Re: iTIP REPLY question
Bruce_Kahn@xxxxxxxxxxxxxxxx wrote:
> I got news for you I will NEVER EVER allow anonymous access to my
> calendar for ANY PURPOSE (reading or writing!).
Agreed.
> Unlike mail which has pretty well understood processes/needs and does
> not require exposing internal networks/servers directly to outsiders,
> CAP has an implicit limitation that every CS involved must be directly
> reachable by the CUAs involved (remember, we took out 'fan out' and
> this is one side effect of that).
Right. As I recall, we took out fan-out in part because we didn't want
to cope with the complexities of proxying requests with authentication.
So we've replaced the difficulties of domain-to-domain authentication
with the much larger difficulties of user-to-foreign-domain
authentication. Since this is a problem that's essentially unsolvable
without a PKI, we've wound up with a mechanism that's unacceptable
between domains, so people are going to have to drop back to
email--where you still don't have any authentication, but at least your
request has to look plausible to the user.
Actually, if we *require* the CUA to use the CS to do fan-out, we can
get a fairly simple interdomain authentication mechanism. If I get a
message from a foreign CS, claiming to be from foo@xxxxxxxxxxx (never
mind the syntax for now), I do the SRV lookup to verify that the source
address is a CS for example.com. (For an extra level of protection, I
can actually connect to the CS specified in the SRV, and do some sort of
cookie exchange to verify that I'm talking to the same entity that
contacted me, instead of J. Random Process on the same host.) Now, in
theory, it is possible for someone to crack the CS for example.com and
send messages masquerading as foo@xxxxxxxxxxx. But, if they crack the
CS, then they can do that no matter *what* authentication system we come
up with.
This is an idea that came out of the IMPP discussions in 1999; the key
point is that the owner of a domain is the ultimate authority on names
allocated from that domain's namespace, and there is no point trying to
gainsay that authority. If I get a message that I can verify as being
from the designated CS for example.com, and that designated CS asserts
that the message is from foo@xxxxxxxxxxx, that assertion is a tautology.
Of course, if you want assurances that a message is from a specific
*person*, then you need a PKI; but this simple proxy authentication is
good enough to prevent most types of spoofing (e.g., sending an ACCEPT
that purports to be from foo@xxxxxxxxxxx but isn't), and to ensure
accountability for spamming. Better than iMIP, anyway.
--
/==========================================\
|John Stracke |jstracke@xxxxxxxxxxx |
|Principal Engineer|http://www.centive.com |
|Centive |My opinions are my own.|
|==========================================|
|You buttered your bread, now lie in it. |
\==========================================/
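The two-step check sketched in the message above (SRV lookup to see whether the connecting host is a designated CS for the claimed domain, then a callback cookie exchange so that the confirmation comes from the CS process itself rather than from another process on the same host), written out as an added, runnable illustration. This is not code from the thread or from any CAP implementation: the SRV service label `_cap._tcp`, the `CalendarStore` class, its `send`/`confirm` methods and every host name are assumptions, and DNS and the network are replaced by in-memory tables so it runs offline. As the message says, the result is a domain-level assertion only; it says nothing about which person is behind the address.

```python
"""Offline sketch of SRV-based origin verification plus a callback cookie
exchange.  DNS and the network are simulated with in-memory tables.
Assumptions (not from the original message): the SRV label '_cap._tcp',
the CalendarStore API, and all host names."""
import secrets
from dataclasses import dataclass, field

# Constructed SRV table: '_cap._tcp.<domain>' -> (priority, weight, port, target)
FAKE_DNS = {
    "_cap._tcp.example.com": [(10, 0, 1026, "cs1.example.com"),
                               (20, 0, 1026, "cs2.example.com")],
    # example.net publishes no CAP SRV record at all
}


def srv_lookup(domain):
    """Designated CS endpoints for a domain, lowest priority first."""
    records = FAKE_DNS.get(f"_cap._tcp.{domain}", [])
    return [(target, port) for _, _, port, target in sorted(records)]


def claimed_domain(address):
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox address: {address!r}")
    return domain.lower()


def origin_is_designated_cs(claimed_from, peer_host):
    """Step 1: is the connecting host one of the SRV-designated CSes for the
    domain the message claims to come from?  A domain-level check only."""
    domain = claimed_domain(claimed_from)
    return any(host == peer_host for host, _ in srv_lookup(domain))


@dataclass
class CalendarStore:
    """A designated CS.  It attaches a one-time cookie to each outbound
    message and can later confirm that it really issued that cookie."""
    host: str
    _issued: set = field(default_factory=set)

    def send(self, claimed_from):
        cookie = secrets.token_hex(16)
        self._issued.add(cookie)
        return {"from": claimed_from, "cookie": cookie, "peer_host": self.host}

    def confirm(self, cookie):
        # One-time use: a cookie that has been confirmed cannot be replayed.
        if cookie in self._issued:
            self._issued.discard(cookie)
            return True
        return False


def verify_message(msg, network):
    """Step 2: call back the SRV-designated CS (looked up by us, never the
    address the peer supplied) and ask it to confirm the inbound cookie.
    `network` maps (host, port) -> the CalendarStore listening there."""
    if not origin_is_designated_cs(msg["from"], msg["peer_host"]):
        return False
    for host, port in srv_lookup(claimed_domain(msg["from"])):
        cs = network.get((host, port))
        if cs is not None and cs.confirm(msg["cookie"]):
            return True
    return False


def demo():
    """Genuine CS, a replay, a rogue process on the CS host, a foreign host."""
    real_cs = CalendarStore("cs1.example.com")
    network = {("cs1.example.com", 1026): real_cs}
    genuine = real_cs.send("foo@example.com")
    rogue = {"from": "foo@example.com", "cookie": "not-issued-by-cs1",
             "peer_host": "cs1.example.com"}       # passes step 1, fails step 2
    foreign = {"from": "foo@example.com", "cookie": genuine["cookie"],
               "peer_host": "evil.example.net"}    # fails step 1
    return {
        "genuine": verify_message(genuine, network),
        "replay": verify_message(genuine, network),
        "rogue_same_host": verify_message(rogue, network),
        "foreign_host": verify_message(foreign, network),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16} {'accepted' if ok else 'rejected'}")
```

The callback is deliberately made to the endpoint found in the verifier's own SRV lookup, not to whatever the inbound peer claims; that is what defeats the "J. Random Process on the same host" case, since the rogue process cannot answer on the port the designated CS owns. Confirming a cookie consumes it, so a captured message cannot be accepted a second time.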