Message19

Author aamel
Recipients
Date 2006-07-09.15:07:12
Content
draft-ietf-calsify-rfc2447bis-02.txt says in Section 3 ("Security Considerations"):

   It is possible to receive iMIP messages sent by someone working on
   behalf of another "Calendar User". This is determined by examining
   the "sent-by" parameter in the relevant "ORGANIZER" or "ATTENDEE"
   property.  [iCAL] and [iTIP] provide no mechanism to verify that a
   "Calendar User" has authorized someone else to work on their behalf.
   To address this security issue, implementations MUST provide
   mechanisms for the "Calendar Users" to make that decision before
   applying changes from someone working on behalf of a "Calendar
   User".

This is hand waving, as the document doesn't describe any way of achieving this
MUST. So the text should either be changed to remove the normative requirement, or
at least give some pointers on how to do this.
History
Date User Action Args
2006-07-09 15:07:12 aamel link issue17 messages
2006-07-09 15:07:12 aamel create
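
One way a client could gate "sent-by" changes on a decision the calendar user has already made, as an added example that is not from the draft or from the message above. The `approved` map, the function names and the sample addresses are assumptions constructed for illustration.

```python
import re

# Constructed sample (not from the draft); the ORGANIZER line is folded.
SAMPLE = (
    'BEGIN:VEVENT\r\n'
    'ORGANIZER;CN="Boss, The";SENT-BY="mailto:assistant@example.com":mailto:bo\r\n'
    ' ss@example.com\r\n'
    'ATTENDEE;SENT-BY="MAILTO:stranger@example.net":mailto:peer@example.com\r\n'
    'ATTENDEE:mailto:me@example.com\r\n'
    'END:VEVENT\r\n'
)

NAME = re.compile(r'[A-Za-z0-9-]+')
VAL = r'(?:"[^"]*"|[^;:,"]*)'  # quoted values may contain ':' ';' ','
PARAM = re.compile(r';([A-Za-z0-9-]+)=(' + VAL + r'(?:,' + VAL + r')*)')

def parse_line(line):
    """Split one unfolded content line into (NAME, params, value), or None."""
    m = NAME.match(line)
    if not m:
        return None
    name, pos, params = m.group().upper(), m.end(), {}
    while (p := PARAM.match(line, pos)):
        params[p.group(1).upper()] = p.group(2)
        pos = p.end()
    if line[pos:pos + 1] != ':':
        return None  # malformed line: never guess at the value
    return name, params, line[pos + 1:]

def addr(v):
    """Normalize a cal-address for comparison (case, quotes, mailto: prefix)."""
    v = v.strip().strip('"').lower()
    return v[7:] if v.startswith('mailto:') else v

def review_delegation(ics_text, approved):
    """approved: hypothetical user-maintained map, principal -> set of delegates.
    SENT-BY is self-asserted, so anything not pre-approved goes to the user."""
    findings = []
    for line in re.sub(r'\r?\n[ \t]', '', ics_text).splitlines():
        parsed = parse_line(line)
        if not parsed or parsed[0] not in ('ORGANIZER', 'ATTENDEE'):
            continue
        _, params, value = parsed
        if 'SENT-BY' in params:
            who, sender = addr(value), addr(params['SENT-BY'])
            ok = sender in approved.get(who, set())
            findings.append((who, sender, 'apply' if ok else 'ask-user'))
    return findings
```

The check only records whether the user has already accepted a given delegate for a given principal; it does not authenticate the sender of the message.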