Re: [caldav] draft-desruisseaux-caldav-sched-09 / question concerning Security

Bernie Hoeneisen <bernie@ietf.hoeneisen.ch> Mon, 07 February 2011 12:27 UTC

To: Julian Reschke <julian.reschke@gmx.de>
Cc: draft-desruisseaux-caldav-sched@tools.ietf.org, caldav@ietf.org

Hi Julian

Thanks for your fast reply.
My comments inline.

On Mon, 7 Feb 2011, Julian Reschke wrote:

> On 07.02.2011 11:56, Bernie Hoeneisen wrote:
>> Dear authors of draft-desruisseaux-caldav-sched
>> 
>> I was going through draft-desruisseaux-caldav-sched and came across
>> something rather confusing:
>> 
>> - In the Security Considerations of draft-desruisseaux-caldav-sched, the
>> following is specified:
>> 
>> "Servers and clients MUST use an HTTP connection protected with
>> TLS as defined in [RFC2818] for all scheduling transactions."
>> 
>> - RFC 2818 requires:
>> 
>> "2.4. URI Format
>> HTTP/TLS is differentiated from HTTP URIs by using the 'https'
>> protocol identifier in place of the 'http' protocol identifier."
>> 
>> - However, in the IANA Considerations section 16.1 (only) "http" is
>> requested for IANA registration:
>> 
>> "Applicable protocol: http"
>> 
>> 
>> This appears rather contradictory to me. Can you please enlighten me
>> regarding this matter? I assume that some correction (or at least
>> clarification) is needed in draft-desruisseaux-caldav-sched.
>> ...
>
> Although the spec requires use of HTTPS, the base protocol is still "http". 
> There is no separate header field registry for "https" (and that would really 
> be bad).

I see. This explains at least part of the confusion.


The actual question I need an answer to is:

If someone advertises a URI for Internet Calendar scheduling, which URI 
Schemes are permitted in said URI?

Besides 'mailto', I see at least 'https'.
But would 'http' also be permitted? (I guess not.)
Any further URI Schemes used for Internet Calendaring?

If this has been specified somewhere, I'd be glad to receive some 
pointers.

cheers,
  Bernie