Doug Royer Content-Disposition: attachment; filename="doug.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Royer;Doug tel;pager:650-274-8960 or pager@Royer.com tel;cell:650-274-8960 tel;home:650-274-8960 tel;work:805-957-1790 x541 x-mozilla-html:FALSE url:http://Royer.com/People/Doug version:2.1 email;internet:doug@home.royer.com adr;quoted-printable:;;801 Woodside Rd. #14=0D=0ASuite 244;Redwood City;CA;94061;USA x-mozilla-cpt:;0 fn:Doug Royer end:vcard --------------C949CEA0C7036599635D70AB-- From owner-ietf-calendar@imc.org Thu Jan 27 15:34:43 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA14226 for ; Thu, 27 Jan 2000 15:34:39 -0500 (EST) Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id MAA28211 for ietf-calendar-bks; Thu, 27 Jan 2000 12:06:59 -0800 (PST) Received: from home.royer.com (adsl-63-195-80-50.dsl.snfc21.pacbell.net [63.195.80.50]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA28207 for ; Thu, 27 Jan 2000 12:06:57 -0800 (PST) Received: from home.royer.com (home.royer.com [192.168.168.10]) by home.royer.com (8.9.1/8.9.1) with ESMTP id MAA20346 for ; Thu, 27 Jan 2000 12:08:49 -0800 (PST) Message-ID: <3890A5D0.894404CD@home.royer.com> Date: Thu, 27 Jan 2000 12:08:48 -0800 From: Doug Royer Reply-To: ietf-calendar@imc.org X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.6 sun4m) X-Accept-Language: en MIME-Version: 1.0 To: ietf-calendar@imc.org Subject: REQUESTONLY (was: revised security section) References: <4.2.0.58.20000127105755.06ec4130@po12.mit.edu> Content-Type: multipart/mixed; boundary="------------0AC8EB67BC3D080B5545FD80" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a multi-part message in MIME format. --------------0AC8EB67BC3D080B5545FD80 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit > - REQUESTONLY - Specifies rights for creating new event invitations, to-do > assignments and journal entries. What exactly is this? Does it mean I can create new (direct book) an appointment? If so why not name it CREATEONLY? -Doug --------------0AC8EB67BC3D080B5545FD80 Content-Type: text/x-vcard; charset=us-ascii; name="doug.vcf" Content-Description: Card for Doug Royer Content-Disposition: attachment; filename="doug.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Royer;Doug tel;pager:650-274-8960 or pager@Royer.com tel;cell:650-274-8960 tel;home:650-274-8960 tel;work:805-957-1790 x541 x-mozilla-html:FALSE url:http://Royer.com/People/Doug version:2.1 email;internet:doug@home.royer.com adr;quoted-printable:;;801 Woodside Rd. #14=0D=0ASuite 244;Redwood City;CA;94061;USA x-mozilla-cpt:;0 fn:Doug Royer end:vcard --------------0AC8EB67BC3D080B5545FD80-- From owner-ietf-calendar@imc.org Thu Jan 27 15:54:27 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA14634 for ; Thu, 27 Jan 2000 15:54:23 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id MAA28723 for ietf-calendar-bks; Thu, 27 Jan 2000 12:35:14 -0800 (PST) Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id MAA28719 for ; Thu, 27 Jan 2000 12:35:12 -0800 (PST) Received: from GRAND-CENTRAL-STATION.MIT.EDU by MIT.EDU with SMTP id AA07129; Thu, 27 Jan 00 15:36:32 EST Received: from melbourne-city-street.MIT.EDU (MELBOURNE-CITY-STREET.MIT.EDU [18.69.0.45]) by grand-central-station.MIT.EDU (8.9.2/8.9.2) with ESMTP id PAA05721; Thu, 27 Jan 2000 15:37:02 -0500 (EST) Received: from miles-davis (MILES-DAVIS.MIT.EDU [18.177.0.37]) by melbourne-city-street.MIT.EDU (8.9.3/8.9.2) with ESMTP id PAA14569; Thu, 27 Jan 2000 15:37:01 -0500 (EST) Message-Id: <4.2.0.58.20000127153336.01ab19d0@po12.mit.edu> X-Sender: pbh@po12.mit.edu (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Thu, 27 Jan 2000 15:33:52 -0500 To: Frank_Dawson@lotus.com, ietf-calendar@imc.org From: "Paul B. Hill" Subject: Re: forced VCAR (was: revised security section) In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: At 02:12 PM 1/27/2000 -0500, Frank_Dawson@lotus.com wrote: >Is this a CS overriding the request CAR specified by a CUA with it's own >default CAR? > >If so, I assume that an exception would also be returned to the requesting >CUA by the CS. > >-- Frank Yes. From owner-ietf-calendar@imc.org Thu Jan 27 15:56:22 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA14663 for ; Thu, 27 Jan 2000 15:56:17 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id MAA28643 for ietf-calendar-bks; Thu, 27 Jan 2000 12:30:39 -0800 (PST) Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id MAA28639 for ; Thu, 27 Jan 2000 12:30:38 -0800 (PST) Received: from GRAND-CENTRAL-STATION.MIT.EDU by MIT.EDU with SMTP id AA05441; Thu, 27 Jan 00 15:31:58 EST Received: from melbourne-city-street.MIT.EDU (MELBOURNE-CITY-STREET.MIT.EDU [18.69.0.45]) by grand-central-station.MIT.EDU (8.9.2/8.9.2) with ESMTP id PAA04389 for ; Thu, 27 Jan 2000 15:32:28 -0500 (EST) Received: from miles-davis (MILES-DAVIS.MIT.EDU [18.177.0.37]) by melbourne-city-street.MIT.EDU (8.9.3/8.9.2) with ESMTP id PAA13006; Thu, 27 Jan 2000 15:32:28 -0500 (EST) Message-Id: <4.2.0.58.20000127135707.01b5ed60@po12.mit.edu> X-Sender: pbh@po12.mit.edu (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Thu, 27 Jan 2000 13:58:31 -0500 To: ietf-calendar@imc.org, ietf-calendar@imc.org From: "Paul B. Hill" Subject: Re: READBUSYTIMEINFO (was: revised security section) In-Reply-To: <38909469.EECEB436@home.royer.com> References: <4.2.0.58.20000127105755.06ec4130@po12.mit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: At 10:54 AM 1/27/2000 -0800, Doug Royer wrote: > > - READBUSYTIMEINFO - Specifies rights for reading busy time data. > >Not specific... > >... >I think the talks in the past meant (1), I am not sure and we >need to exactly specify its meaning. I think we originally said that we do need to specify the policies very clearly. But nobody has sat down and taken the time to write up a proposal yet. Paul From owner-ietf-calendar@imc.org Thu Jan 27 16:02:24 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA14795 for ; Thu, 27 Jan 2000 16:02:19 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id MAA28791 for ietf-calendar-bks; Thu, 27 Jan 2000 12:42:55 -0800 (PST) Received: from home.royer.com (adsl-63-195-80-50.dsl.snfc21.pacbell.net [63.195.80.50]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA28787 for ; Thu, 27 Jan 2000 12:42:54 -0800 (PST) Received: from home.royer.com (home.royer.com [192.168.168.10]) by home.royer.com (8.9.1/8.9.1) with ESMTP id MAA20366 for ; Thu, 27 Jan 2000 12:44:45 -0800 (PST) Message-ID: <3890AE3C.31C5A7C1@home.royer.com> Date: Thu, 27 Jan 2000 12:44:44 -0800 From: Doug Royer Reply-To: ietf-calendar@imc.org X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.6 sun4m) X-Accept-Language: en MIME-Version: 1.0 To: ietf-calendar@imc.org Subject: OWNER (was: revised security section) References: <4.2.0.58.20000127105755.06ec4130@po12.mit.edu> Content-Type: multipart/mixed; boundary="------------F5AF1E7BEE9C261609670E00" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a multi-part message in MIME format. --------------F5AF1E7BEE9C261609670E00 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit > - OWNER - Specifies the same rights given to the owner of the calendar > store or calendar. The OWNER is given rights. CS policy may mandate that certain operations can not be done by an OWNER. An example given at the LA IETF was some calendars might NEVER allow deletions - for government tracking. So, if the OWNER policy is the SAME RIGHTS GIVEN TO OWNER. Why not make them an OWNER? And why do we need an OWNER policy? -Doug --------------F5AF1E7BEE9C261609670E00 Content-Type: text/x-vcard; charset=us-ascii; name="doug.vcf" Content-Description: Card for Doug Royer Content-Disposition: attachment; filename="doug.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Royer;Doug tel;pager:650-274-8960 or pager@Royer.com tel;cell:650-274-8960 tel;home:650-274-8960 tel;work:805-957-1790 x541 x-mozilla-html:FALSE url:http://Royer.com/People/Doug version:2.1 email;internet:doug@home.royer.com adr;quoted-printable:;;801 Woodside Rd. #14=0D=0ASuite 244;Redwood City;CA;94061;USA x-mozilla-cpt:;0 fn:Doug Royer end:vcard --------------F5AF1E7BEE9C261609670E00-- From owner-ietf-calendar@imc.org Thu Jan 27 16:04:15 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA14845 for ; Thu, 27 Jan 2000 16:04:10 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id MAA28805 for ietf-calendar-bks; Thu, 27 Jan 2000 12:43:43 -0800 (PST) Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id MAA28801 for ; Thu, 27 Jan 2000 12:43:42 -0800 (PST) Received: from GRAND-CENTRAL-STATION.MIT.EDU by MIT.EDU with SMTP id AA10801; Thu, 27 Jan 00 15:45:02 EST Received: from melbourne-city-street.MIT.EDU (MELBOURNE-CITY-STREET.MIT.EDU [18.69.0.45]) by grand-central-station.MIT.EDU (8.9.2/8.9.2) with ESMTP id PAA08109 for ; Thu, 27 Jan 2000 15:45:31 -0500 (EST) Received: from miles-davis (MILES-DAVIS.MIT.EDU [18.177.0.37]) by melbourne-city-street.MIT.EDU (8.9.3/8.9.2) with ESMTP id PAA17231 for ; Thu, 27 Jan 2000 15:45:31 -0500 (EST) Message-Id: <4.2.0.58.20000127153625.01bf4850@po12.mit.edu> X-Sender: pbh@po12.mit.edu (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Thu, 27 Jan 2000 15:42:24 -0500 To: ietf-calendar@imc.org From: "Paul B. Hill" Subject: Re: ACTONBEHALFOF (was: revised security section) In-Reply-To: <3890A496.89ACBD02@home.royer.com> References: <4.2.0.58.20000127105755.06ec4130@po12.mit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: At 12:03 PM 1/27/2000 -0800, Doug Royer wrote: > > 2.4.4.4 Policies I'm glad the discussion has started but at the interim meeting we did not modify the VCAR and Policy text. In this area all we started on was a reorganization so that a reader didn't half to traverse the entire document several times to find the relevant sections. Paul From owner-ietf-calendar@imc.org Thu Jan 27 16:08:46 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA14885 for ; Thu, 27 Jan 2000 16:08:44 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id MAA28855 for ietf-calendar-bks; Thu, 27 Jan 2000 12:47:45 -0800 (PST) Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id MAA28850 for ; Thu, 27 Jan 2000 12:47:44 -0800 (PST) Received: from GRAND-CENTRAL-STATION.MIT.EDU by MIT.EDU with SMTP id AA24322; Thu, 27 Jan 00 15:50:38 EST Received: from melbourne-city-street.MIT.EDU (MELBOURNE-CITY-STREET.MIT.EDU [18.69.0.45]) by grand-central-station.MIT.EDU (8.9.2/8.9.2) with ESMTP id PAA09301 for ; Thu, 27 Jan 2000 15:49:30 -0500 (EST) Received: from miles-davis (MILES-DAVIS.MIT.EDU [18.177.0.37]) by melbourne-city-street.MIT.EDU (8.9.3/8.9.2) with ESMTP id PAA18603 for ; Thu, 27 Jan 2000 15:49:29 -0500 (EST) Message-Id: <4.2.0.58.20000127154336.01a7e538@po12.mit.edu> X-Sender: pbh@po12.mit.edu (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Thu, 27 Jan 2000 15:46:40 -0500 To: ietf-calendar@imc.org From: "Paul B. Hill" Subject: Re: OWNER (was: revised security section) In-Reply-To: <3890AE3C.31C5A7C1@home.royer.com> References: <4.2.0.58.20000127105755.06ec4130@po12.mit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: Hi Doug, A short sidebar not intended for the list... At 12:44 PM 1/27/2000 -0800, you wrote: >And why do we need an OWNER policy? :) I think you were the person that wrote all of the policy text :) It was not anyone at the meeting that took place this week. Seriously, I think the time has come for submitting suggested changes to this section, possibly along with some comments explaining the reasoning, instead of asking someone else to justify and explain. If all we ever do is ask, the section is unlikely to get finished. Paul From owner-ietf-calendar@imc.org Thu Jan 27 16:57:12 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA15547 for ; Thu, 27 Jan 2000 16:57:10 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id NAA29540 for ietf-calendar-bks; Thu, 27 Jan 2000 13:31:30 -0800 (PST) Received: from home.royer.com (adsl-63-195-80-50.dsl.snfc21.pacbell.net [63.195.80.50]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA29536 for ; Thu, 27 Jan 2000 13:31:29 -0800 (PST) Received: from home.royer.com (home.royer.com [192.168.168.10]) by home.royer.com (8.9.1/8.9.1) with ESMTP id NAA20390 for ; Thu, 27 Jan 2000 13:33:20 -0800 (PST) Message-ID: <3890B9A0.3E3C906D@home.royer.com> Date: Thu, 27 Jan 2000 13:33:20 -0800 From: Doug Royer Reply-To: ietf-calendar@imc.org X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.6 sun4m) X-Accept-Language: en MIME-Version: 1.0 To: ietf-calendar@imc.org Subject: Re: OWNER (was: revised security section) References: <4.2.0.58.20000127105755.06ec4130@po12.mit.edu> <4.2.0.58.20000127154336.01a7e538@po12.mit.edu> Content-Type: multipart/mixed; boundary="------------EF88001D5B158BC38007683A" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a multi-part message in MIME format. --------------EF88001D5B158BC38007683A Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit "Paul B. Hill" wrote: > > Hi Doug, > > A short sidebar not intended for the list... > > At 12:44 PM 1/27/2000 -0800, you wrote: > >And why do we need an OWNER policy? > > :) I think you were the person that wrote all of the policy text :) It was > not anyone at the meeting that took place this week. No, it was Frank. I have always been opposed to POLICY. I have yet to see any one that can not be done with a VCAR (I wrote VCAR - then VACL). > Seriously, I think the time has come for submitting suggested changes to > this section, possibly along with some comments explaining the reasoning, > instead of asking someone else to justify and explain. I am sill looking for a reason for them to exist. I was not complaining, just starting to do what I can to get rid if them. Someone needs to justify and explain them, especially in the draft, or we need to drop them. I did not mean to imply that they were modified or reviewed this week. > If all we ever do is > ask, the section is unlikely to get finished. I would like to delete the POLICY section and all references to POLICY. My next email (formulating it now), I'll propose how to delete POLICY and replace them with VCARs. I just needed to set the framework for my next comments. -Doug --------------EF88001D5B158BC38007683A Content-Type: text/x-vcard; charset=us-ascii; name="doug.vcf" Content-Description: Card for Doug Royer Content-Disposition: attachment; filename="doug.