Re: [calsify] Secdir last call review of draft-ietf-calext-jscalendar-26
Daniel Migault <daniel.migault@ericsson.com> Tue, 29 September 2020 12:07 UTC
From: Daniel Migault <daniel.migault@ericsson.com>
To: Neil Jenkins <neilj@fastmailteam.com>, Phillip Hallam-Baker <hallam@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-calext-jscalendar.all@ietf.org" <draft-ietf-calext-jscalendar.all@ietf.org>, "calsify@ietf.org" <calsify@ietf.org>
Date: Tue, 29 Sep 2020 12:07:10 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/calsify/uSCj-oJEDjIJo9HHygpoeHg4wcc>
Thanks Phil for the review. This is a useful review with related experience. Thanks Neil for addressing these comments.

Yours,
Daniel

________________________________
From: Neil Jenkins <neilj@fastmailteam.com>
Sent: Monday, March 16, 2020 6:07 AM
To: Phillip Hallam-Baker <hallam@gmail.com>; secdir@ietf.org <secdir@ietf.org>
Cc: last-call@ietf.org <last-call@ietf.org>; draft-ietf-calext-jscalendar.all@ietf.org <draft-ietf-calext-jscalendar.all@ietf.org>; calsify@ietf.org <calsify@ietf.org>
Subject: Re: [calsify] Secdir last call review of draft-ietf-calext-jscalendar-26

Hi Phillip,

Thank you for the review and apologies for the late reply; I have been on leave.

1) Spam
2) Duplication
3) Time Zones
4) Authentication

I have expanded the introduction to the security considerations to mention (4) and added sections for (1)-(3); I include the additions and alterations below. Please let me know if you believe this is insufficient:

7. Security Considerations

Calendaring and scheduling information is very privacy-sensitive. Its transmission must be done carefully to protect it from possible threats, such as eavesdropping, replay, message insertion, deletion, modification, and man-in-the-middle attacks.

The data being stored and transmitted may be used in systems with real world consequences. For example, a home automation system may turn an alarm on and off. Or a coworking space may charge money to the organiser of an event that books one of their meeting rooms. Such systems must be careful to authenticate all data they receive to prevent them from being subverted. This document just defines the data format; such considerations are primarily the concern of the API or method of storage and transmission of such files.

… 7.1-7.3 as before …

7.4. Spam

Calendar systems may receive JSCalendar files from untrusted sources, in particular as attachments to emails. This can be a vector for an attacker to inject spam into a user's calendar. This may confuse, annoy, and mislead users, or overwhelm their calendar with bogus events, preventing them from seeing legitimate ones.

Heuristic, statistical or machine-learning-based filters can be effective in filtering out spam. Authentication mechanisms such as DKIM [RFC6376] can help establish the source of messages and associate the data with existing relationships (such as an address book contact). Misclassifications are always possible however, and providing a feedback mechanism for users to quickly correct this is advised.

7.5. Duplication

It is important for calendar systems to maintain the UID of an event when updating it to avoid unexpected duplication of events. When the UID changes, consumers of the data may not remove the previous version of the event if it has a different UID. This can lead to a confusing situation for the user, with many variations of the event and no indication of which one is correct. Care must be taken by consumers of the data to remove old events where possible to avoid an accidental denial-of-service attack due to the volume of data.

7.6. Time Zones

Events recur in a particular time zone. When this differs from the user's current time zone, it may unexpectedly cause an occurrence to shift in time for that user due to a daylight savings change in the event's time zone. A maliciously crafted event could attempt to confuse users with such an event to ensure a meeting is missed.

> In the general body of the text, the treatment of recurring events MUST address time zones and daylight savings. This is the stuff iCal didn't get right at first and that led to pain.

Can you clarify a bit what change you are looking for here, if any? Do you believe the current text in JSCalendar is ambiguous? A recurrence applies to the "start" property of the event, which is a local date-time. All other properties (including "timeZone") are inherited unless overridden for a specific instance. So an event will essentially recur in its time zone; if you need to translate this into UTC you'll of course need time zone information and to account for daylight savings etc.

Cheers,
Neil.
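The recurrence behaviour Neil describes, as an added example that is not part of this thread or of the JSCalendar draft: a constructed event carrying the draft's "start" (local date-time) and "timeZone" properties is expanded weekly in its own zone and only then converted to UTC, which shows the one-hour move across a DST change that section 7.6 warns about and gives a client a check to surface it to users in other zones. The America/New_York rules are a hand-written tzinfo (assumed post-2007 US rules) so the example needs no tz database, and the weekly rule is a plain argument rather than the draft's recurrence-rule object.

```python
from datetime import datetime, timedelta, timezone, tzinfo

# Constructed sample event (not taken from the draft): a weekly 09:00
# meeting whose "start" is a local date-time and whose "timeZone" is
# the zone it recurs in, as the thread describes.
EVENT = {"start": "2020-03-02T09:00:00", "timeZone": "America/New_York"}

class USEastern(tzinfo):
    """Hand-written stand-in for America/New_York (assumed post-2007 US
    rules: DST from the second Sunday in March to the first Sunday in
    November, both at 02:00 local). Avoids needing a tz database."""

    def _dst_bounds(self, year):
        mar1, nov1 = datetime(year, 3, 1), datetime(year, 11, 1)
        start = mar1 + timedelta(days=(6 - mar1.weekday()) % 7 + 7)
        end = nov1 + timedelta(days=(6 - nov1.weekday()) % 7)
        return start.replace(hour=2), end.replace(hour=2)

    def dst(self, dt):
        start, end = self._dst_bounds(dt.year)
        return timedelta(hours=1) if start <= dt.replace(tzinfo=None) < end else timedelta(0)

    def utcoffset(self, dt):
        return timedelta(hours=-5) + self.dst(dt)

    def tzname(self, dt):
        return "EDT" if self.dst(dt) else "EST"

def expand_weekly(start_local, tz, count):
    """Expand a weekly recurrence in the event's own zone: every
    occurrence keeps the same wall-clock "start" in tz and only then is
    converted to UTC, so a DST change in tz moves the UTC instant."""
    first = datetime.fromisoformat(start_local)  # naive local wall time
    return [(first + timedelta(weeks=i)).replace(tzinfo=tz).astimezone(timezone.utc)
            for i in range(count)]

def utc_shifts(occurrences):
    """Flag occurrences whose UTC instant is not exactly one week after
    the previous one: what a client should show to a user in another
    zone, since for that user the meeting has moved (section 7.6)."""
    shifts = []
    for i in range(1, len(occurrences)):
        drift = (occurrences[i] - occurrences[i - 1]) - timedelta(weeks=1)
        if drift:
            shifts.append((i, drift.total_seconds() / 3600))
    return shifts

if __name__ == "__main__":
    occ = expand_weekly(EVENT["start"], USEastern(), 4)
    print([o.isoformat() for o in occ], utc_shifts(occ))
```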