Issue17

Title: iMIP: authorization to work on behalf of another calendar user
Priority: bug
Status: unread
Superseder:
Nosy List: aamel
Assigned To: aamel
Topics: rfc2447bis

Created on 2006-07-09.15:07:12 by aamel, last changed 2006-10-20.13:53:44 by lear.

Messages
msg19 Author: aamel Date: 2006-07-09.15:07:12
draft-ietf-calsify-rfc2447bis-02.txt says in Section 3 ("Security Considerations"):

   It is possible to receive iMIP messages sent by someone working on
   behalf of another "Calendar User". This is determined by examining
   the "sent-by" parameter in the relevant "ORGANIZER" or "ATTENDEE"
   property.  [iCAL] and [iTIP] provide no mechanism to verify that a
   "Calendar User" has authorized someone else to work on their behalf.
   To address this security issue, implementations MUST provide
   mechanisms for the "Calendar Users" to make that decision before
   applying changes from someone working on behalf of a "Calendar
   User".

This is hand waving, as the document doesn't describe any way of achieving this
MUST. So the text should either be changed to remove the normative requirement, or
at least give some pointers on how to do this.
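
One way a receiving client could surface the decision the quoted draft text calls for, as an added example that is not part of the draft or of this tracker entry: it extracts "sent-by" from ORGANIZER and ATTENDEE properties and returns the delegations the local user has not yet approved. The function names and the `approved` mapping are hypothetical, and the sample message is constructed.

```python
import re

# Constructed sample iTIP REQUEST; all addresses are illustrative.
SAMPLE = (
    "BEGIN:VCALENDAR\r\n"
    "METHOD:REQUEST\r\n"
    "BEGIN:VEVENT\r\n"
    'ORGANIZER;CN=Boss;SENT-BY="mailto:assistant@example.com":mailto:bo\r\n'
    " ss@example.com\r\n"
    "ATTENDEE;RSVP=TRUE:mailto:me@example.com\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Property name, then parameters (quoted values may contain ':' or ';'), then value.
_PVAL = r'(?:"[^"]*"|[^;:"])*'
_PROP = re.compile(r'^(ORGANIZER|ATTENDEE)((?:;[^=;:]+=' + _PVAL + r')*):(.*)$', re.I)
_PARAM = re.compile(r';([^=;:]+)=(' + _PVAL + r')')

def _norm(addr):
    # Simplification (assumption): compare addresses case-insensitively.
    return addr.strip().strip('"').lower()

def find_delegations(ics_text):
    """Return (property, calendar_user, sent_by) for each property carrying SENT-BY."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)  # undo iCalendar line folding
    found = []
    for line in unfolded.splitlines():
        m = _PROP.match(line)
        if not m:
            continue
        params = {k.upper(): v for k, v in _PARAM.findall(m.group(2))}
        if "SENT-BY" in params:
            found.append((m.group(1).upper(), _norm(m.group(3)),
                          _norm(params["SENT-BY"])))
    return found

def needs_user_decision(ics_text, approved):
    """approved: {calendar_user: {delegate, ...}} as chosen by the local user
    (hypothetical store). Returns delegations that still need a decision."""
    return [d for d in find_delegations(ics_text)
            if d[2] not in approved.get(d[1], set())]
```

A non-empty result means the client should hold the changes until the user has decided; the check says nothing about whether the "sent-by" value itself is authentic.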
History
Date User Action Args
2006-10-20 13:53:44  lear  set  topic: + rfc2447bis
2006-07-09 15:07:12  aamel  create