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Royer;Doug tel;pager:650-274-8960 or pager@Royer.com tel;cell:650-274-8960 tel;home:650-274-8960 tel;work:805-957-1790 x541 x-mozilla-html:FALSE url:http://Royer.com/People/Doug version:2.1 email;internet:doug@home.royer.com adr;quoted-printable:;;801 Woodside Rd. #14=0D=0ASuite 244;Redwood City;CA;94061;USA x-mozilla-cpt:;0 fn:Doug Royer end:vcard --------------EF88001D5B158BC38007683A-- From owner-ietf-calendar@imc.org Thu Jan 27 21:20:13 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA17867 for ; Thu, 27 Jan 2000 21:20:12 -0500 (EST) Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id RAA03811 for ietf-calendar-bks; Thu, 27 Jan 2000 17:53:10 -0800 (PST) Received: from home.royer.com (adsl-63-195-80-50.dsl.snfc21.pacbell.net [63.195.80.50]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id RAA03807 for ; Thu, 27 Jan 2000 17:53:09 -0800 (PST) Received: from home.royer.com (home.royer.com [192.168.168.10]) by home.royer.com (8.9.1/8.9.1) with ESMTP id RAA20550 for ; Thu, 27 Jan 2000 17:55:01 -0800 (PST) Message-ID: <3890F6EE.D3D2363D@home.royer.com> Date: Thu, 27 Jan 2000 17:54:54 -0800 From: Doug Royer Reply-To: ietf-calendar@imc.org X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.6 sun4m) X-Accept-Language: en MIME-Version: 1.0 To: ietf-calendar@imc.org Subject: POLICY in general. Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------msBB6F460385A37E01AC0BB6BB" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a cryptographically signed message in MIME format. --------------msBB6F460385A37E01AC0BB6BB Content-Type: multipart/mixed; boundary="------------37C9DFF6386FCE28DBB395CB" This is a multi-part message in MIME format. --------------37C9DFF6386FCE28DBB395CB Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Originally the discussions surrounding POLICY it was started when some said they wanted a simplified access rules for thinner CS's. Now we can have a compatibility problem if we do not map from one model into another. So if we keep POLICY, it is time now to define them, or drop them and only use VCARs. And I think we can drop them and specify a minimum set of VCARs that a CS MUST support. And report that set with CAPABILITY. Will call this minimum set 'CAR-MIN'. Can a CS support POLICY only? Not from reading the cap-draft-text. It does not state that anywhere and the ABNF implies both MUST be supported. It looks like all CS's must support POLICY and non-POLICY VCAR's. However from hallway conversations, I think others will have strong opinions on this ... ... if so SPEAK UP NOW! (1) READBUSYTIMEINFO - Specifies rights for reading busy time data. As I have pointed out in previous email, I think we can eliminate this entirely. (See CAPABILITY below also). Example: replace: BEGIN:VCAR CARID:name GRANT:UPN=<...>;POLICY=READBUSYTIMEINFO END:VCAR With: BEGIN:VCAR CARID:READBUSYTIMEINFO GRANT:UPN=<...>;OBJECT=VFREEBUSY;ACTION=READ DENY:UPN=<...>;OBJECT=VFREEBUSY;ACTION=READ END:VCAR (or OBJECT=VFREEBUSY,DTSTART,DTEND,DURATION if the WG wants READBUSYTIMEINFO to mean that). (2) REQUESTONLY - Specifies rights for creating new event invitations, to-do assignments and journal entries. As we are going to have to define what this means, then we can simply define in in terms of a VCAR and eliminate this as a POLICY. It could be (assuming I understand what the intent was): BEGIN:VCAR CARID:REQUESTONLY GRANT:UPN=<...>;OBJECT=ALL;ACTION=CREATE; END:VCAR (3) ACTONBEHALFOF - Specifies rights for any CAP function taken on PUBLIC or PRIVATE calendar components. However, no CAP function can be taken on CONFIDENTIAL classified calendar components. As we are going to have to define what this means, then we can simply define in in terms of a VCAR and eliminate this as a POLICY. Perhaps: BEGIN:VCAR CARID:ACTONBEHALFOF GRANT:UPN=<...> ;OBJECT=ORGANIZER;VALUE= ;OBJECT=SENT-BY;VALUE=SELF ;OBJECT=CLASS;VALUE=PUBLIC,PRIVATE ;ACTION=ALL END:VCAR ++In addition, 'self' probably would have to have CREATE, MODIFY, DELETE, permission in the target calendar. (4) UPDATEPARTSTATUS - Specifies rights for modifying ones own participation status. Perhaps: BEGIN:VCAR CARID:UPDATESTATUS GRANT:UPN=<...> ;OBJECT=PARTSTAT;VALUE=ALL ;OBJECT=ATTENDEE;VALUE=SELF ;ACTION=MODIFY END:VCAR (5) OWNER - Specifies the same rights given to the owner of the calendar store or calendar. Make them an OWNER by adding their OWNER property to the calendar properly list. And then: BEGIN:VCAR CARID:OWNER GRANT:UPN=OWNER;OBJECT=ALL;VALUE=ALL;ACTION=ALL END:VCAR (6) CAPABILITY reply. In the current CAP draft in the ABNF it has CAR0, CAR1, CAR2, and CAR3. This needs to be changed to CAR-MIN, and CAR-FULL-1 Define CAR-MIN as the above definitions (Or what ever tweaks the WG makes to the above definitions). If CAR-MIN is returned by CAPABILITY, then ONLY the ones defined above are supported. They can be hard coded into a CS (plus storage for which UPNs they apply to), or parsed. Ether way I think this would solve both problems (thin CS's and a complete IF supported VCAR). If CAR-FULL-1 is returned by CAPABILITY, then all of the VCAR support MUST be supported. Only one of CAR-MIN or CAR-FULL-1 can be returned by CAPABILITY. --------------37C9DFF6386FCE28DBB395CB Content-Type: text/x-vcard; charset=us-ascii; name="doug.vcf" Content-Description: Card for Doug Royer Content-Disposition: attachment; filename="doug.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Royer;Doug tel;pager:650-274-8960 or pager@Royer.com tel;cell:650-274-8960 tel;home:650-274-8960 tel;work:805-957-1790 x541 x-mozilla-html:FALSE url:http://Royer.com/People/Doug version:2.1 email;internet:doug@home.royer.com adr;quoted-printable:;;801 Woodside Rd. #14=0D=0ASuite 244;Redwood City;CA;94061;USA x-mozilla-cpt:;0 fn:Doug Royer end:vcard --------------37C9DFF6386FCE28DBB395CB-- --------------msBB6F460385A37E01AC0BB6BB Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature Content-Transfer-Encoding: base64 MIIKpAYJKoZIhvcNAQcCoIIKlTCCCpECAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC CDAwggT6MIIEY6ADAgECAhAV9nEqnM8b86AlSm7V1bgJMA0GCSqGSIb3DQEBBAUAMIHMMRcw FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29y azFGMEQGA1UECxM9d3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L1JQQSBJbmNvcnAuIEJ5 IFJlZi4sTElBQi5MVEQoYyk5ODFIMEYGA1UEAxM/VmVyaVNpZ24gQ2xhc3MgMSBDQSBJbmRp dmlkdWFsIFN1YnNjcmliZXItUGVyc29uYSBOb3QgVmFsaWRhdGVkMB4XDTk5MTAyMDAwMDAw MFoXDTAwMTAxOTIzNTk1OVowggEVMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UE CxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazFGMEQGA1UECxM9d3d3LnZlcmlzaWduLmNvbS9y ZXBvc2l0b3J5L1JQQSBJbmNvcnAuIGJ5IFJlZi4sTElBQi5MVEQoYyk5ODEeMBwGA1UECxMV UGVyc29uYSBOb3QgVmFsaWRhdGVkMTMwMQYDVQQLEypEaWdpdGFsIElEIENsYXNzIDEgLSBO ZXRzY2FwZSBGdWxsIFNlcnZpY2UxGDAWBgNVBAMUD0RvdWdsYXMgTSBSb3llcjEiMCAGCSqG SIb3DQEJARYTZG91Z0Bob21lLnJveWVyLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC gYEAv2PIWJY1kuOozvEfoLqMAefggITPljietkurVEhTBQZU/c2q2c8qCQiIFZ2dP3H/MoEx bVVDmtXsyZrRINk1aWC4yo/dT/3tB3eD41F0KMIpBexD8zN9SfPxzkjaEl/7zD8F6ekERmCU 9irA0zAOF7msHNnxa/InBnZ5f95Y75kCAwEAAaOCAY8wggGLMAkGA1UdEwQCMAAwgawGA1Ud IASBpDCBoTCBngYLYIZIAYb4RQEHAQEwgY4wKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZl cmlzaWduLmNvbS9DUFMwYgYIKwYBBQUHAgIwVjAVFg5WZXJpU2lnbiwgSW5jLjADAgEBGj1W ZXJpU2lnbidzIENQUyBpbmNvcnAuIGJ5IHJlZmVyZW5jZSBsaWFiLiBsdGQuIChjKTk3IFZl cmlTaWduMBEGCWCGSAGG+EIBAQQEAwIHgDCBhgYKYIZIAYb4RQEGAwR4FnZkNDY1MmJkNjNm MjA0NzAyOTI5ODc2M2M5ZDJmMjc1MDY5YzczNTliZWQxYjA1OWRhNzViYzRiYzk3MDE3NDdk YTVkM2YyMTQxYmVhZGIyYmQyZTg5MjFmYTk2YmY1ZDcxMTQ5OWNhM2JlNDdmNWYzZWE0NTBj MDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL2NsYXNzMS5jcmww DQYJKoZIhvcNAQEEBQADgYEAWuXwK5FbAAU1urGBob5PPRQiCOUeWNQIkDr2F0WECiYnJfeG iawEVMS1PxsIe6BJ9MDxOvz0XyQhNsAXbv/hf0vhy398cd5ICKTpMMeyEEVX6IEVgXcpcyJf N7HKbfQZgRngT3uh/IXSObtFt+cC03VTG12Dic6EfyWihGAmeb0wggMuMIICl6ADAgECAhEA 0nYujRQMPX2yqCVdr+4NdTANBgkqhkiG9w0BAQIFADBfMQswCQYDVQQGEwJVUzEXMBUGA1UE ChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGljIFByaW1hcnkgQ2Vy dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTgwNTEyMDAwMDAwWhcNMDgwNTEyMjM1OTU5WjCB zDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5l dHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9yeS9SUEEgSW5jb3Jw LiBCeSBSZWYuLExJQUIuTFREKGMpOTgxSDBGBgNVBAMTP1ZlcmlTaWduIENsYXNzIDEgQ0Eg SW5kaXZpZHVhbCBTdWJzY3JpYmVyLVBlcnNvbmEgTm90IFZhbGlkYXRlZDCBnzANBgkqhkiG 9w0BAQEFAAOBjQAwgYkCgYEAu1pEigQWu1X9A3qKLZRPFXg2uA1Ksm+cVL+86HcqnbnwaLuV 2TFBcHqBS7lIE1YtxwjhhEKrwKKSq0RcqkLwgg4C6S/7wju7vsknCl22sDZCM7VuVIhPh0q/ Gdr5FegPh7Yc48zGmo5/aiSS4/zgZbqnsX7vyds3ashKyAkG5JkCAwEAAaN8MHowEQYJYIZI AYb4QgEBBAQDAgEGMEcGA1UdIARAMD4wPAYLYIZIAYb4RQEHAQEwLTArBggrBgEFBQcCARYf d3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L1JQQTAPBgNVHRMECDAGAQH/AgEAMAsGA1Ud DwQEAwIBBjANBgkqhkiG9w0BAQIFAAOBgQCIuDc73dqUNwCtqp/hgQFxHpJqbS/28Z3TymQ4 3BuYDAeGW4UVag+5SYWklfEXfWe0fy0s3ZpCnsM+tI6q5QsG3vJWKvozx74Z11NMw73I4xe1 pElCY+zCphcPXVgaSTyQXFWjZSAA/Rgg5V+CprGoksVYasGNAzzrw80FopCubjGCAjwwggI4 AgEBMIHhMIHMMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24g VHJ1c3QgTmV0d29yazFGMEQGA1UECxM9d3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L1JQ QSBJbmNvcnAuIEJ5IFJlZi4sTElBQi5MVEQoYyk5ODFIMEYGA1UEAxM/VmVyaVNpZ24gQ2xh c3MgMSBDQSBJbmRpdmlkdWFsIFN1YnNjcmliZXItUGVyc29uYSBOb3QgVmFsaWRhdGVkAhAV 9nEqnM8b86AlSm7V1bgJMAkGBSsOAwIaBQCggbEwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEH ATAcBgkqhkiG9w0BCQUxDxcNMDAwMTI4MDE1NDU2WjAjBgkqhkiG9w0BCQQxFgQUFV0dmcZP 8YwIC0JqN9I1ahgCzokwUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0DBzAOBggqhkiG9w0D AgICAIAwBwYFKw4DAgcwDQYIKoZIhvcNAwICAUAwDQYIKoZIhvcNAwICASgwDQYJKoZIhvcN AQEBBQAEgYAUU5Le89AR0cDgFouFbDx/7qIcYNUJ+fABuD+BzR083VuMIeRg697Wk/kIBoXI VgKdG6Y0jslOffWYoTaIvtDHMjLyWtt2J/by91ELL+1eIxHs74+ymMIJCmNQwaU2eHJ49G3U 0W7uGC2xC/9IMDZk1YzKXuff+In8UbLIqd4qfA== --------------msBB6F460385A37E01AC0BB6BB-- From owner-ietf-calendar@imc.org Thu Jan 27 23:16:06 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id XAA20446 for ; Thu, 27 Jan 2000 23:16:06 -0500 (EST) Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id TAA13249 for ietf-calendar-bks; Thu, 27 Jan 2000 19:35:01 -0800 (PST) Received: from mail.austin.rr.com (sm1.texas.rr.com [24.93.35.54]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id TAA13245 for ; Thu, 27 Jan 2000 19:35:00 -0800 (PST) Received: from carey ([24.28.82.14]) by mail.austin.rr.com with Microsoft SMTPSVC(5.5.1877.197.19); Thu, 27 Jan 2000 21:37:21 -0600 Reply-To: From: "Carey Jung" To: Subject: Reference icalendar server implementations Date: Thu, 27 Jan 2000 21:38:52 -0600 Message-ID: MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_005B_01BF690E.E766DD00" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Importance: Normal Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a multi-part message in MIME format. ------=_NextPart_000_005B_01BF690E.E766DD00 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Hi all, Please forgive a somewhat off-topic note from a lurker, but could somebody please fill me in on the current state of Internet-based calendar server implementations? Are there reference implementations out there, perhaps even open-source? I ask, because I know that MS Outlook has support for icalendar servers, but I've not found any such server products or implementations myself. thanks in advance, Carey Jung ---------------------------------------------------------------------------- ---- Carey Jung IT Freedom carey@itfreedom.com 512.502.1171, fax 349.2165 ------=_NextPart_000_005B_01BF690E.E766DD00 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable

carey@itfreedom.com

512.502.1171, fax = 349.2165

