
Re: Users and Authentication Ids in CAP




Alex responded with:
>I think that having an authorization command would be easier
>than proxy rights in the VCAR.  The VCAR can then grant rights
>to the identity to which you authorized.


There is a disconnect between an AUTHORIZATION command in CAP and using the VCAR info to decide what rights the specified identity has.  _HOW_ does the CS 'know' that I am authorized to use the "AUTHORIZE alext@cst.com" command when all it may know about me is that my UPN is bkahn01@iris.com??  There has to be some OOB or other mechanism for the CS to use to decide "Can bkahn01@iris.com become alext@cst.com?".

A new AUTHORIZATION/AUTHENTICATE command may not solve this.  Here is why not: alext@cst.com tells the CS that bkahn@iris.com is able to re-authorize as alext@cst.com.  This effectively would give bkahn@iris.com the same access rights to ALL calendars in the CS.  This could provide me a _big_ backdoor (hangar door size backdoor!) into the other calendars in that CS.  Just how would this 'proxy' ability be scoped to avoid this problem?  The other side of the coin is that for Admin types, this scoping is exactly what they would want so now we could have CS policies that conflict w/the individual scopes.

This becomes a giant rat hole (elephant sized rat hole!!) balancing the security issues w/the usage desires...

How about some suggestions from other folks out there!?!  (I'm off to get more caffeine and catch up on all the threads I've missed in the past 2 weeks...)

Bruce
===========================================================================
Bruce Kahn                                INet: Bruce_Kahn@iris.com
Iris Associates                          Phone: 978.392.5335
Westford, MA, USA 01886                    FAX: and nothing but the FAX...
Standard disclaimers apply, even where prohibited by law...
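
The scoping concern in the message above, as an added example that is not part of the original post and is not CAP or VCAR syntax: it compares an identity-switch AUTHORIZE with a proxy grant scoped per calendar, and shows a CS-wide policy overriding the individual scope. The data model, the calendar names and admin@cst.com are constructed assumptions.

```python
# Added illustration; the data model and names are assumptions, not CAP or VCAR syntax.

# Constructed sample: calendar -> {identity: rights} (stand-in for per-calendar VCAR grants)
ACL = {
    "alext/personal": {"alext@cst.com": {"read", "write"}},
    "team/engineering": {"alext@cst.com": {"read", "write"}},
    "exec/board": {"alext@cst.com": {"read"}},
    "bkahn/personal": {"bkahn01@iris.com": {"read", "write"}},
}
# Constructed sample: grantor -> {proxy: calendars the grantor meant to share}
DELEGATIONS = {"alext@cst.com": {"bkahn01@iris.com": {"alext/personal"}}}
# Constructed sample: CS-wide policy, proxy -> identities it may act for on every calendar
CS_POLICY = {"admin@cst.com": {"alext@cst.com"}}


def calendars_of(identity):
    """Calendars on which `identity` holds any right."""
    return {cal for cal, grants in ACL.items() if grants.get(identity)}


def reachable_identity_switch(authenticated, target):
    """Unscoped AUTHORIZE: once allowed, the session is evaluated as `target`."""
    if authenticated in DELEGATIONS.get(target, {}):
        return calendars_of(target)
    return calendars_of(authenticated)


def reachable_scoped(authenticated, target):
    """Scoped proxy: target's rights apply only on calendars the grantor listed,
    unless a CS-wide policy lets this proxy act for the target everywhere."""
    if target in CS_POLICY.get(authenticated, set()):
        scope = calendars_of(target)  # server policy overrides the user's scope
    else:
        scope = DELEGATIONS.get(target, {}).get(authenticated, set())
    return calendars_of(authenticated) | (scope & calendars_of(target))


def overreach(authenticated, target):
    """Calendars the identity switch exposes beyond what the grantor scoped."""
    return (reachable_identity_switch(authenticated, target)
            - reachable_scoped(authenticated, target))
```
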