IETF Logo Mail Archive

Re: [calsify] draft-douglass-subscription-upgrade / Re: Client "Bootstrapping" Procedures for CalDAV/CardDAV for passwordless access

Дилян Палаузов <dilyan.palauzov@aegee.org> Fri, 12 October 2018 11:24 UTC

Return-Path: <dilyan.palauzov@aegee.org>
X-Original-To: calsify@ietfa.amsl.com
Delivered-To: calsify@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD8B012F1A6 for <calsify@ietfa.amsl.com>; Fri, 12 Oct 2018 04:24:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (4096-bit key) header.d=aegee.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iR5ktTD0oPPr for <calsify@ietfa.amsl.com>; Fri, 12 Oct 2018 04:24:16 -0700 (PDT)
Received: from mail.aegee.org (mail.aegee.org [144.76.142.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3082D1293FB for <calsify@ietf.org>; Fri, 12 Oct 2018 04:24:15 -0700 (PDT)
Authentication-Results: mail.aegee.org/w9CBOBb8011016; auth=pass (LOGIN) smtp.auth=didopalauzov@AEGEE.ORG
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=aegee.org; s=k4096; t=1539343452; i=dkim+MSA-tls@aegee.org; r=y; bh=S3WJJ/q7wEOZkfpjTvVnT7y3xfXXx6lWVtp2zVVheYI=; h=Subject:From:To:Date:In-Reply-To:References; b=GyoK1F82Jb8b89uaif67vfdlzVAVF/ZWFSW6+6b0EQcfK+GptuVjbBM4lxUstcH1I CVY/ulhahY0D8ghI2d4OBBOTRc+h1R6AUiCKL44u4doIFUOaQotgU+u1cQ51lJbPjb ZC2QAJCnG9yynEvCRCsg6ZsL3WclYzw0+ZZel4P9Of2ttBLwyokjTVIQQRYOPlM/vk gPKIglUve+sRphWUeyUbaaf8T5LC6BAPixTGU4TwqCTNYiN+9FYW7CVhilwSRyou2L lsx6wMi+b7SMFB0yBKYUdTR29aSiES983MOmlyT7BJbxjbYNtVplra/Kk3+P6xebxm xaeWkE1jhyjbYpVhZObG9GMurVnQOIfh/aUpU+mxumf5K/ftM+0D8dhZNb95d1UaLr 5vAwuaeTaMPPAYR9aj2b8e2Xq/2G7YZacfkW75mGK/xiAZWgbLFAXBaKau5OtpMCIV PSBoCSugKYEJkMo3vPxKLm5oYzsu0iS4YJy5E9QPq+OKxzUnWGbpB8IPdFNfDV9Ssi QSa749l5N/aMGMRURNJGTZ+H22RBCanUdXHhgf+E26zh+2t6LCMxEbWJnf1iPt0HR9 sbcrBK8fGkd6VjVloI7M1DNrGO0gb76NY3PSisP1Hpz2bU5Az/HA1xClxhCjHf6hdy /7WLJWug6V0SnRD0NqI69z7g=
Authentication-Results: mail.aegee.org/w9CBOBb8011016; dkim=none
Received: from Tylan (87-118-146-153.ip.btc-net.bg [87.118.146.153]) (authenticated bits=0) by mail.aegee.org (8.15.2/8.15.2) with ESMTPSA id w9CBOBb8011016 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <calsify@ietf.org>; Fri, 12 Oct 2018 11:24:12 GMT
Message-ID: <a9b19a482e57afb603b443bc42f048603ab76904.camel@aegee.org>
From: Дилян Палаузов <dilyan.palauzov@aegee.org>
To: calsify@ietf.org
Date: Fri, 12 Oct 2018 11:24:11 +0000
In-Reply-To: <1768b3793d656d01f9ad178660c1527ae9106b39.camel@aegee.org>
References: <20180818233752.Horde.esUJKQWOiboWHLScyO3X6Rq@webmail.aegee.org> <821258b3-8eb0-fc80-e023-ef2c8e8f68ef@gmail.com> <20180819030918.Horde.QhV2Wf7cFO4nBkr4bCOLKvj@webmail.aegee.org> <c70feab7a2a2983f16e1842e5522b37972d23d16.camel@aegee.org> <8ab0a3dc-dea5-b36a-8912-8e69b44591f4@gmail.com> <1768b3793d656d01f9ad178660c1527ae9106b39.camel@aegee.org>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.31.2
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.100.2 at mail.aegee.org
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/calsify/GgrsVrI4Ih4dIDXddiO4rdQrQJs>
Subject: Re: [calsify] draft-douglass-subscription-upgrade / Re: Client "Bootstrapping" Procedures for CalDAV/CardDAV for passwordless access
X-BeenThere: calsify@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <calsify.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/calsify>, <mailto:calsify-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/calsify/>
List-Post: <mailto:calsify@ietf.org>
List-Help: <mailto:calsify-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/calsify>, <mailto:calsify-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Oct 2018 11:24:20 -0000