------=_NextPart_000_005B_01BF690E.E766DD00-- From owner-ietf-calendar@imc.org Fri Jan 28 01:48:56 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id BAA24643 for ; Fri, 28 Jan 2000 01:48:55 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id WAA23043 for ietf-calendar-bks; Thu, 27 Jan 2000 22:21:45 -0800 (PST) Received: from pivsbh1.ms.com (pivsbh1.ms.com [199.89.64.103]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id WAA23037 for ; Thu, 27 Jan 2000 22:21:43 -0800 (PST) Received: (from uucp@localhost) by pivsbh1.ms.com (8.9.3/fw v1.30) id BAA01924; Fri, 28 Jan 2000 01:23:37 -0500 (EST) Received: from localhost(127.0.0.1) by pivsbh1 via smap (4.1) id sma.9490406121.001094; Fri, 28 Jan 00 01:23:32 -0500 Received: by pivsbh1.ms.com (8.9.3/8.9.3(vs)) id BAA01088; Fri, 28 Jan 2000 01:23:32 -0500 (EST) X-Authentication-Warning: pivsbh1.ms.com: Processed from queue /var/spool/mqueue-vs X-Authentication-Warning: pivsbh1.ms.com: Processed by uucp with -C /etc/mail/sendmail.vs.cf X-Interface: IDMZ Received: from sasmh4.ms.com(144.14.193.5) by pivsbh1 via smap (4.1) id sma.9490406061.000971; Fri, 28 Jan 00 01:23:26 -0500 Received: from msdw.com (hqdsl26.morgan.com [205.228.1.26]) by sasmh4.ms.com (8.8.5/imap+ldap v2.4) with ESMTP id BAA17263; Fri, 28 Jan 2000 01:23:26 -0500 (EST) Message-ID: <389135DF.EA6240CC@msdw.com> Date: Fri, 28 Jan 2000 01:23:27 -0500 From: David Madeo Reply-To: David.Madeo@msdw.com Organization: Morgan Stanley Dean Witter & Co. X-Mailer: Mozilla 4.51 [en]C-CCK-MCD (WinNT; U) X-Accept-Language: en,ja MIME-Version: 1.0 To: "Paul B. Hill" CC: ietf-calendar@imc.org Subject: Re: further suggestion for section 2.4.2.1 References: <4.2.0.58.20000127121344.01a48e90@po12.mit.edu> Content-Type: multipart/mixed; boundary="------------6DEC372A6327FB86DD572898" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a multi-part message in MIME format. --------------6DEC372A6327FB86DD572898 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit > Subsequent to the initial Anonymous Authentication with a CS, a CUA will > have to provide a UPN for some CAP operations. For anonymous access the UPN > that MUST be used by the CUA is "@", a UPN with a null username and null > realm. A UPN with a null username, but non-null realm, such as > "@example.com" may be used to mean any identity from that realm, which is > useful to grant access rights to all users in a given realm. A UPN with a > non-null username and null realm, such as "bob@" could MUST not be used. Minor nit. Remove "could" from the previous sentance. Or insert the rest of it eg: "could be a security issue and MUST" A more serious point is that I believe it's inappropriate to describe "@example.com" in the "anonymous" section. "@example.com" is not anonymous access. It's "any authenticated user in example.com". An anonymous UPN is "@". Unless you actually authenticate the user, it's not possible for the server to determine if the user really is from "@example.com". dmadeo --------------6DEC372A6327FB86DD572898 Content-Type: text/x-vcard; charset=us-ascii; name="David.Madeo.vcf" Content-Description: Card for David Madeo Content-Disposition: attachment; filename="David.Madeo.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Madeo;David tel;fax:212-762-1009 tel;work:212-762-2348 x-mozilla-html:FALSE url:www.ms.com org:Morgan Stanley Dean Witter and Discover;Information Technology version:2.1 email;internet:dmadeo@ms.com adr;quoted-printable:;;750 Seventh Ave=0D=0A;NY;NY;10019;USA x-mozilla-cpt:;0 fn:David Madeo end:vcard --------------6DEC372A6327FB86DD572898-- From owner-ietf-calendar@imc.org Fri Jan 28 02:07:28 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA02363 for ; Fri, 28 Jan 2000 02:07:27 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id WAA24864 for ietf-calendar-bks; Thu, 27 Jan 2000 22:36:44 -0800 (PST) Received: from hqvsbh1.ms.com (hqvsbh1.ms.com [205.228.12.103]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id WAA24858 for ; Thu, 27 Jan 2000 22:36:42 -0800 (PST) Received: (from uucp@localhost) by hqvsbh1.ms.com (8.9.3/fw v1.30) id BAA20682 for ; Fri, 28 Jan 2000 01:38:36 -0500 (EST) Received: from localhost(127.0.0.1) by hqvsbh1 via smap (4.1) id sma.9490414901.019261; Fri, 28 Jan 00 01:38:10 -0500 Received: by hqvsbh1.ms.com (8.9.3/8.9.3(vs)) id BAA19239 for ; Fri, 28 Jan 2000 01:38:10 -0500 (EST) X-Authentication-Warning: hqvsbh1.ms.com: Processed from queue /var/spool/mqueue-vs X-Authentication-Warning: hqvsbh1.ms.com: Processed by uucp with -C /etc/mail/sendmail.vs.cf X-Interface: IDMZ Received: from sasmh4.ms.com(144.14.193.5) by hqvsbh1 via smap (4.1) id sma.9490414801.018324; Fri, 28 Jan 00 01:38:00 -0500 Received: from msdw.com (hqdsl26.morgan.com [205.228.1.26]) by sasmh4.ms.com (8.8.5/imap+ldap v2.4) with ESMTP id BAA19055 for ; Fri, 28 Jan 2000 01:38:00 -0500 (EST) Message-ID: <38913948.B9E39FF5@msdw.com> Date: Fri, 28 Jan 2000 01:38:00 -0500 From: David Madeo Reply-To: David.Madeo@msdw.com Organization: Morgan Stanley Dean Witter & Co. X-Mailer: Mozilla 4.51 [en]C-CCK-MCD (WinNT; U) X-Accept-Language: en,ja MIME-Version: 1.0 To: ietf-calendar@imc.org Subject: Thanks for hosting us. Content-Type: multipart/mixed; boundary="------------150C423A20BAFD6165C19787" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a multi-part message in MIME format. --------------150C423A20BAFD6165C19787 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit I think it's appropriate to thank Paul and Bob from MIT for hosting this climatically challenged session. As predicted, it was cold, but I don't think anyone expected the amount of snow that Frank was buried under down in NC. In any case, it was productive for those who attended (Paul, Bob, Rich Shusterman, Mike Ciavarini and I) as evidenced by the recent traffic on the list. Please help to continue this burst of activity by actively asking questions, suggesting solutions, and most importantly, submitting proposed text. As someone reminded us during our visit, the final product is the document, not the conversations leading to it. Thanks, dmadeo --------------150C423A20BAFD6165C19787 Content-Type: text/x-vcard; charset=us-ascii; name="David.Madeo.vcf" Content-Description: Card for David Madeo Content-Disposition: attachment; filename="David.Madeo.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Madeo;David tel;fax:212-762-1009 tel;work:212-762-2348 x-mozilla-html:FALSE url:www.ms.com org:Morgan Stanley Dean Witter and Discover;Information Technology version:2.1 email;internet:dmadeo@ms.com adr;quoted-printable:;;750 Seventh Ave=0D=0A;NY;NY;10019;USA x-mozilla-cpt:;0 fn:David Madeo end:vcard --------------150C423A20BAFD6165C19787-- From owner-ietf-calendar@imc.org Fri Jan 28 02:17:44 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA03241 for ; Fri, 28 Jan 2000 02:17:43 -0500 (EST) Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id WAA26364 for ietf-calendar-bks; Thu, 27 Jan 2000 22:53:12 -0800 (PST) Received: from pivsbh1.ms.com (pivsbh1.ms.com [199.89.64.103]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id WAA26357 for ; Thu, 27 Jan 2000 22:53:10 -0800 (PST) Received: (from uucp@localhost) by pivsbh1.ms.com (8.9.3/fw v1.30) id BAA25012 for ; Fri, 28 Jan 2000 01:55:04 -0500 (EST) Received: from localhost(127.0.0.1) by pivsbh1 via smap (4.1) id sma.9490424871.024372; Fri, 28 Jan 00 01:54:47 -0500 Received: by pivsbh1.ms.com (8.9.3/8.9.3(vs)) id BAA24362 for ; Fri, 28 Jan 2000 01:54:47 -0500 (EST) X-Authentication-Warning: pivsbh1.ms.com: Processed from queue /var/spool/mqueue-vs X-Authentication-Warning: pivsbh1.ms.com: Processed by uucp with -C /etc/mail/sendmail.vs.cf X-Interface: IDMZ Received: from sasmh4.ms.com(144.14.193.5) by pivsbh1 via smap (4.1) id sma.9490424791.023876; Fri, 28 Jan 00 01:54:39 -0500 Received: from msdw.com (hqdsl26.morgan.com [205.228.1.26]) by sasmh4.ms.com (8.8.5/imap+ldap v2.4) with ESMTP id BAA20803 for ; Fri, 28 Jan 2000 01:54:38 -0500 (EST) Message-ID: <38913D2E.B17C2C04@msdw.com> Date: Fri, 28 Jan 2000 01:54:38 -0500 From: David Madeo Reply-To: David.Madeo@msdw.com Organization: Morgan Stanley Dean Witter & Co. X-Mailer: Mozilla 4.51 [en]C-CCK-MCD (WinNT; U) X-Accept-Language: en,ja MIME-Version: 1.0 To: ietf-calendar@imc.org Subject: Re: ACTONBEHALFOF (was: revised security section) References: <4.2.0.58.20000127105755.06ec4130@po12.mit.edu> <3890A496.89ACBD02@home.royer.com> Content-Type: multipart/mixed; boundary="------------47A0B48129BF7BF7FDC4C5C8" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a multi-part message in MIME format. --------------47A0B48129BF7BF7FDC4C5C8 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Doug Royer wrote: > > - ACTONBEHALFOF - Specifies rights for any CAP function taken on PUBLIC or > > PRIVATE calendar components. However, no CAP function can be taken on > > CONFIDENTIAL classified calendar components. > > This has been a request from day one. What 'exactly' is it? > > Does this mean I can book using your name, with STATUS=CONFIRMED? > Does this mean I can book using your name , with STATUS=NEEDSACTION? > Both? Nether? > Does this mean I can REPLY for you? > Does this mean I can do anything except REPLY for you? > Does this mean I can ONLY REPLY for you and ONLY update STATUS and nothing else? > > Does this mean I can REQUEST using your name, and update your calendar? > Does this mean I can REQUEST using your name, except I can not update your > calendar? > > Does it mean I can alter your CAP calendar properties? > Does it mean I can do anything except alter your CAP calendar properties? The general problem we're trying to solve here is how do I let my secretary or P/A modify my calendar. One way is to grant permissions such as above. Another is to authenticate via SASL as yourself, but then ask for the UPN of your principal (eg: the boss). If the SASL server is configured properly, you may be allowed use that UPN even though it's not your "own". Each side has it's merits. In the first case, we have to go through and figure out what is meant, however we can be precise. In the second case, as far as the CS is concerned, the boss just logged in and can do whatever they'd like, subject to the BOSS's VCAR's. There's no way to tell which were created by the secretary and which by the owner. For the first case, where we need to make some choices, my experience is that most principals who have secretaries handling their schedules trust them completely at least as far as their calendar is concerned. If they don't, there's no way the principals let them manage their calendar. I'd vote for "can do anything except alter your CAP calendar properties. I'm not too concerned if "CONFIDENTAL" events were outside the purview of the PA or not. dmadeo --------------47A0B48129BF7BF7FDC4C5C8 Content-Type: text/x-vcard; charset=us-ascii; name="David.Madeo.vcf" Content-Description: Card for David Madeo Content-Disposition: attachment; filename="David.Madeo.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Madeo;David tel;fax:212-762-1009 tel;work:212-762-2348 x-mozilla-html:FALSE url:www.ms.com org:Morgan Stanley Dean Witter and Discover;Information Technology version:2.1 email;internet:dmadeo@ms.com adr;quoted-printable:;;750 Seventh Ave=0D=0A;NY;NY;10019;USA x-mozilla-cpt:;0 fn:David Madeo end:vcard --------------47A0B48129BF7BF7FDC4C5C8-- From owner-ietf-calendar@imc.org Fri Jan 28 02:33:16 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA04045 for ; Fri, 28 Jan 2000 02:33:15 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id XAA28294 for ietf-calendar-bks; Thu, 27 Jan 2000 23:08:03 -0800 (PST) Received: from hqvsbh1.ms.com (hqvsbh1.ms.com [205.228.12.103]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id XAA28287 for ; Thu, 27 Jan 2000 23:08:01 -0800 (PST) Received: (from uucp@localhost) by hqvsbh1.ms.com (8.9.3/fw v1.30) id CAA24026; Fri, 28 Jan 2000 02:09:54 -0500 (EST) Received: from localhost(127.0.0.1) by hqvsbh1 via smap (4.1) id sma.9490433801.023659; Fri, 28 Jan 00 02:09:40 -0500 Received: by hqvsbh1.ms.com (8.9.3/8.9.3(vs)) id CAA23651; Fri, 28 Jan 2000 02:09:39 -0500 (EST) X-Authentication-Warning: hqvsbh1.ms.com: Processed from queue /var/spool/mqueue-vs X-Authentication-Warning: hqvsbh1.ms.com: Processed by uucp with -C /etc/mail/sendmail.vs.cf X-Interface: IDMZ Received: from sasmh4.ms.com(144.14.193.5) by hqvsbh1 via smap (4.1) id sma.9490433661.023205; Fri, 28 Jan 00 02:09:26 -0500 Received: from msdw.com (hqdsl26.morgan.com [205.228.1.26]) by sasmh4.ms.com (8.8.5/imap+ldap v2.4) with ESMTP id CAA22756; Fri, 28 Jan 2000 02:09:26 -0500 (EST) Message-ID: <389140A5.DD45BAEC@msdw.com> Date: Fri, 28 Jan 2000 02:09:25 -0500 From: David Madeo Reply-To: David.Madeo@msdw.com Organization: Morgan Stanley Dean Witter & Co. X-Mailer: Mozilla 4.51 [en]C-CCK-MCD (WinNT; U) X-Accept-Language: en,ja MIME-Version: 1.0 To: "Paul B. Hill" CC: Frank_Dawson@lotus.com, ietf-calendar@imc.org Subject: Re: forced VCAR (was: revised security section) References: <4.2.0.58.20000127153336.01ab19d0@po12.mit.edu> Content-Type: multipart/mixed; boundary="------------6F351C42A7486A781F94E265" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a multi-part message in MIME format. --------------6F351C42A7486A781F94E265 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit "Paul B. Hill" wrote: > At 02:12 PM 1/27/2000 -0500, Frank_Dawson@lotus.com wrote: > > >Is this a CS overriding the request CAR specified by a CUA with it's own > >default CAR? > > > >If so, I assume that an exception would also be returned to the requesting > >CUA by the CS. > > > >-- Frank > > Yes. Richard accused me of asking for the world yesterday, but I'd like to clarify what I was thinking when I proposed this. Assuming Doug can go through and get rid of policies and replace them with "VCAR scenarios often encountered in the real world", I'd like to see the "forced VCAR" be a mandatory addition to every calendars set of VCAR's. Users should be able to (subject to implementation configuration) create additional VCARs that complement but do not remove or override the forced VCAR's. This does not raise the inheritance issue Rich was concerned. The VCAR is stored with the calendar just like everything else. The server just knows that that particular VCAR can't be changed by the end user. --------------6F351C42A7486A781F94E265 Content-Type: text/x-vcard; charset=us-ascii; name="David.Madeo.vcf" Content-Description: Card for David Madeo Content-Disposition: attachment; filename="David.Madeo.