[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Users and Authentication Ids in CAP
Alex reponded with:
>I think that having an authorization command would be easier
>than proxy rights in the VCAR. The VCAR can then grant rights
>to the identity to which you authorized.
There is a disconnect between an AUTHORIZATION command in CAP and using the VCAR info to decide what rights the specified identity has. _HOW_ does the CS 'know' that I am authorized to use "AUTHORIZE email@example.com" command when all it may know about me is my UPN is firstname.lastname@example.org?? There has to be some OOB or other mechanism for the CS to use to decide "Can email@example.com become firstname.lastname@example.org?".
A new AUTHORIZATION/AUTHENTICATE command may not solve this. Here is why not: email@example.com tells the CS that firstname.lastname@example.org is able to re-authorize as email@example.com. This effectively would give firstname.lastname@example.org the same access rights to ALL calendars in the CS. This could provide me a _big_ backdoor (hanger door size backdoor!) into the other calendars in that CS. Just how would this 'proxy' ability be scoped to avoid this problem? The other side of the coin is that for Admin types, this scoping is exactly what they would want so now we could have CS policies that conflict w/the individual scopes.
This becomes a giant rat hole (elephant sized rat hole!!) balancing the the security issues w/the usage desires...
How about some suggestions from other folks out there!?! (Im off to get more caffine and catch up on all the threads Ive missed in the past 2 weeks...)
Bruce Kahn INet: Bruce_Kahn@iris.com
Iris Associates Phone: 978.392.5335
Westford, MA, USA 01886 FAX: and nothing but the FAX...
Standard disclaimers apply, even where prohibited by law...