Amendment:

I think the RFC6764 discovery is applicable both for unauthenticated
and authenticated access.  First the user agent asks for domain and
whether and how the user wants to auhtenticate, then does DNS
SRV/TXT/.well-known work.  If the credentials do not match, when the
user wants to authenticate, the server answers with 401
Unauthenticated.

If RFC 6764 in not suitable for discovering collections for
unauthenticated access, then what shall be the procedure to unveil
them?

On Fri, 2018-10-12 at 10:52 +0000, Дилян Палаузов wrote:
> Hello Michael,
> 
> WebDAV ACL (RFC 3744 5.5.1.  ACE Principal) defines
> <DAV:authenticated/> and <DAV:unauthenticated/> as disjoint sets.
> 
> If for an URL the <DAV:unauthenticated/> principal are granted some
> privileges, what shall be the behaviour of that URL for unauthenticated
> requests?
> 
> Exposing an alias of the URL under a slightly different namespace is an
> option, but for me the behaviour of the original URL is unclear.  The
> clients follow procedures to obtain an URL, possibly also its ACEs, the
> exact namespace of the URLs is meaningless for the clients.  With
> procedures I do not mean copying an address from a web page/newsletter,
> but RFC6764 Locating Services for Calendaring Extensions… -discovery.
> 
> On the other side in RFC 5397 WebDAV Current Principal Extension
> section 3.  DAV:current-user-principal is written:
> Value:  A single DAV:href or DAV:unauthenticated element.
> 
> Description:  The DAV:current-user-principal property contains either
>       a DAV:href or DAV:unauthenticated XML element.  The DAV:href
>       element contains a URL to a principal resource corresponding to
>       the currently authenticated user…  When authentication has not
>       been done or has failed, this property MUST contain the 
>       DAV:unauthenticated pseudo-principal.
> 
> Was it on purpose prohibiting for unauthenticated users to return a
> valid DAV:href, from which home-sets can be extracted?  A better
> wording would be: “… When authentication was required, but was not
> successful, this property MUST contain the DAV:unauthenticeted pseudo-
> principal”.
> 
> Speaking about WebDAV: with username and domain provided, a client
> (CUA) can get the DAV:current-user-principal and from it obtain 
> CARDDAV:addressbook-home-set and CALDAV:calendar-home-set.  Is there
> any standard way to retrieve WebDAV URLs for the principal, that are
> not CalDAV or CardDAV related and where the principal can manage files?
> 
> Greetings
>   Дилян
> 
> On Thu, 2018-10-11 at 23:41 -0400, Michael Douglass wrote:
> > I'm pretty much opposed to the mixing of authenticated and 
> > unauthenticated resources on any given context.
> > 
> > If the context /caldav/<anything> always challenges and the context 
> > /pubcaldav/<anything> never challenges there's not much confusion.
> > 
> > I think that was where I was heading anyway.
> > 
> > It might be worth considering flipping it and advertising a noauth 
> > option which will never require authentication
> > 
> > On 10/10/18 03:30, Дилян Палаузов wrote:
> > > Hello,
> > > 
> > > the passwordless CalDAV access can be reflected also in
> > > https://tools.ietf.org/html/draft-douglass-subscription-upgrade-03 :
> > > 
> > > One CalDAV collection can be accessed in two ways: anonymously (without
> > > login) and with login.  In the former case the client cannot make
> > > modifications, in the latter the client probably can.
> > > 
> > > The use case is that any user can edit the ACLs of its own calendar and
> > > can say that anybody can read it.
> > > 
> > > Should OPTIONS following draft-douglass-subscription-upgrade publish
> > > Link: subscribe-caldav or Link: subscribe-caldav-auth for that
> > > resource?
> > > 
> > > The current problem with the CalDAV clients is, that some of them
> > > insist on having a username before making a request and others only
> > > send the username, if they get 401.  For a calendar that can be
> > > accessed in two modes, the server does not return 401 and the clients