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Madeo;David tel;fax:212-762-1009 tel;work:212-762-2348 x-mozilla-html:FALSE url:www.ms.com org:Morgan Stanley Dean Witter and Discover;Information Technology version:2.1 email;internet:dmadeo@ms.com adr;quoted-printable:;;750 Seventh Ave=0D=0A;NY;NY;10019;USA x-mozilla-cpt:;0 fn:David Madeo end:vcard --------------6F351C42A7486A781F94E265-- From owner-ietf-calendar@imc.org Fri Jan 28 04:37:58 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA04833 for ; Fri, 28 Jan 2000 04:37:56 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id BAA09922 for ietf-calendar-bks; Fri, 28 Jan 2000 01:20:09 -0800 (PST) Received: from mumrik.nada.kth.se (mumrik.nada.kth.se [130.237.226.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id BAA09916 for ; Fri, 28 Jan 2000 01:20:07 -0800 (PST) Received: from localhost (d92-pla@localhost) by mumrik.nada.kth.se (8.8.7/8.8.7) with ESMTP id KAA03997 for ; Fri, 28 Jan 2000 10:21:56 +0100 (MET) Date: Fri, 28 Jan 2000 10:21:56 +0100 (MET) From: =?ISO-8859-1?Q?P=E4r_Lanner=F6?= To: ietf-calendar@imc.org Subject: Re: Reference icalendar server implementations In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-1 Content-Transfer-Encoding: 8BIT Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: Content-Transfer-Encoding: 8BIT On Thu, 27 Jan 2000, Carey Jung wrote: > Please forgive a somewhat off-topic note from a lurker, but could somebody > please fill me in on the current state of Internet-based calendar server > implementations? Are there reference implementations out there, perhaps > even open-source? I ask, because I know that MS Outlook has support for > icalendar servers, but I've not found any such server products or > implementations myself. There are at least two open source implementations that I know of: * WhenWare Tempus server available at http://www.whenware.com/html/downloads.html * Libical iCalendar library available at http://www.softwarestudio.org/libical/ Are there other similar projects out there? /P�r -P�r-Lanner�---------------------------------------------------------- mailto:par.lannero@metamatrix.se jobb:+46(0)8337785 http://www.metamatrix.se/ hem:+46(0)853039951 icq:306436 gsm:+46(0)708/826888 ---------------------------------------------------------------------- - implementing SKiCal compliant software From owner-ietf-calendar@imc.org Fri Jan 28 11:30:01 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA17824 for ; Fri, 28 Jan 2000 11:29:54 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id IAA06996 for ietf-calendar-bks; Fri, 28 Jan 2000 08:04:45 -0800 (PST) Received: from home.royer.com (adsl-63-195-80-50.dsl.snfc21.pacbell.net [63.195.80.50]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA06992 for ; Fri, 28 Jan 2000 08:04:44 -0800 (PST) Received: from home.royer.com (home.royer.com [192.168.168.10]) by home.royer.com (8.9.1/8.9.1) with ESMTP id IAA21061 for ; Fri, 28 Jan 2000 08:06:39 -0800 (PST) Message-ID: <3891BE8E.D365DC28@home.royer.com> Date: Fri, 28 Jan 2000 08:06:38 -0800 From: Doug Royer Reply-To: ietf-calendar@imc.org X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.6 sun4m) X-Accept-Language: en MIME-Version: 1.0 To: ietf-calendar@imc.org Subject: Re: further suggestion for section 2.4.2.1 References: <4.2.0.58.20000127121344.01a48e90@po12.mit.edu> <389135DF.EA6240CC@msdw.com> Content-Type: multipart/mixed; boundary="------------F76D3D9EEB4E1BE8655269DB" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a multi-part message in MIME format. --------------F76D3D9EEB4E1BE8655269DB Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit David Madeo wrote: > "@example.com" is not anonymous access. It's "any authenticated user in > example.com". An anonymous UPN is "@". Unless you actually authenticate the > user, it's not possible for the server to determine if the user really is from > "@example.com". I did not get that from the email. I understood it to mean any user that happens to come from example.com. PLEASE clarify! It is possible to determine which host (or IP address) a connection is from as soon as the connection is made - prior to any data transfers. So I think the text needs to be clarified; does it mean that any user from example.com is allowed as anonymous. Or does it mean any already known user (non-anonymous) is allowed as long as they can authenticate? -Doug --------------F76D3D9EEB4E1BE8655269DB Content-Type: text/x-vcard; charset=us-ascii; name="doug.vcf" Content-Description: Card for Doug Royer Content-Disposition: attachment; filename="doug.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Royer;Doug tel;pager:650-274-8960 or pager@Royer.com tel;cell:650-274-8960 tel;home:650-274-8960 tel;work:805-957-1790 x541 x-mozilla-html:FALSE url:http://Royer.com/People/Doug version:2.1 email;internet:doug@home.royer.com adr;quoted-printable:;;801 Woodside Rd. #14=0D=0ASuite 244;Redwood City;CA;94061;USA x-mozilla-cpt:;0 fn:Doug Royer end:vcard --------------F76D3D9EEB4E1BE8655269DB-- From owner-ietf-calendar@imc.org Fri Jan 28 11:31:30 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA17922 for ; Fri, 28 Jan 2000 11:31:24 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id IAA07152 for ietf-calendar-bks; Fri, 28 Jan 2000 08:09:12 -0800 (PST) Received: from home.royer.com (adsl-63-195-80-50.dsl.snfc21.pacbell.net [63.195.80.50]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA07148 for ; Fri, 28 Jan 2000 08:09:11 -0800 (PST) Received: from home.royer.com (home.royer.com [192.168.168.10]) by home.royer.com (8.9.1/8.9.1) with ESMTP id IAA21071 for ; Fri, 28 Jan 2000 08:11:07 -0800 (PST) Message-ID: <3891BF9A.B12247AB@home.royer.com> Date: Fri, 28 Jan 2000 08:11:06 -0800 From: Doug Royer Reply-To: ietf-calendar@imc.org X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.6 sun4m) X-Accept-Language: en MIME-Version: 1.0 To: ietf-calendar@imc.org Subject: Re: ACTONBEHALFOF (was: revised security section) References: <4.2.0.58.20000127105755.06ec4130@po12.mit.edu> <3890A496.89ACBD02@home.royer.com> <38913D2E.B17C2C04@msdw.com> Content-Type: multipart/mixed; boundary="------------47BE10E93C64E6C310749FC5" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a multi-part message in MIME format. --------------47BE10E93C64E6C310749FC5 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit David Madeo wrote: > > Doug Royer wrote: > > > > - ACTONBEHALFOF - Specifies rights for any CAP function taken on PUBLIC or > > > PRIVATE calendar components. However, no CAP function can be taken on > > > CONFIDENTIAL classified calendar components. > > > > This has been a request from day one. What 'exactly' is it? > > > > Does this mean I can book using your name, with STATUS=CONFIRMED? > > Does this mean I can book using your name , with STATUS=NEEDSACTION? > > Both? Nether? > > > Does this mean I can REPLY for you? > > > Does this mean I can do anything except REPLY for you? > > Does this mean I can ONLY REPLY for you and ONLY update STATUS and nothing else? > > > > Does this mean I can REQUEST using your name, and update your calendar? > > Does this mean I can REQUEST using your name, except I can not update your > > calendar? > > > > Does it mean I can alter your CAP calendar properties? > > Does it mean I can do anything except alter your CAP calendar properties? > > The general problem we're trying to solve here is how do I let my secretary or P/A > modify my calendar. One way is to grant permissions such as above. Another is to > authenticate via SASL as yourself, but then ask for the UPN of your principal (eg: > the boss). If the SASL server is configured properly, you may be allowed use that > UPN even though it's not your "own". Thanks. Lets hope the group can come to the same agreement. > Each side has it's merits. In the first case, we have to go through and figure out > what is meant, however we can be precise. In the second case, as far as the CS is > concerned, the boss just logged in and can do whatever they'd like, subject to the > BOSS's VCAR's. There's no way to tell which were created by the secretary and which > by the owner. The SENT-BY paramater in the ORGANIZER property would be set to the person that created the component, if not the ORGANIZER. And I guess that means we must allow for a UPN in the SENT-BY paramater. Which meanst that section 4.2.18 must be updated in iCalendar. --------------47BE10E93C64E6C310749FC5 Content-Type: text/x-vcard; charset=us-ascii; name="doug.vcf" Content-Description: Card for Doug Royer Content-Disposition: attachment; filename="doug.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Royer;Doug tel;pager:650-274-8960 or pager@Royer.com tel;cell:650-274-8960 tel;home:650-274-8960 tel;work:805-957-1790 x541 x-mozilla-html:FALSE url:http://Royer.com/People/Doug version:2.1 email;internet:doug@home.royer.com adr;quoted-printable:;;801 Woodside Rd. #14=0D=0ASuite 244;Redwood City;CA;94061;USA x-mozilla-cpt:;0 fn:Doug Royer end:vcard --------------47BE10E93C64E6C310749FC5-- From owner-ietf-calendar@imc.org Fri Jan 28 11:54:52 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA18834 for ; Fri, 28 Jan 2000 11:54:47 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id IAA07867 for ietf-calendar-bks; Fri, 28 Jan 2000 08:33:39 -0800 (PST) Received: from home.royer.com (adsl-63-195-80-50.dsl.snfc21.pacbell.net [63.195.80.50]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA07863 for ; Fri, 28 Jan 2000 08:33:37 -0800 (PST) Received: from home.royer.com (home.royer.com [192.168.168.10]) by home.royer.com (8.9.1/8.9.1) with ESMTP id IAA21088 for ; Fri, 28 Jan 2000 08:35:33 -0800 (PST) Message-ID: <3891C554.55634BD5@home.royer.com> Date: Fri, 28 Jan 2000 08:35:32 -0800 From: Doug Royer Reply-To: ietf-calendar@imc.org X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.6 sun4m) X-Accept-Language: en MIME-Version: 1.0 To: ietf-calendar@imc.org Subject: Re: forced VCAR (was: revised security section) References: <4.2.0.58.20000127153336.01ab19d0@po12.mit.edu> <389140A5.DD45BAEC@msdw.com> Content-Type: multipart/mixed; boundary="------------6E3C3D2C8A604A28786A4DE8" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a multi-part message in MIME format. --------------6E3C3D2C8A604A28786A4DE8 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit > This does not raise the inheritance issue Rich was concerned. The VCAR is > stored with the calendar just like everything else. The server just knows that > that particular VCAR can't be changed by the end user. How about a new optional property 'ACCESS': x.y.z ACCESS Property Name: ACCESS Purpose: Specifies if the component it is contained within is modifiable by any CUA. Format Definition: The property is defined by the following notation: accessparam = "ACCESS" ":" ( "READ-ONLY" / "READ-WRITE" ) Description: This property can be specified within a component. The parameter specifies if the property can be modified by a CUA. This property does not effect any non CUA vendor specific administrative tool from modifying the values in the component. If not specified in the component the component is READ-WRITE assuming the authenticated UPN has component MODIFY or DELETE access. Example. A rule to give full access to all localdomain users: BEGIN:VCAR CARID:access-1-ex ACCESS:READ-ONLY GRANT:UPN=@localdomain.com;ACTION=ALL;OBJECT=ALL END:VCAR (The example assumes that @domain means any authenticated user at domain. And not any local domain user as anonymous). -Doug --------------6E3C3D2C8A604A28786A4DE8 Content-Type: text/x-vcard; charset=us-ascii; name="doug.vcf" Content-Description: Card for Doug Royer Content-Disposition: attachment; filename="doug.