
Re: Latest in-process draft



David Madeo wrote:
> 
> Doug Royer wrote:
> >
> > Richard Shusterman wrote:
> > >
> > > Doug,
> > >
> > > I quickly scanned this draft and did not see any of the text that was generated
> > > at the Boston meeting and sent to this list included in this latest draft. Can
> > > you please update this draft with that text. I realize there are some discussions
> > > that still need to be made around some of this text but a number of us did spend
> > > 2 full days working on this text AND I didn't see any major objections to its
> > > inclusion. If you need me to point you to emails with the relevant text, I can do
> > > that.
> >
> > As Steve pointed out it is in the works.
> >
> > Also, I still do not understand some of the text as I still have unanswered
> > questions that I have posted. In summary (with respect to trying to generate
> > a VCAR for an anonymous UPN):
> >
> >         Anonymous - looked ambiguous in the text. What is an anonymous UPN?
> >         Anonymous from any domain or any @specific-domain. I could not tell which.
> 
> A totally anonymous UPN is "@". It may be possible to authenticate
> using a SASL method, but obtain the "domain anonymous" UPN such as
> "@example.com".  This means you can be identified as someone from
> example.com, but we're not sure which person.

How does a CAP CUA 'obtain' it over the wire?

> It's important to distinguish between UPNs and ACL pattern matches.
> ACLs currently require a UPN.  We've also discussed putting pattern
> matches into ACL rules as well as definitive UPNs.  So I may choose to
> let "@" see my freebusy time, "@example.com" see certain types of data
> and "mybestfriend@xxxxxxxxxxx" see everything.  This translates to
> anyone can see my freebusy.  Anyone who can authenticate at example.com
> can see certain types of data and that specific UPN can see everything.

I would be for that.

> A simple example:
> Using SASL, I can authenticate as me and get my normal UPN
> "dmadeo@xxxxxxxxxxx".  Or I could authenticate as me and ask for another
> UPN.

How does a CAP CUA ask for 'another UPN'?

> Whichever authentication method I use can look up to see if I'm
> allowed to ask for that particular UPN and either allow or disallow it.

With UPNEXPAND I can expand one UPN into multiple.

How does a CAP CUA ask to use a particular UPN?
How does a CS or a CAP CUA allow or disallow it (I assume you mean access to
use the selected UPN)?

> The CU trusts the SASL methods to only give it UPNs that are properly
> authorized.

I assume 'it' is the CU? Is this via UPNEXPAND? Or as part
of the AUTHENTICATE reply?

> I ask to see the calendar calid://example.com/a9dfhj23jf
> which has an ACL which says "dmadeo@xxxxxxxxxxx" is an owner.  I can
> modify the calendar as much as I'd like.  I then ask to see
> calid://example.com/89jadf77adf which has an ACL saying "@example.com"
> has full read access.  Because my UPN is "dmadeo@xxxxxxxxxxx", and the
> ACL says "@example.com", I should then have full read access.

Okay, so that's how you could do wildcard matches.

How do you use/select another UPN?

-Doug
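The three kinds of ACL entry David describes (the totally anonymous "@", the domain-anonymous "@example.com", and an exact UPN) as an added Python example; this is not code from the draft or from either author. The two calendar ACLs, the rights names and the owner address dmadeo@example.com are constructed (the real address is masked in the archive), and taking the union of every matching entry is an assumption, since the thread does not say how overlapping entries combine.

```python
from __future__ import annotations

ANONYMOUS_UPN = "@"  # the totally anonymous UPN: no user part, no domain part


def split_upn(upn: str) -> tuple[str, str]:
    """Split 'user@domain' into (user, domain), lower-cased; '@' gives ('', '')."""
    if upn.count("@") != 1:
        raise ValueError(f"not a UPN: {upn!r}")
    user, domain = upn.split("@")
    return user.lower(), domain.lower()


def pattern_matches(pattern: str, upn: str) -> bool:
    """'@' matches every presented UPN, '@domain' matches any UPN in that
    domain (the domain-anonymous UPN included), 'user@domain' matches exactly."""
    if pattern == ANONYMOUS_UPN:
        return True
    p_user, p_domain = split_upn(pattern)
    u_user, u_domain = split_upn(upn)
    if p_user == "":
        return u_domain == p_domain
    return (u_user, u_domain) == (p_user, p_domain)


def effective_rights(acl: list[tuple[str, set[str]]], upn: str) -> set[str]:
    """Union of the rights from every matching entry. Assumption: the thread
    does not settle how overlapping entries combine, so the union is taken."""
    rights: set[str] = set()
    for pattern, granted in acl:
        if pattern_matches(pattern, upn):
            rights |= granted
    return rights


# Constructed ACLs modelled on the two calendars in the thread; the owner
# address is a placeholder because the real one is masked in the archive.
CALENDARS = {
    "calid://example.com/a9dfhj23jf": [
        ("@", {"freebusy"}),
        ("dmadeo@example.com", {"freebusy", "read", "write", "owner"}),
    ],
    "calid://example.com/89jadf77adf": [
        ("@", {"freebusy"}),
        ("@example.com", {"freebusy", "read"}),
    ],
}


def can(calid: str, upn: str, right: str) -> bool:
    return right in effective_rights(CALENDARS[calid], upn)
```

A client that never authenticates presents "@" and only ever hits the "@" entry; a SASL-authenticated client holding the domain-anonymous "@example.com" gets the domain entry as well, but never the owner's.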