> > > are stuck.  The only thing a server can do is to send 401 when no user
> > > name is provided and accept for a user “anonymous@domain” any password.
> > > 
> > > draft-douglass-subscription-upgrade doesn’t say that for Link:
> > > subscribe-caldav when the server returns 401 the client shall retry
> > > with user anonymous@domain and it shouldn’t.
> > > 
> > > My proposal is to remove subscribe-caldav-auth from the draft and ask
> > > the user, whether she wants to authenticate for the CalDAV collection.
> > > 
> > > Greetings
> > >    Дилян
> > > 
> > > On Sun, 2018-08-19 at 03:09 +0000, Dilyan Palauzov wrote:
> > > > Hello Michael,
> > > > 
> > > > where precisely is HTTP Basic Authentication required for
> > > > CalDAV/CardDAV and what is the purpose of this requirement?
> > > > 
> > > > https://tools.ietf.org/html/rfc4918#section-20.1  [WebDAV core RFC]
> > > > requires support for Digest authentication, permitting other
> > > > authentications, but appendix E states
> > > >      Note that the results of
> > > >      some requests might vary according to whether or not the client is
> > > >      authenticated -- a PROPFIND might return more visible resources if
> > > >      the client is authenticated, yet not fail if the client is anonymous.
> > > > 
> > > > so WebDAV does not require authentication.
> > > > 
> > > > In RFC4791 CalDAV I cannot find such requirements, too.
> > > > 
> > > > What do you mean by putting authenticated and unauthenticated
> > > > resources in different context?  Do you suggest to use different
> > > > domains, which allow the bootstrapping process to find different URLs?
> > > >    This will help with clients which send passwords only after
> > > > receiving 401, but will not help with clients which insist on having a
> > > > password before performing the bootstrapping.
> > > > 
> > > > https://tools.ietf.org/html/rfc6352#section-9.3 [CardDAV, Client
> > > > Configuration] adds:
> > > >      Given support for SRV records (Section 11) and DAV:current-user-
> > > >      principal-URL [RFC5397], users only need enter a user identifier,
> > > >      host name, and password to configure their client.  The client would
> > > >      take the host name and do an SRV lookup to locate the CardDAV server,
> > > >      then execute an authenticated PROPFIND on the root/resource looking
> > > >      for the DAV:current-user-principal-URL property.
> > > > 
> > > > So clients waiting for 401 before authenticating on performing this
> > > > PROPFIND are indeed formally wrong.
> > > > 
> > > > But are CalDAV/CardDAV clients required to authenticate on purpose,
> > > > was this an oversight, not to state clearer that unauthenticated
> > > > accesses is bad idea, and what what speaks against clarifying this now?
> > > > 
> > > > Greetings
> > > >     Дилян
> > > > 
> > > > ----- Message from Michael Douglass <mikeadouglass@gmail.com> ---------
> > > >      Date: Sat, 18 Aug 2018 21:55:41 -0400
> > > >      From: Michael Douglass <mikeadouglass@gmail.com>
> > > > Subject: Re: [calsify] Client "Bootstrapping" Procedures for
> > > > CalDAV/CardDAV for passwordless access
> > > >        To: calsify@ietf.org
> > > > 
> > > > 
> > > > > On 8/18/18 19:37, Dilyan Palauzov wrote:
> > > > > > Hello,
> > > > > > 
> > > > > > RFC6764 "Locating Services for Calendaring Extensions to WebDAV
> > > > > > (CalDAV) and vCard Extensions to WebDAV (CardDAV)", Section 6.
> > > > > > Client "Bootstrapping" Procedures suggests asking the user for
> > > > > > minimal amount of data - email address or URL and a password, to
> > > > > > complete the configuration.
> > > > > > 
> > > > > > RFC 4918 "HTTP Extensions for Web Distributed Authoring and
> > > > > > Versioning (WebDAV)" - Appendix E.  Guidance for Clients Desiring
> > > > > > to Authenticate says:
> > > > > > 
> > > > > >     Thus, the WebDAV client would be able to authenticate
> > > > > >     with its first couple requests to the server, provided it had a way
> > > > > >     to get the authentication challenge from the server with realm name,