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Royer;Doug tel;pager:650-274-8960 or pager@Royer.com tel;cell:650-274-8960 tel;home:650-274-8960 tel;work:805-957-1790 x541 x-mozilla-html:FALSE url:http://Royer.com/People/Doug version:2.1 email;internet:doug@home.royer.com adr;quoted-printable:;;801 Woodside Rd. #14=0D=0ASuite 244;Redwood City;CA;94061;USA x-mozilla-cpt:;0 fn:Doug Royer end:vcard --------------6E3C3D2C8A604A28786A4DE8-- From owner-ietf-calendar@imc.org Fri Jan 28 12:09:49 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA19540 for ; Fri, 28 Jan 2000 12:09:48 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id IAA08255 for ietf-calendar-bks; Fri, 28 Jan 2000 08:48:33 -0800 (PST) Received: from hqvsbh1.ms.com (hqvsbh1.ms.com [205.228.12.103]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA08251 for ; Fri, 28 Jan 2000 08:48:31 -0800 (PST) Received: (from uucp@localhost) by hqvsbh1.ms.com (8.9.3/fw v1.30) id LAA16516 for ; Fri, 28 Jan 2000 11:50:26 -0500 (EST) Received: from localhost(127.0.0.1) by hqvsbh1 via smap (4.1) id sma.9490781721.011166; Fri, 28 Jan 00 11:49:32 -0500 Received: by hqvsbh1.ms.com (8.9.3/8.9.3(vs)) id LAA11145 for ; Fri, 28 Jan 2000 11:49:32 -0500 (EST) X-Authentication-Warning: hqvsbh1.ms.com: Processed from queue /var/spool/mqueue-vs X-Authentication-Warning: hqvsbh1.ms.com: Processed by uucp with -C /etc/mail/sendmail.vs.cf X-Interface: IDMZ Received: from sasmh4.ms.com(144.14.193.5) by hqvsbh1 via smap (4.1) id sma.9490781531.008969; Fri, 28 Jan 00 11:49:13 -0500 Received: from msdw.com (vector.morgan.com [144.14.16.149]) by sasmh4.ms.com (8.8.5/imap+ldap v2.4) with ESMTP id LAA25414 for ; Fri, 28 Jan 2000 11:49:13 -0500 (EST) Message-ID: <3891C889.6DBFD3BB@msdw.com> Date: Fri, 28 Jan 2000 11:49:13 -0500 From: David Madeo Reply-To: David.Madeo@msdw.com Organization: Morgan Stanley Dean Witter & Co. X-Mailer: Mozilla 4.7C-CCK-MCD [en] (X11; U; SunOS 5.5.1 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-calendar@imc.org Subject: Re: further suggestion for section 2.4.2.1 References: <4.2.0.58.20000127121344.01a48e90@po12.mit.edu> <389135DF.EA6240CC@msdw.com> <3891BE8E.D365DC28@home.royer.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: Content-Transfer-Encoding: 7bit Doug Royer wrote: > > David Madeo wrote: > > > "@example.com" is not anonymous access. It's "any authenticated user in > > example.com". An anonymous UPN is "@". Unless you actually authenticate the > > user, it's not possible for the server to determine if the user really is from > > "@example.com". > > I did not get that from the email. I understood it to mean any user > that happens to come from example.com. PLEASE clarify! My understanding was that we depend on the UPN provided by the authentication method negotiated via SASL. The UPN is supposed to be an rfc822 compliant name (eg: dmadeo@example.com). A VCAR which has "@example.com" means allow any authenticated user who's UPN matches the regexp /^(.*)\@example.com$/ An anonymous login who's UPN is "@" doesn't match that. I can potentially authenticate as dmadeo@example.com, regardless of my ip address. The server will need to check each UPN against the VCARs for a calendar. UPN -> "dmadeo@example.com" VCAR dmadeo@example.com -> matches VCAR foobar@example.com -> doesn't match VCAR @example.com -> matches VCAR @ -> matches UPN -> "@" VCAR dmadeo@example.com -> doesn't match VCAR foobar@example.com -> doesn't match VCAR @example.com -> doesn't match VCAR @ -> matches Do you want to force the server to keep two upn's for each user, one based on the authentication and one based on the domain name of the ip address connecting to the server? I suspect that's a can of worms you really don't want to open. If you authenticate as anonymous, your UPN should be "@", not "@example.com". Paul's text about the "trace" text associated with anonymous login applies here. dmadeo > It is possible to determine which host (or IP address) a connection > is from as soon as the connection is made - prior to any data transfers. > > So I think the text needs to be clarified; does it mean that any user > from example.com is allowed as anonymous. Or does it mean any already known > user (non-anonymous) is allowed as long as they can authenticate? From owner-ietf-calendar@imc.org Fri Jan 28 12:15:27 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA19748 for ; Fri, 28 Jan 2000 12:15:24 -0500 (EST) Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id IAA08304 for ietf-calendar-bks; Fri, 28 Jan 2000 08:51:39 -0800 (PST) Received: from pivsbh1.ms.com (pivsbh1.ms.com [199.89.64.103]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA08300 for ; Fri, 28 Jan 2000 08:51:37 -0800 (PST) Received: (from uucp@localhost) by pivsbh1.ms.com (8.9.3/fw v1.30) id LAA23737 for ; Fri, 28 Jan 2000 11:53:33 -0500 (EST) Received: from localhost(127.0.0.1) by pivsbh1 via smap (4.1) id sma.9490784041.023043; Fri, 28 Jan 00 11:53:24 -0500 Received: by pivsbh1.ms.com (8.9.3/8.9.3(vs)) id LAA23042 for ; Fri, 28 Jan 2000 11:53:24 -0500 (EST) X-Authentication-Warning: pivsbh1.ms.com: Processed from queue /var/spool/mqueue-vs X-Authentication-Warning: pivsbh1.ms.com: Processed by uucp with -C /etc/mail/sendmail.vs.cf X-Interface: IDMZ Received: from sasmh4.ms.com(144.14.193.5) by pivsbh1 via smap (4.1) id sma.9490783891.021768; Fri, 28 Jan 00 11:53:09 -0500 Received: from msdw.com (vector.morgan.com [144.14.16.149]) by sasmh4.ms.com (8.8.5/imap+ldap v2.4) with ESMTP id LAA26885 for ; Fri, 28 Jan 2000 11:53:09 -0500 (EST) Message-ID: <3891C974.EFE25ED5@msdw.com> Date: Fri, 28 Jan 2000 11:53:08 -0500 From: David Madeo Reply-To: David.Madeo@msdw.com Organization: Morgan Stanley Dean Witter & Co. X-Mailer: Mozilla 4.7C-CCK-MCD [en] (X11; U; SunOS 5.5.1 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-calendar@imc.org Subject: Re: ACTONBEHALFOF (was: revised security section) References: <4.2.0.58.20000127105755.06ec4130@po12.mit.edu> <3890A496.89ACBD02@home.royer.com> <38913D2E.B17C2C04@msdw.com> <3891BF9A.B12247AB@home.royer.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: Content-Transfer-Encoding: 7bit Doug Royer wrote: > > David Madeo wrote: > > > > Doug Royer wrote: > > > > > > - ACTONBEHALFOF - Specifies rights for any CAP function taken on PUBLIC or > > > > PRIVATE calendar components. However, no CAP function can be taken on > > > > CONFIDENTIAL classified calendar components. > > > > > > This has been a request from day one. What 'exactly' is it? > > > > > > Does this mean I can book using your name, with STATUS=CONFIRMED? > > > Does this mean I can book using your name , with STATUS=NEEDSACTION? > > > Both? Nether? > > > > > Does this mean I can REPLY for you? > > > > > Does this mean I can do anything except REPLY for you? > > > Does this mean I can ONLY REPLY for you and ONLY update STATUS and nothing else? > > > > > > Does this mean I can REQUEST using your name, and update your calendar? > > > Does this mean I can REQUEST using your name, except I can not update your > > > calendar? > > > > > > Does it mean I can alter your CAP calendar properties? > > > Does it mean I can do anything except alter your CAP calendar properties? > > > > The general problem we're trying to solve here is how do I let my secretary or P/A > > modify my calendar. One way is to grant permissions such as above. Another is to > > authenticate via SASL as yourself, but then ask for the UPN of your principal (eg: > > the boss). If the SASL server is configured properly, you may be allowed use that > > UPN even though it's not your "own". > > Thanks. Lets hope the group can come to the same agreement. I suspect both methods will be used to provide "secretary" access. > > Each side has it's merits. In the first case, we have to go through and figure out > > what is meant, however we can be precise. In the second case, as far as the CS is > > concerned, the boss just logged in and can do whatever they'd like, subject to the > > BOSS's VCAR's. There's no way to tell which were created by the secretary and which > > by the owner. > > The SENT-BY paramater in the ORGANIZER property would be set to the person > that created the component, if not the ORGANIZER. > > And I guess that means we must allow for a UPN in the SENT-BY paramater. > Which meanst that section 4.2.18 must be updated in iCalendar. Remember that in the second method where SASL is used, the server "sees" the principals UPN, not the secretary's. There's no way the server can distinguish between them. What you refer to will be the case if we use VCAR's to grant this access. dmadeo From owner-ietf-calendar@imc.org Fri Jan 28 12:44:13 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA21090 for ; Fri, 28 Jan 2000 12:44:12 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id JAA08775 for ietf-calendar-bks; Fri, 28 Jan 2000 09:24:57 -0800 (PST) Received: from home.royer.com (adsl-63-195-80-50.dsl.snfc21.pacbell.net [63.195.80.50]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA08770 for ; Fri, 28 Jan 2000 09:24:56 -0800 (PST) Received: from home.royer.com (home.royer.com [192.168.168.10]) by home.royer.com (8.9.1/8.9.1) with ESMTP id JAA21143 for ; Fri, 28 Jan 2000 09:26:51 -0800 (PST) Message-ID: <3891D15B.187414A8@home.royer.com> Date: Fri, 28 Jan 2000 09:26:51 -0800 From: Doug Royer Reply-To: ietf-calendar@imc.org X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.6 sun4m) X-Accept-Language: en MIME-Version: 1.0 To: ietf-calendar@imc.org Subject: Re: ACTONBEHALFOF (was: revised security section) References: <4.2.0.58.20000127105755.06ec4130@po12.mit.edu> <3890A496.89ACBD02@home.royer.com> <38913D2E.B17C2C04@msdw.com> <3891BF9A.B12247AB@home.royer.com> <3891C974.EFE25ED5@msdw.com> Content-Type: multipart/mixed; boundary="------------E43E4AE951B9BC4B0E4C18D2" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a multi-part message in MIME format. --------------E43E4AE951B9BC4B0E4C18D2 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit > > And I guess that means we must allow for a UPN in the SENT-BY paramater. > > Which meanst that section 4.2.18 must be updated in iCalendar. > > Remember that in the second method where SASL is used, the server "sees" > the principals UPN, not the secretary's. There's no way the server can > distinguish between them. What you refer to will be the case if we use > VCAR's to grant this access. I thought that the secretary would authenticate with their own UPN, then do a IDENTIFY command. At that point they authenticated as themselves, then changed (at run time and without logging out) their identity. The CS should know this. Any new component sent would have ORGANIZER set to what IDENTIFY did, and SENT-BY set to their own UPN? I am still catching up to the authentication text. Or do I have two separate points mixed up? -Doug --------------E43E4AE951B9BC4B0E4C18D2 Content-Type: text/x-vcard; charset=us-ascii; name="doug.vcf" Content-Description: Card for Doug Royer Content-Disposition: attachment; filename="doug.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Royer;Doug tel;pager:650-274-8960 or pager@Royer.com tel;cell:650-274-8960 tel;home:650-274-8960 tel;work:805-957-1790 x541 x-mozilla-html:FALSE url:http://Royer.com/People/Doug version:2.1 email;internet:doug@home.royer.com adr;quoted-printable:;;801 Woodside Rd. #14=0D=0ASuite 244;Redwood City;CA;94061;USA x-mozilla-cpt:;0 fn:Doug Royer end:vcard --------------E43E4AE951B9BC4B0E4C18D2-- From owner-ietf-calendar@imc.org Fri Jan 28 13:25:32 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA22562 for ; Fri, 28 Jan 2000 13:25:26 -0500 (EST) Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id JAA09373 for ietf-calendar-bks; Fri, 28 Jan 2000 09:54:49 -0800 (PST) Received: from home.royer.com (adsl-63-195-80-50.dsl.snfc21.pacbell.net [63.195.80.50]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA09369 for ; Fri, 28 Jan 2000 09:54:47 -0800 (PST) Received: from home.royer.com (home.royer.com [192.168.168.10]) by home.royer.com (8.9.1/8.9.1) with ESMTP id JAA21155 for ; Fri, 28 Jan 2000 09:56:43 -0800 (PST) Message-ID: <3891D85B.24DA74A3@home.royer.com> Date: Fri, 28 Jan 2000 09:56:43 -0800 From: Doug Royer Reply-To: ietf-calendar@imc.org X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.6 sun4m) X-Accept-Language: en MIME-Version: 1.0 To: ietf-calendar@imc.org Subject: Re: further suggestion for section 2.4.2.1 References: <4.2.0.58.20000127121344.01a48e90@po12.mit.edu> <389135DF.EA6240CC@msdw.com> <3891BE8E.D365DC28@home.royer.com> <3891C889.6DBFD3BB@msdw.com> Content-Type: multipart/mixed; boundary="------------2E5D8E5F797524BFB8CB284A" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a multi-part message in MIME format. --------------2E5D8E5F797524BFB8CB284A Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit > > I did not get that from the email. I understood it to mean any user > > that happens to come from example.com. PLEASE clarify! > > My understanding was that we depend on the UPN provided by the > authentication method negotiated via SASL. The UPN is supposed to be an > rfc822 compliant name (eg: dmadeo@example.com). A VCAR which has > "@example.com" means allow any authenticated user who's UPN matches the > regexp /^(.*)\@example.com$/ An anonymous login who's UPN is "@" > doesn't match that. I can potentially authenticate as > dmadeo@example.com, regardless of my ip address. > > The server will need to check each UPN against the VCARs for a calendar. > > UPN -> "dmadeo@example.com" > VCAR dmadeo@example.com -> matches > VCAR foobar@example.com -> doesn't match > VCAR @example.com -> matches > VCAR @ -> matches An anonymous user should not match? Or did I miss that? The CS will get '@' as the UPN during authenticate for an anonymous user? Or will it get 'dmadeo@example.com' look for that first; if not found look for '@example.com', and authenticate 'dmadeo'; then if no match and if a '@' VCAR exist, treat 'dmadeo@example.com' as anonymous? I did not understand that when I read the text. 