[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: iTIP REPLY question
I got news for you I will NEVER EVER allow anonymous access to my
calendar for ANY PURPOSE (reading or writing!).
Unlike mail which has pretty well understood processes/needs and does
not require exposing internal networks/servers directly to outsiders,
CAP has an implic limitation that every CS involved must be directly
reachable by the CUAs involved (remember, we took out 'fan out' and
this is one side effect of that).
Right. As I recall, we took out fan-out in part because we didn't want
to cope with the complexities of proxying requests with authentication.
So we've replaced the difficulties of domain-to-domain authentication
with the much larger difficulties of user-to-foreign-domain
authentication. Since this is a problem that's essentially unsolvable
without a PKI, we've wound up with a mechanism that's unacceptable
between domains, so people are going to have to drop back to
email--where you still don't have any authentication, but at least your
request has to look plausible to the user.
Actually, if we *require* the CUA to use the CS to do fan-out, we can
get a fairly simple interdomain authentication mechanism. If I get a
message from a foreign CS, claiming to be from foo@xxxxxxxxxxx (never
mind the syntax for now), I do the SRV lookup to verify that the source
address is a CS for example.com. (For an extra level of protection, I
can actually connect to the CS specified in the SRV, and do some sort of
cookie exchange to verify that I'm talking to the same entity that
contacted me, instead of J. Random Process on the same host.) Now, in
theory, it is possible for someone to crack the CS for example.com and
send messages masquerading as foo@xxxxxxxxxxxx But, if they crack the
CS, then they can do that no matter *what* authentication system we come
This is an idea that came out of the IMPP discussions in 1999; the key
point is that the owner of a domain is the ultimate authority on names
allocated from that domain's namespace, and there is no point trying to
gainsay that authority. If I get a message that I can verify as being
from the designated CS for example.com, and that designated CS asserts
that the message is from foo@xxxxxxxxxxx, that assertion is a tautology.
Of course, if you want assurances that a message is from a specific
*person*, then you need a PKI; but this simple proxy authentication is
good enough to prevent most types of spoofing (e.g., sending an ACCEPT
that purports to be from foo@xxxxxxxxxxx but isn't), and to ensure
accountability for spamming. Better than iMIP, anyway.
|John Stracke |jstracke@xxxxxxxxxxx |
|Principal Engineer|http://www.centive.com |
|Centive |My opinions are my own.|
|You buttered your bread, now lie in it. |