> > > > > >     nonce, and other challenge information.  Note that the results of
> > > > > >     some requests might vary according to whether or not the client is
> > > > > >     authenticated -- a PROPFIND might return more visible resources if
> > > > > >     the client is authenticated, yet not fail if the client is
> > > > > > anonymous. [...]
> > > > > > 
> > > > > > My understanding is, that a CalDAV server can offer public and
> > > > > > private calendars.  When users authenticate, they see the own,
> > > > > > internal and public calendars, but if they don't authenticate
> > > > > > (=anybody on the globe) can see the public calendar.  In
> > > > > > particular, for the same requests the server can return different
> > > > > > answers, depending on whether the user is authenticated, but never
> > > > > > return 401 to force user authentication.
> > > > > > 
> > > > > > How shall the bootstraping work for public calendars?  Entering
> > > > > > anonomous@domain with any password would work, but this is
> > > > > > unnecessary complicated and any user using this mechanism would ask
> > > > > > herself how can be software engineers so stupid to require users to
> > > > > > enter useless information.
> > > > > Bedework offers authenticated and unauthenticated CalDAV.
> > > > > Unauthenticated is actually not part of the spec as the spec
> > > > > mandates basic auth. Most other forms of auth don't work with CalDAV
> > > > > (as specified).
> > > > > 
> > > > > For basic auth it's quite easy. Put authenticated on one context and
> > > > > unauth on another. Then the server can challenge on the first
> > > > > request to the authenticated context. Never chanllenge on the unauth.
> > > > > > What about closing the gap by writing one more bootstraping scenario:
> > > > > > * for a CalDAV server:
> > > > > >    (modify first bullet, by inserting *possibly*; inject more bullets)
> > > > > >            +  Minimal input from a user would consist of a calendar user
> > > > > >               address and possibly a password.  A calendar user
> > > > > > address is defined
> > > > > >               by iCalendar [RFC5545] to be a URI [RFC3986]. Provided a
> > > > > >               user identifier and a domain name can be extracted from the
> > > > > >               URI, this simple "bootstrapping" configuration can be done.
> > > > > > 
> > > > > >         + When no password is provided by the user, the client shall
> > > > > > assume that the server offers anonymous access and should try the
> > > > > > bootraping without a password, before forcing the user to enter one
> > > > > > on 401 Unauthenticated response
> > > > > >         + When password is provided by the user, the client must
> > > > > > send WWW-Authenticate when obtaining the DAV:current-user-principal
> > > > > > and all subsequent reqeusts, even if the server has not returned
> > > > > > 401 Unauthenticated
> > > > > > 
> > > > > > The explicit "password" is a little bit funny, as the client can
> > > > > > use WWW-Authenticate: Negotiate/GSSAPI-SPNEGO/KerberosV without any
> > > > > > password, but I cannot think on a better wording.
> > > > > > 
> > > > > > Greetings
> > > > > >    Дилян
> > > > > > 
> > > > > > _______________________________________________
> > > > > > calsify mailing list
> > > > > > calsify@ietf.org
> > > > > > https://www.ietf.org/mailman/listinfo/calsify
> > > > > _______________________________________________
> > > > > calsify mailing list
> > > > > calsify@ietf.org
> > > > > https://www.ietf.org/mailman/listinfo/calsify
> > > > ----- End message from Michael Douglass <mikeadouglass@gmail.com> -----
> > > > 
> > > > 
> > > > _______________________________________________
> > > > calsify mailing list
> > > > calsify@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/calsify
> 
> _______________________________________________
> calsify mailing list
> calsify@ietf.org
> https://www.ietf.org/mailman/listinfo/calsify

v2.23.0 | Report a Bug | By Email