'I' think the text needs to clearly explain this misunderstanding. I don't care which way it goes, I just would not know which way to code a CS. Or maybe I am just nuts and everyone else understood? :-) > UPN -> "@" > VCAR dmadeo@example.com -> doesn't match > VCAR foobar@example.com -> doesn't match > VCAR @example.com -> doesn't match > VCAR @ -> matches > > Do you want to force the server to keep two upn's for each user, one > based on the authentication and one based on the domain name of the ip > address connecting to the server? From IP address you can get host.domainname . From host.domain I can check for a VCAR with '@example.com'. Again I am not proposing anything - I am asking for clarification. I do not know what the text as proposed means as I think I could write two implementations each that seemed to be compliant to the text, both or one of which would be incompatible with others. > I suspect that's a can of worms you > really don't want to open. If you authenticate as anonymous, your UPN > should be "@", not "@example.com". Paul's text about the "trace" text > associated with anonymous login applies here. I read the "trace" text to mean that a CUA SHOULD not by default send the users email address as their UPN. I think that is great! But I do not see in that text where it states that a VCAR with "@example.com" means any user that the CS already knows about (email address or not), or does it mean that any user from that domain is allowed anonymous access? So is: @example.com an anonymous user? So if I see this in a VCAR then any user given access without any other VCAR has the same access as an anonymous user? Or does it mean: @example.com would be allowed access by the CS? And their may be in a VCAR. Because any user from example.com is NOT anonymous? And at the same time @example.com would be rejected and NOT be treated as anonymous? Again - I am not proposing anything. I still do not understand. > dmadeo > > > It is possible to determine which host (or IP address) a connection > > is from as soon as the connection is made - prior to any data transfers. > > > > So I think the text needs to be clarified; does it mean that any user > > from example.com is allowed as anonymous. Or does it mean any already known > > user (non-anonymous) is allowed as long as they can authenticate? --------------2E5D8E5F797524BFB8CB284A Content-Type: text/x-vcard; charset=us-ascii; name="doug.vcf" Content-Description: Card for Doug Royer Content-Disposition: attachment; filename="doug.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Royer;Doug tel;pager:650-274-8960 or pager@Royer.com tel;cell:650-274-8960 tel;home:650-274-8960 tel;work:805-957-1790 x541 x-mozilla-html:FALSE url:http://Royer.com/People/Doug version:2.1 email;internet:doug@home.royer.com adr;quoted-printable:;;801 Woodside Rd. #14=0D=0ASuite 244;Redwood City;CA;94061;USA x-mozilla-cpt:;0 fn:Doug Royer end:vcard --------------2E5D8E5F797524BFB8CB284A-- From owner-ietf-calendar@imc.org Fri Jan 28 13:28:01 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA22616 for ; Fri, 28 Jan 2000 13:27:54 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id JAA09428 for ietf-calendar-bks; Fri, 28 Jan 2000 09:58:57 -0800 (PST) Received: from hqvsbh1.ms.com (hqvsbh1.ms.com [205.228.12.103]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA09424 for ; Fri, 28 Jan 2000 09:58:56 -0800 (PST) Received: (from uucp@localhost) by hqvsbh1.ms.com (8.9.3/fw v1.30) id NAA18570 for ; Fri, 28 Jan 2000 13:00:52 -0500 (EST) Received: from localhost(127.0.0.1) by hqvsbh1 via smap (4.1) id sma.9490824321.017751; Fri, 28 Jan 00 13:00:32 -0500 Received: by hqvsbh1.ms.com (8.9.3/8.9.3(vs)) id NAA17734 for ; Fri, 28 Jan 2000 13:00:32 -0500 (EST) X-Authentication-Warning: hqvsbh1.ms.com: Processed from queue /var/spool/mqueue-vs X-Authentication-Warning: hqvsbh1.ms.com: Processed by uucp with -C /etc/mail/sendmail.vs.cf X-Interface: IDMZ Received: from sasmh4.ms.com(144.14.193.5) by hqvsbh1 via smap (4.1) id sma.9490824271.017186; Fri, 28 Jan 00 13:00:27 -0500 Received: from msdw.com (vector.morgan.com [144.14.16.149]) by sasmh4.ms.com (8.8.5/imap+ldap v2.4) with ESMTP id NAA18943 for ; Fri, 28 Jan 2000 13:00:26 -0500 (EST) Message-ID: <3891D93A.265B864C@msdw.com> Date: Fri, 28 Jan 2000 13:00:26 -0500 From: David Madeo Reply-To: David.Madeo@msdw.com Organization: Morgan Stanley Dean Witter & Co. X-Mailer: Mozilla 4.7C-CCK-MCD [en] (X11; U; SunOS 5.5.1 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-calendar@imc.org Subject: Re: ACTONBEHALFOF (was: revised security section) References: <4.2.0.58.20000127105755.06ec4130@po12.mit.edu> <3890A496.89ACBD02@home.royer.com> <38913D2E.B17C2C04@msdw.com> <3891BF9A.B12247AB@home.royer.com> <3891C974.EFE25ED5@msdw.com> <3891D15B.187414A8@home.royer.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: Content-Transfer-Encoding: 7bit Doug Royer wrote: > > > > And I guess that means we must allow for a UPN in the SENT-BY paramater. > > > Which meanst that section 4.2.18 must be updated in iCalendar. > > > > Remember that in the second method where SASL is used, the server "sees" > > the principals UPN, not the secretary's. There's no way the server can > > distinguish between them. What you refer to will be the case if we use > > VCAR's to grant this access. > > I thought that the secretary would authenticate with their own UPN, > then do a IDENTIFY command. At that point they authenticated as themselves, > then changed (at run time and without logging out) their identity. > > The CS should know this. Any new component sent would have ORGANIZER > set to what IDENTIFY did, and SENT-BY set to their own UPN? IDENTIFY is out as far as I know. Paul can explain more, but SASL has a mechanism where you authenticate as yourself, but ask to be identified as a different name. Whatever authentication method you choose through SASL has to support this of course, and it's responsible for ensuring you're allowed to do this. Presumably there will be a local config file to allow this. So, from the servers point of view, a user with a UPN just shows up and it takes it at face value. That's why I think both methods will be used. Personally I'd rather have the VCAR's since I'd like to use the Sent-By and Organizer properties in the way you describe. Perhaps if enough people feel strongly about this, we can put text in to say that the UPN trickery can not be used for designate access. dmadeo > I am still catching up to the authentication text. Or do I have > two separate points mixed up? From owner-ietf-calendar@imc.org Fri Jan 28 14:39:31 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA24902 for ; Fri, 28 Jan 2000 14:39:26 -0500 (EST) Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id LAA10988 for ietf-calendar-bks; Fri, 28 Jan 2000 11:14:09 -0800 (PST) Received: from home.royer.com (adsl-63-195-80-50.dsl.snfc21.pacbell.net [63.195.80.50]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA10983 for ; Fri, 28 Jan 2000 11:14:07 -0800 (PST) Received: from home.royer.com (home.royer.com [192.168.168.10]) by home.royer.com (8.9.1/8.9.1) with ESMTP id LAA21213 for ; Fri, 28 Jan 2000 11:16:03 -0800 (PST) Message-ID: <3891EAF2.860B45F0@home.royer.com> Date: Fri, 28 Jan 2000 11:16:02 -0800 From: Doug Royer X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.6 sun4m) X-Accept-Language: en MIME-Version: 1.0 To: ietf-calendar@imc.org CC: ietf-calendar@imc.org Subject: Re: ACTONBEHALFOF (was: revised security section) References: <4.2.0.58.20000127105755.06ec4130@po12.mit.edu> <3890A496.89ACBD02@home.royer.com> <38913D2E.B17C2C04@msdw.com> <3891BF9A.B12247AB@home.royer.com> <3891C974.EFE25ED5@msdw.com> <3891D15B.187414A8@home.royer.com> <3891D93A.265B864C@msdw.com> Content-Type: multipart/mixed; boundary="------------341D4FD284ACB308E93C74ED" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a multi-part message in MIME format. --------------341D4FD284ACB308E93C74ED Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit > IDENTIFY is out as far as I know. Paul can explain more, but SASL has a > mechanism where you authenticate as yourself, but ask to be identified > as a different name. Whatever authentication method you choose through > SASL has to support this of course, and it's responsible for ensuring > you're allowed to do this. Presumably there will be a local config file > to allow this. Okay - then the SASL mechanism implementation needs to keep track of this so that it can be tracked and used in SENT-BY (per iTIP). In the past (in the WG), we could not find ANY SASL implementation that allowed this to work - so we invented IDENTIFY - If I remember the history correctly. The generic SASL framework allowed for it, but none of the needed mechanisms supported it. (Again as I recall). However when it comes to security, I will bow to Paul. If he says it will work, I am sure it can. We will need to tell people how in CAP as most of us are not security experts. As in: If you want to be able to do something on behalf of someone else you have these choices: (1) Authenticate as them using any agreed on mechanism as returned from CAPABILITY. or (2) Authenticate as yourself, use SASL to And at least SASL mechanism MUST be implemented by the CUA and CS wishing to use this method to act on behalf of someone as the fallback for interoperability. or ... > So, from the servers point of view, a user with a UPN just shows up and > it takes it at face value. > > That's why I think both methods will be used. Personally I'd rather > have the VCAR's since I'd like to use the Sent-By and Organizer > properties in the way you describe. Perhaps if enough people feel > strongly about this, we can put text in to say that the UPN trickery can > not be used for designate access. Per iTIP, that is what SENT-BY is. And as CAP allow scheduling per iTIP, I think we MUST support that meaning. Let's not invent another way and lets support SENT-BY. --------------341D4FD284ACB308E93C74ED Content-Type: text/x-vcard; charset=us-ascii; name="doug.vcf" Content-Description: Card for Doug Royer Content-Disposition: attachment; filename="doug.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Royer;Doug tel;pager:650-274-8960 or pager@Royer.com tel;cell:650-274-8960 tel;home:650-274-8960 tel;work:805-957-1790 x541 x-mozilla-html:FALSE url:http://Royer.com/People/Doug version:2.1 email;internet:doug@home.royer.com adr;quoted-printable:;;801 Woodside Rd. #14=0D=0ASuite 244;Redwood City;CA;94061;USA x-mozilla-cpt:;0 fn:Doug Royer end:vcard --------------341D4FD284ACB308E93C74ED-- From owner-ietf-calendar@imc.org Fri Jan 28 15:17:20 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA25918 for ; Fri, 28 Jan 2000 15:17:14 -0500 (EST) Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id LAA11400 for ietf-calendar-bks; Fri, 28 Jan 2000 11:43:37 -0800 (PST) Received: from pivsbh1.ms.com (pivsbh1.ms.com [199.89.64.103]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA11396 for ; Fri, 28 Jan 2000 11:43:35 -0800 (PST) Received: (from uucp@localhost) by pivsbh1.ms.com (8.9.3/fw v1.30) id OAA02020 for ; Fri, 28 Jan 2000 14:45:32 -0500 (EST) Received: from localhost(127.0.0.1) by pivsbh1 via smap (4.1) id sma.9490887221.001034; Fri, 28 Jan 00 14:45:22 -0500 Received: by pivsbh1.ms.com (8.9.3/8.9.3(vs)) id OAA01025 for ; Fri, 28 Jan 2000 14:45:22 -0500 (EST) X-Authentication-Warning: pivsbh1.ms.com: Processed from queue /var/spool/mqueue-vs X-Authentication-Warning: pivsbh1.ms.com: Processed by uucp with -C /etc/mail/sendmail.vs.cf X-Interface: IDMZ Received: from sasmh4.ms.com(144.14.193.5) by pivsbh1 via smap (4.1) id sma.9490887201.000757; Fri, 28 Jan 00 14:45:20 -0500 Received: from msdw.com (vector.morgan.com [144.14.16.149]) by sasmh4.ms.com (8.8.5/imap+ldap v2.4) with ESMTP id OAA18853 for ; Fri, 28 Jan 2000 14:45:19 -0500 (EST) Message-ID: <3891F1CF.602EA398@msdw.com> Date: Fri, 28 Jan 2000 14:45:19 -0500 From: David Madeo Reply-To: David.Madeo@msdw.com Organization: Morgan Stanley Dean Witter & Co. X-Mailer: Mozilla 4.7C-CCK-MCD [en] (X11; U; SunOS 5.5.1 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-calendar@imc.org Subject: Re: further suggestion for section 2.4.2.1 References: <4.2.0.58.20000127121344.01a48e90@po12.mit.edu> <389135DF.EA6240CC@msdw.com> <3891BE8E.D365DC28@home.royer.com> <3891C889.6DBFD3BB@msdw.com> <3891D85B.24DA74A3@home.royer.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: Content-Transfer-Encoding: 7bit This is my last post on the subject for a few days, so let's hope it's a good one :) Comments throughout. Doug Royer wrote: > > > > I did not get that from the email. I understood it to mean any user > > > that happens to come from example.com. PLEASE clarify! > > > > My understanding was that we depend on the UPN provided by the > > authentication method negotiated via SASL. The UPN is supposed to be an > > rfc822 compliant name (eg: dmadeo@example.com). A VCAR which has > > "@example.com" means allow any authenticated user who's UPN matches the > > regexp /^(.