[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Latest in-process draft

To: IETF CALSCH WG <ietf-calendar@xxxxxxx>
Subject: Re: Latest in-process draft
From: David Madeo <David.Madeo@xxxxxxxx>
Date: Tue, 22 Feb 2000 12:11:29 -0500
List-archive: <http://www.imc.org/ietf-calendar/mail-archive/>
List-id: <ietf-calendar.imc.org>
List-unsubscribe: <mailto:ietf-calendar-request@imc.org?body=unsubscribe>
Organization: Morgan Stanley Dean Witter & Co.
References: <> <> <>
Reply-to: David.Madeo@xxxxxxxx
Sender: owner-ietf-calendar@xxxxxxx

Doug Royer wrote:
> 
> Richard Shusterman wrote:
> >
> > Doug,
> >
> > I quickly scanned this draft and did not see any of the text that was generated
> > at the Boston meeting and sent to this list included in this latest draft. Can
> > you please update this draft with that text. I realize there are some discussions
> > that still need to be made around some of this text but a number of us did spend
> > 2 full days working on this text AND I didn't see any major objections to it's
> > inclusion. If you need me to point you to emails with the relevant text, I can do
> > that.
> 
> As steve pointed out it is in the works.
> 
> Also, I still do not understand some of the text as I still have unanswered
> questions that I have posted. In summary (with respect to trying to generate
> a VCAR for an anonymous UPN):
> 
>         Anonymous - looked ambiguous in the text. What is an anonymous UPN?
>         Anonymous from any domain or any @specifc-domain. I could not tell which.

A totally anonymous UPN is "@".   It may be possible to authenticate
using a SASL method, but obtain the "domain anonymous" UPN such as
"@example.com".  This means you can be identified as someone from
example.com, but we're not sure which person.

It's important to distinguish between UPN's and ACL pattern matches. 
ACL's currently require a UPN.  We've also discussed putting pattern
matches into ACL rules as well as definitive UPN's.  So I may choose to
let "@" see my freebusy time, "@example.com" see certain types of data
and "mybestfriend@xxxxxxxxxxx" see everything.  This translates to
anyone can see my freebusy.  Anyone who can authenticate at example.com
can see certain types of data and that specific UPN can see everything.

A simple example:
Using SASL, I can authenticate as me and get my normal UPN
"dmadeo@xxxxxxxxxxx".  Or I could authenticate as me and ask for another
UPN.  Whichever authentication method I use can look up to see if I'm
allowed to ask for that particular UPN and either allow or disallow it. 
The CU trusts the SASL methods to only give it UPN's that are properly
authorized.  I ask to see the calendar  calid://example.com/a9dfhj23jf
which has an ACL which says "dmadeo@xxxxxxxxxxx" is an owner.  I can
modify the calendar as much as I'd like.  I then ask to see
calid://example.com/89jadf77adf which has an ACL saying "@example.com"
has full read access.  Because my UPN is "dmadeo@xxxxxxxxxxx", and the
ACL says "@example.com", I should then have full read access.

Hope this clarifies things.

dmadeo

>         There may have been more.
> 
> Also, some ABNF or examples needs to be updated to show how to use them.
> 
> -Doug

Follow-Ups:
- Re: Latest in-process draft
  - From: Doug Royer

References:
- Latest in-process draft
  - From: Doug Royer
- Re: Latest in-process draft
  - From: Richard Shusterman
- Re: Latest in-process draft
  - From: Doug Royer

Prev by Date: Re: Clarification on W-19 CAP Group Definitions
Next by Date: Re: What/Where is ICAP
Previous by thread: Re: Latest in-process draft
Next by thread: Re: Latest in-process draft
Index(es):
- Date
- Thread