*)\@example.com$/ An anonymous login who's UPN is "@" > > doesn't match that. I can potentially authenticate as > > dmadeo@example.com, regardless of my ip address. > > > > The server will need to check each UPN against the VCARs for a calendar. > > > > UPN -> "dmadeo@example.com" > > VCAR dmadeo@example.com -> matches > > VCAR foobar@example.com -> doesn't match > > VCAR @example.com -> matches > > VCAR @ -> matches > > An anonymous user should not match? Or did I miss that? > The CS will get '@' as the UPN during authenticate for an anonymous user? Yes. The server has no idea who the user is if it's anonymous. > Or will it get 'dmadeo@example.com' look for that first; if not found > look for '@example.com', and authenticate 'dmadeo'; then if no match > and if a '@' VCAR exist, treat 'dmadeo@example.com' as anonymous? The server should not need to know how to do this. It should take whatever UPN that SASL and the authentication method gives it. The server will often compare this UPN against a VCAR to see if the UPN is authorized. That's what I in the matching example above. The VCAR has "@example.com" and the server is comparing the UPN "dmadeo@example.com" against it. It matches. Originally I thought that there should be no way for a user to authenticate as "@example.com". However, I can see a case where a SASL mechanism is configured such that any local user who authenticates but wants to be "@example.com" can do so. This allows two levels on anonymity: global and domain specific. GRRR. Paul, we'll need to refine the UPN definition to include two additional cases which aren't RFC822 compliant. "@" and "@example.com". We should expressly forbid "user@" here too. > I did not understand that when I read the text. 'I' think > the text needs to clearly explain this misunderstanding. I don't > care which way it goes, I just would not know which way to code a CS. > Or maybe I am just nuts and everyone else understood? :-) In some areas, the security text assumes you know nothing. In others, it assumes you've already picked your SASL libraries and know what you're doing. > > UPN -> "@" > > VCAR dmadeo@example.com -> doesn't match > > VCAR foobar@example.com -> doesn't match > > VCAR @example.com -> doesn't match > > VCAR @ -> matches > > > > Do you want to force the server to keep two upn's for each user, one > > based on the authentication and one based on the domain name of the ip > > address connecting to the server? > > From IP address you can get host.domainname . > From host.domain I can check for a VCAR with '@example.com'. Clearly, you can figure out which domainname is associated with an ip address. However, the Calendar server shouldn't even try to extrapolate this. Trust the authentication, nothing else. > Again I am not proposing anything - I am asking for clarification. I do > not know what the text as proposed means as I think I could write two > implementations each that seemed to be compliant to the text, both or one of > which would be incompatible with others. > > > I suspect that's a can of worms you > > really don't want to open. If you authenticate as anonymous, your UPN > > should be "@", not "@example.com". Paul's text about the "trace" text > > associated with anonymous login applies here. > > I read the "trace" text to mean that a CUA SHOULD not by default send > the users email address as their UPN. I think that is great! Yes. > But I do not see in that text where it states that a VCAR with "@example.com" > means any user that the CS already knows about (email address or not), > or does it mean that any user from that domain is allowed anonymous access? I meant that if you're logging in as anonymous, the server shouldn't be storing anything that identifies you, including your domain. > So is: > > @example.com an anonymous user? So if I see this in a VCAR > then any user given access without any other VCAR > has the same access as an anonymous user? Depending on the context, this is either the UPN of a domain specific anonymous user OR a UPN in a VCAR which will match any authenticated user (even an anonymous one). If I see this in a VCAR, I think that this rule applies to any user who authenticated and their UPN either is or ends in "@example.com". > Or does it mean: > > @example.com would be allowed access by the CS? > And their may be in a VCAR. > Because any user from example.com is NOT anonymous? > > And at the same time @example.com > would be rejected and NOT be treated as anonymous? > Hope this helps everyone clarify the issues. Thanks, dmadeo From owner-ietf-calendar@imc.org Fri Jan 28 17:10:32 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA28187 for ; Fri, 28 Jan 2000 17:10:30 -0500 (EST) Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id NAA12641 for ietf-calendar-bks; Fri, 28 Jan 2000 13:25:27 -0800 (PST) Received: from home.royer.com (adsl-63-195-80-50.dsl.snfc21.pacbell.net [63.195.80.50]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA12637 for ; Fri, 28 Jan 2000 13:25:25 -0800 (PST) Received: from home.royer.com (home.royer.com [192.168.168.10]) by home.royer.com (8.9.1/8.9.1) with ESMTP id NAA21361 for ; Fri, 28 Jan 2000 13:25:26 -0800 (PST) Message-ID: <38920946.38B1C646@home.royer.com> Date: Fri, 28 Jan 2000 13:25:26 -0800 From: Doug Royer Reply-To: ietf-calendar@imc.org X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.6 sun4m) X-Accept-Language: en MIME-Version: 1.0 To: ietf-calendar@imc.org Subject: Re: further suggestion for section 2.4.2.1 References: <4.2.0.58.20000127121344.01a48e90@po12.mit.edu> <389135DF.EA6240CC@msdw.com> <3891BE8E.D365DC28@home.royer.com> <3891C889.6DBFD3BB@msdw.com> <3891D85B.24DA74A3@home.royer.com> <3891F1CF.602EA398@msdw.com> Content-Type: multipart/mixed; boundary="------------E8903912214D81B62765E612" Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a multi-part message in MIME format. --------------E8903912214D81B62765E612 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit David Madeo wrote: > > This is my last post on the subject for a few days, so let's hope it's a > good one :) > > Comments throughout. > > Doug Royer wrote: > > > > > > I did not get that from the email. I understood it to mean any user > > > > that happens to come from example.com. PLEASE clarify! > > > > > > My understanding was that we depend on the UPN provided by the > > > authentication method negotiated via SASL. The UPN is supposed to be an > > > rfc822 compliant name (eg: dmadeo@example.com). A VCAR which has > > > "@example.com" means allow any authenticated user who's UPN matches the > > > regexp /^(.*)\@example.com$/ An anonymous login who's UPN is "@" > > > doesn't match that. I can potentially authenticate as > > > dmadeo@example.com, regardless of my ip address. > > > > > > The server will need to check each UPN against the VCARs for a calendar. > > > > > > UPN -> "dmadeo@example.com" > > > VCAR dmadeo@example.com -> matches > > > VCAR foobar@example.com -> doesn't match > > > VCAR @example.com -> matches > > > VCAR @ -> matches > > > > An anonymous user should not match? Or did I miss that? > > The CS will get '@' as the UPN during authenticate for an anonymous user? > > Yes. ... Yes to both questions, or the last one? > ... The server has no idea who the user is if it's anonymous. True - but that was not my question. > > Or will it get 'dmadeo@example.com' look for that first; if not found > > look for '@example.com', and authenticate 'dmadeo'; then if no match > > and if a '@' VCAR exist, treat 'dmadeo@example.com' as anonymous? > > The server should not need to know how to do this. It should take > whatever UPN that SASL and the authentication method gives it. Not entirely true. We have to specify what we want. If we are saying that '@' means anonymous, then that is a new thing that I have not seen in any SASL mechanism. Same with '@domain'. In both cases no SASL implementation that I have seen will allow '@' to mean global-anonymous or '@domain' to mean domain specific anonymous. Someone still needs to write an implementation of the SASL mechanism for their CS implementation. There are ways to authenticate using SASL as anonymous. None that I have seen specify returning '@' or '@domain' to the underlying layers, or as the authentication id. SASL indirectly does allow us to specify those things. It is just not clear to me that we have done that in the text. > The server will often compare this UPN against a VCAR to see if the UPN is > authorized. That's what I in the matching example above. The VCAR has > "@example.com" and the server is comparing the UPN "dmadeo@example.com" > against it. It matches. That part of the picture I understand. The question is: Are your now 'dmadeo' or 'anonymous'? If the answer is that you are 'anonymous' how do we specify *any* valid user at domain? (ANY@domain ?). If the answer is that you are 'dmadeo' how do we specify any user at domain - as anonymous? (anonymous@domain ?) > Originally I thought that there should be no way for a user to > authenticate as "@example.com". However, I can see a case where a SASL > mechanism is configured such that any local user who authenticates but > wants to be "@example.com" can do so. This allows two levels on > anonymity: global and domain specific. What if we want a VCAR to allow for ANY-KNOWN -AND- authenticated user at a named domain. Such as: BEGIN:VCAR CARID:allow all users from our clients GRANT:UPN=ANY@paid-in-full.com;.... END:VCAR -OR- Do I have to enumerate all of usersin a VCAR? Yuck! > GRRR. Paul, we'll need to refine the UPN definition to include two > additional cases which aren't RFC822 compliant. "@" and > "@example.com". We should expressly forbid "user@" here too. > > > I did not understand that when I read the text. 'I' think > > the text needs to clearly explain this misunderstanding. I don't > > care which way it goes, I just would not know which way to code a CS. > > Or maybe I am just nuts and everyone else understood? :-) > > In some areas, the security text assumes you know nothing. In others, > it assumes you've already picked your SASL libraries and know what > you're doing. Only if we in advance specify the minimum SASL mechanism that can interoperate. Then WE must specify in advance what it means to a CS if it gets '@' or '@name'. > > > UPN -> "@" > > > VCAR dmadeo@example.com -> doesn't match > > > VCAR foobar@example.com -> doesn't match > > > VCAR @example.com -> doesn't match > > > VCAR @ -> matches > > > > > > Do you want to force the server to keep two upn's for each user, one > > > based on the authentication and one based on the domain name of the ip > > > address connecting to the server? > > > > From IP address you can get host.domainname . > > From host.domain I can check for a VCAR with '@example.com'. > > Clearly, you can figure out which domainname is associated with an ip > address. However, the Calendar server shouldn't even try to extrapolate > this. Trust the authentication, nothing else. Spammers and hackers would love that. I can see that we would NOT require it. However any large site would need to keep track of the connections for security auditing when someone hacks. As I see it, anonymous connections to a CS are need only because each public calendar will not be able to authenticate ALL possible CUs. As in, if I don't know you, then login as anonymous and I will give you access to read all public events that have a VCAR for anonymous access. There may also be a need at some sites to provide a way for a CS to ensure anonymity. And we can define that way in advance, and we can mandate that a CS understands this request (even if it says NO). We can not mandate that a CS does not track connections or users. > > But I do not see in that text where it states that a VCAR with "@example.com" > > means any user that the CS already knows about (email address or not), > > or does it mean that any user from that domain is allowed anonymous access? > > I meant that if you're logging in as anonymous, the server shouldn't be > storing anything that identifies you, including your domain. I disagree. A public baseball field may have a calendar. Because the CS-admin does not want to have to provide an authentication id to all possible residents. They may allow anonymous access. In this case they do want and need (so they can email you back) you real-id. So as I read text, this should not be automatic. But the CU may say yes. > > So is: > > > > @example.com an anonymous user? So if I see this in a VCAR > > then any user given access without any other VCAR > > has the same access as an anonymous user? > > Depending on the context, this is either the UPN of a domain specific > anonymous user OR a UPN in a VCAR which will match any authenticated > user (even an anonymous one). When would you see '@example.com' NOT in a VCAR? > If I see this in a VCAR, I think that > this rule applies to any user who authenticated and their UPN either is > or ends in "@example.com". Okay - now how would in a VCAR I say any anonymous user in that domain, but only anonymous users? Because all known users in that domain would have their own VCAR. > > Or does it mean: > > > > @example.com would be allowed access by the CS? > > And their may be in a VCAR. > > Because any user from example.com is NOT anonymous? > > > > And at the same time @example.com > > would be rejected and NOT be treated as anonymous? > > > > Hope this helps everyone clarify the issues. Closer, but I am still not convinced that all points on the matrix have been covered. I would like to see something like (Or perhaps all of this is covered and I am still not getting it): (a) @domain - Means any KNOWN user @domain (b) anonymous@domain - ONLY anonymous users @domain and excludes known users. (c) user-name@domain - ONLY the named 'user-name' @domain (d) @ - Means anonymous user from ANY domain. And excludes known users. I think this would simplify VCARs. I see the proposed text and this discussion as saying that: (I) anonymous can be (a) or (d). (II) Known users can be (a) or (c). No way to say anonymous only VCAR access. No way to say only non-anonymous known users. VCAR with (a) is ambiguous when the CS would be trying to enforce a VCAR, it could have a problem with two conflicting VCARS. One for anonymous and another for when they are known. BEGIN:VCAR CARID:access for anonymous users. GRANT:UPN=@example.com; .... DENY: ... CREATE,WRITE,... END:VCAR BEGIN:VCAR CARID:access for tweaker GRANT:UPN=tweaker@example.com; ... CREATE,WRITE... END:VCAR So when they authenticate as tweaker@example.com, in your example they match the 1st rule. As there is no unambiguous way to specify only-if-anonymous. Where as see this as unambiguous: BEGIN:VCAR CARID:access for anonymous users. GRANT:UPN=anonymous@example.com; .... DENY: ... CREATE,WRITE,... END:VCAR BEGIN:VCAR CARID:access for tweaker GRANT:UPN=tweaker@example.com; ... CREATE,WRITE... END:VCAR Or do I still have it wrong? :-) -Doug --------------E8903912214D81B62765E612 Content-Type: text/x-vcard; charset=us-ascii; name="doug.vcf" Content-Description: Card for Doug Royer Content-Disposition: attachment; filename="doug.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Royer;Doug tel;pager:650-274-8960 or pager@Royer.com tel;cell:650-274-8960 tel;home:650-274-8960 tel;work:805-957-1790 x541 x-mozilla-html:FALSE url:http://Royer.com/People/Doug version:2.1 email;internet:doug@home.royer.com adr;quoted-printable:;;801 Woodside Rd. #14=0D=0ASuite 244;Redwood City;CA;94061;USA x-mozilla-cpt:;0 fn:Doug Royer end:vcard --------------E8903912214D81B62765E612-- From owner-ietf-calendar@imc.org Fri Jan 28 18:12:43 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA29380 for ; Fri, 28 Jan 2000 18:12:40 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id OAA13648 for ietf-calendar-bks; Fri, 28 Jan 2000 14:47:40 -0800 (PST) Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id OAA13643 for ; Fri, 28 Jan 2000 14:47:35 -0800 (PST) Received: from GRAND-CENTRAL-STATION.MIT.EDU by MIT.EDU with SMTP id AA20043; Fri, 28 Jan 00 17:50:40 EST Received: from melbourne-city-street.MIT.EDU (MELBOURNE-CITY-STREET.MIT.EDU [18.69.0.45]) by grand-central-station.MIT.EDU (8.9.2/8.9.2) with ESMTP id RAA00364; Fri, 28 Jan 2000 17:49:31 -0500 (EST) Received: from miles-davis (MILES-DAVIS.MIT.EDU [18.177.0.37]) by melbourne-city-street.MIT.EDU (8.9.3/8.9.2) with ESMTP id RAA00712; Fri, 28 Jan 2000 17:49:30 -0500 (EST) Message-Id: <4.2.0.58.20000128171434.01ab9ee8@po12.mit.edu> X-Sender: pbh@po12.mit.edu (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Fri, 28 Jan 2000 17:24:50 -0500 To: David.Madeo@msdw.com From: "Paul B. Hill" Subject: Re: forced VCAR (was: revised security section) Cc: ietf-calendar@imc.org In-Reply-To: <389140A5.DD45BAEC@msdw.com> References: <4.2.0.58.20000127153336.01ab19d0@po12.mit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: At 02:09 AM 1/28/2000 -0500, David Madeo wrote: >I'd like to see the >"forced VCAR" be a mandatory addition to every calendars set of VCAR's. Hi, I'm trying to figure out what Dave means by mandatory. During the conversation in Cambridge I thought that Dave was hoping for a MAY implement but felt that MUST was not necessary, and was unlikely to be accepted. Dave, are you talking about the how a server might implement this feature, or the language that has to go into the draft? No that I think about it even more, is this subject appropriate for the draft at all? It would never appear as a part of the protocol on the wire, right? The only thing that would need to be defined for the protocol is what would be conveyed to the CUA if it tried to write a VCAR that the CS would not honor. Paul From owner-ietf-calendar@imc.org Sun Jan 30 03:28:05 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id DAA02064 for ; Sun, 30 Jan 2000 03:28:04 -0500 (EST) Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id XAA04999 for ietf-calendar-bks; Sat, 29 Jan 2000 23:58:14 -0800 (PST) Received: from royer.com (royer.com [207.177.146.80]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id XAA04994 for ; Sat, 29 Jan 2000 23:58:12 -0800 (PST) Received: (from doug@localhost) by royer.com (8.9.1/8.9.1) id AAA14400 for ietf-calendar@imc.org; Sun, 30 Jan 2000 00:00:03 -0800 (PST) Date: Sun, 30 Jan 2000 00:00:03 -0800 (PST) From: Doug Royer Message-Id: <200001300800.AAA14400@royer.com> X-Authentication-Warning: royer.com: doug set sender to Doug@Royer.Com using -r To: ietf-calendar@imc.org Subject: CALSCH Action Items Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: This is a list of action items for the CALSCH Working Group. This list will be sent out once a week and updated as often as practical (That means if I am not available it may take an extra week or two before you see your changes). Updates should be sent to mailto:ietf-calendar@imc.org or to myself mailto:Doug.Royer@Software.COM . There are three parts to this action list: (W) Working group action items. (C) CAP editor action items. (I) iCalendar action items (Frank Dawson) Each action item will be assigned a unique ID that will aid in tracking the items. ------------------------------------------------------------------------------ Working Group Action Items Where Resolution is one of: U - undecided. Y - Chair determined consensus is in favor of the proposal. N - Chair determined consensus is NOT in favor of the proposal. D - Dropped. Chair has decided that it may never reach consensus. The following are a list of proposals and their status in the WG: WG Action Item Resolution -------------- ---------- W-1 CAP Use HTTP as transport N W-2 CAP If all booked and scheduled U appointments are in same table W-3 CAP Use SASL as authentication method Y W-4 Add UID and COUNTER to VFREEBUSY N W-5 CAP Should CAPABILITY reply be sent N as result of successful AUTHENTICATE and IDENTITY W-6 Do we need to handle 'unscheduled event' as described by the SKI project? N W-7 CAP Auto-logout Timer issues Do we need one? Y How long? Can the server decide not to do this? Y W-8 CAP Bounded Latency Issues D W-9 CAP MOVE method. Issues with VCARs. U [see note in CAP 7.2.1.5] W-10 CAP Text mandatory in all response N codes W-11 CAP Text optional in response codes Y (some response codes may have mandatory data that follows) W-12 CAP Should parts of response code be Y separated by ';' W-13 CAP Store Schema U W-14 CAP VEVENT Schema U W-15 CAP VTODO Schema U W-16 CAP VJOURNAL Schema U W-17 CAP VCAR Schema U W-18 CAP UPN definition, including anonymous U user and how UPN's are used in LDAP and certificates. W-19 CAP Group definitions, dynamic and U static and how groups are used in VCARs. Policy definitions, in a VCAR format. W-20 Associating UPN values with CREATED U and LAST-MODIFIED properties. W-21 CAP Get/Set calendar user properties N W-22 VTIMEZONE and IANA U W-23 CAP Calendar property to allow/disallow U overlapped booking OPAQUE entries? W-24 CAP Calendar CHARSET property issues U W-25 Remove MUST from UID in 4.8.4.7 Y W-26 Write/Submit information draft/rfc Y W-27 How a query can specify if the recurrence Y rules are to be expanded by the CS. W-28 Cal-Props - PATH U (CAP-00 - 12.2) Will there need to be one? U Optional? U W-29 Import/Export U W-30 Transport protocol name (transport vs U application layer) W-31 NOOP command? U W-32 NOOP advisory only? U W-33 Should DISCONNECT be called QUIT? U W-34 Format following error codes. Are U they well defined? If not they need to be machine determinable. W-35 Move DNS and SLP to seperate draft? U ------------------------------------------------------------------------------ The following are a list of action items for the CAP draft editors: Draft Action Item Who Done (Y/N) ----------------- --- ---------- C-1 Remove unused definitions N C-2 Fix up changes in authentication Alex N text as commented on the list Paul C-3 Text for 2.7 [Finding CAP Servers] Doug N C-4 VCAR examples Doug? N C-5 PUBLISH text C-6 REQUEST text C-7 REPLY text C-8 ADD text C-9 CANCEL text C-10 REFRESH text C-11 COUNTER text C-12 DECLINECOUNTER Text C-13 Post CAP-00.txt Y C-14 Redo state diagram to include STARTTLS and IDENTIFY command. C-15 Document the 'CALMASTER' calendar property C-16 (2.11) Query Schema I'll send this out next week. C-17 (7.2.1.5) MOVE Method More text needed - Who? C-18 (12.1) Calendar Store Properties Editors note. (Per W-27) C-19 (12.2) SCHEDULABLE-HOURS Format? Text needs to be written. C-20 (13.) Security Considerations See editors note - more text. ------------------------------------------------------------------------------ The following are a list of action items for the iCalendar-2 draft: Draft Action Item Who Done (Y/N) ----------------- --- ---------- I-1 MIME alternate/related Frank ? MUST be supported. I-2 Remove ordering of properties and Frank ? parameters in draft. I-3 S/MIME and RFC1847. U [CAP] 2.2.3 ------------------------------------------------------------------------------ Updates should be sent to mailto:ietf-calendar@imc.org or to myself mailto:Doug.Royer@Software.COM -------------------------------------------------------------------------- Work: Doug.Royer@Software.com Home 801 Woodside Rd #14-244 530 E. Montecito St. Office: Redwood City, CA 94061 Santa Barbara, CA 93103 805-957-1790 x541 Personal Email: Doug@Royer.com From owner-ietf-calendar@imc.org Mon Jan 31 08:57:17 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA03484 for ; Mon, 31 Jan 2000 08:57:15 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id FAA10926 for ietf-calendar-bks; Mon, 31 Jan 2000 05:25:43 -0800 (PST) Received: from webserver.gloclub2.net ([206.104.28.4]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id FAA10920; Mon, 31 Jan 2000 05:25:41 -0800 (PST) Received: from 206.104.28.4 [171.211.231.234] by webserver.gloclub2.net (SMTPD32-5.01) id A9C267E01C6; Sun, 30 Jan 2000 23:12:34 CST Received: from qr89503@hotmail.com by qr89503@hotmail.com (8.8.5/8.6.5) with SMTP id GAA04152 for ; Sun, 30 Jan 2000 21:54:09 -0600 (EST) Date: Sun, 30 Jan 00 21:54:09 EST From: qr89503@hotmail.com To: qr89503@hotmail.com Subject: New USA and INTERNATIONAL Merchant Accounts Message-ID: <> Reply-To: qr89503@hotmail.com Comments: Authenticated sender is Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: NEW NEW NEW NEW NEW NEW NEW NEW NEW NEW NEW NEW NEW NEW U.S.A. and INTERNATIONAL MERCHANT ACCOUNTS FOR THE WORLD. Click below to Apply http://angelfire.com@3462929566/%74%68%65%73%65%72%76%69%63%65%34%38/%64%65%66%61%75%6C%74.%68%74m#@3626198025/%74%68%65%73%65%72%76%69c%65%348/de%66a%75l%74.%68%74%6D ARE YOU REALLY AN E-COMMERCE MERCHANT? Increase your revenues by up to 1500% by accepting credit cards and electronic checks. Increase your customer base 200- 400% with instant access to the World. ARE YOU PAYING TOO MUCH? Discount rates start at 2.1% Transaction fees start at 25 cents. DO YOU WAIT TOO LONG FOR YOUR MONEY? Funds available in 24-48 hours anywhere in the world DO YOU HAVE DIFFICULTY GETTING MERCHANT ACCOUNTS 99% of all applications are approved. ARE YOU LIMITED BY WHAT YOU CAN ACCEPT? Mastercard, Visa, Discover, Amex and Checks (USA checks only) All cards from ALL COUNTRIES - Including Eastern Europe and Asia - - - - - - - - - - - Click HERE to APPLY. http://angelfire.com@3462929566/%74%68%65%73%65%72%76%69%63%65%34%38/%64%65%66%61%75%6C%74.%68%74m#@3626198025/%74%68%65%73%65%72%76%69c%65%348/de%66a%75l%74.%68%74%6D NOTE: THIS IS NOT AN APPLICATION FOR A PERSONAL CREDIT CARD BUT FOR A MERCHANT ACCOUNT. - - - - - - - - - - - To be removed from our mailing list, call (888) 341-4786 Clearly spell your email address and you will be removed. *** From owner-ietf-calendar@imc.org Mon Jan 31 10:11:29 2000 Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA06181 for ; Mon, 31 Jan 2000 10:11:27 -0500 (EST) Received: by ns.secondary.com (8.9.3/8.9.3) id GAA12555 for ietf-calendar-bks; Mon, 31 Jan 2000 06:49:01 -0800 (PST) Received: from webserver.gloclub2.net ([206.104.28.4]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA12550; Mon, 31 Jan 2000 06:49:00 -0800 (PST) Date: Mon, 31 Jan 2000 06:49:00 -0800 (PST) From: qr89503@hotmail.com Message-Id: <200001311449.GAA12550@ns.secondary.com> Sender: owner-ietf-calendar@imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: