Re: [calsify] draft-douglass-subscription-upgrade / Re: Client "Bootstrapping" Procedures for CalDAV/CardDAV for passwordless access
Michael Douglass <mikeadouglass@gmail.com> Fri, 12 October 2018 03:41 UTC
To: Дилян Палаузов <dilyan.palauzov@aegee.org>
Cc: calsify@ietf.org
References: <20180818233752.Horde.esUJKQWOiboWHLScyO3X6Rq@webmail.aegee.org> <821258b3-8eb0-fc80-e023-ef2c8e8f68ef@gmail.com> <20180819030918.Horde.QhV2Wf7cFO4nBkr4bCOLKvj@webmail.aegee.org> <c70feab7a2a2983f16e1842e5522b37972d23d16.camel@aegee.org>
From: Michael Douglass <mikeadouglass@gmail.com>
Message-ID: <8ab0a3dc-dea5-b36a-8912-8e69b44591f4@gmail.com>
Date: Thu, 11 Oct 2018 23:41:18 -0400
In-Reply-To: <c70feab7a2a2983f16e1842e5522b37972d23d16.camel@aegee.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/calsify/XBMiQ_S7M_8MSeB_DVoCyYLaCbI>
I'm pretty much opposed to the mixing of authenticated and unauthenticated resources on any given context. If the context /caldav/<anything> always challenges and the context /pubcaldav/<anything> never challenges there's not much confusion. I think that was where I was heading anyway.

It might be worth considering flipping it and advertising a noauth option which will never require authentication.

On 10/10/18 03:30, Дилян Палаузов wrote:
> Hello,
>
> the passwordless CalDAV access can be reflected also in
> https://tools.ietf.org/html/draft-douglass-subscription-upgrade-03 :
>
> One CalDAV collection can be accessed in two ways: anonymously (without login) and with login. In the former case the client cannot make modifications, in the latter the client probably can.
>
> The use case is that any user can edit the ACLs of its own calendar and can say that anybody can read it.
>
> Should OPTIONS following draft-douglass-subscription-upgrade publish Link: subscribe-caldav or Link: subscribe-caldav-auth for that resource?
>
> The current problem with the CalDAV clients is that some of them insist on having a username before making a request and others only send the username if they get 401. For a calendar that can be accessed in two modes, the server does not return 401 and the clients are stuck. The only thing a server can do is to send 401 when no user name is provided and accept any password for a user “anonymous@domain”.
>
> draft-douglass-subscription-upgrade doesn’t say that for Link: subscribe-caldav, when the server returns 401, the client shall retry with user anonymous@domain, and it shouldn’t.
>
> My proposal is to remove subscribe-caldav-auth from the draft and ask the user whether she wants to authenticate for the CalDAV collection.
>
> Greetings
> Дилян
>
> On Sun, 2018-08-19 at 03:09 +0000, Dilyan Palauzov wrote:
>> Hello Michael,
>>
>> where precisely is HTTP Basic Authentication required for CalDAV/CardDAV and what is the purpose of this requirement?
>>
>> https://tools.ietf.org/html/rfc4918#section-20.1 [WebDAV core RFC] requires support for Digest authentication, permitting other authentications, but appendix E states
>>
>>     Note that the results of some requests might vary according to whether or not the client is authenticated -- a PROPFIND might return more visible resources if the client is authenticated, yet not fail if the client is anonymous.
>>
>> so WebDAV does not require authentication.
>>
>> In RFC4791 CalDAV I cannot find such requirements either.
>>
>> What do you mean by putting authenticated and unauthenticated resources in different contexts? Do you suggest using different domains, which allow the bootstrapping process to find different URLs? This will help with clients which send passwords only after receiving 401, but will not help with clients which insist on having a password before performing the bootstrapping.
>>
>> https://tools.ietf.org/html/rfc6352#section-9.3 [CardDAV, Client Configuration] adds:
>>
>>     Given support for SRV records (Section 11) and DAV:current-user-principal-URL [RFC5397], users only need enter a user identifier, host name, and password to configure their client. The client would take the host name and do an SRV lookup to locate the CardDAV server, then execute an authenticated PROPFIND on the root/resource looking for the DAV:current-user-principal-URL property.
>>
>> So clients waiting for 401 before authenticating on performing this PROPFIND are indeed formally wrong.
>>
>> But are CalDAV/CardDAV clients required to authenticate on purpose, or was this an oversight, not to state more clearly that unauthenticated access is a bad idea, and what speaks against clarifying this now?
>>
>> Greetings
>> Дилян
>>
>> ----- Message from Michael Douglass <mikeadouglass@gmail.com> ---------
>> Date: Sat, 18 Aug 2018 21:55:41 -0400
>> From: Michael Douglass <mikeadouglass@gmail.com>
>> Subject: Re: [calsify] Client "Bootstrapping" Procedures for CalDAV/CardDAV for passwordless access
>> To: calsify@ietf.org
>>
>>> On 8/18/18 19:37, Dilyan Palauzov wrote:
>>>> Hello,
>>>>
>>>> RFC6764 "Locating Services for Calendaring Extensions to WebDAV (CalDAV) and vCard Extensions to WebDAV (CardDAV)", Section 6. Client "Bootstrapping" Procedures suggests asking the user for a minimal amount of data - email address or URL and a password - to complete the configuration.
>>>>
>>>> RFC 4918 "HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV)" - Appendix E. Guidance for Clients Desiring to Authenticate says:
>>>>
>>>>     Thus, the WebDAV client would be able to authenticate with its first couple requests to the server, provided it had a way to get the authentication challenge from the server with realm name, nonce, and other challenge information. Note that the results of some requests might vary according to whether or not the client is authenticated -- a PROPFIND might return more visible resources if the client is authenticated, yet not fail if the client is anonymous. [...]
>>>>
>>>> My understanding is that a CalDAV server can offer public and private calendars. When users authenticate, they see their own, internal and public calendars, but if they don't authenticate, they (=anybody on the globe) can see the public calendar. In particular, for the same requests the server can return different answers, depending on whether the user is authenticated, but never return 401 to force user authentication.
>>>>
>>>> How shall the bootstrapping work for public calendars? Entering anonymous@domain with any password would work, but this is unnecessarily complicated and any user using this mechanism would ask herself how software engineers can be so stupid as to require users to enter useless information.
>>>
>>> Bedework offers authenticated and unauthenticated CalDAV. Unauthenticated is actually not part of the spec as the spec mandates basic auth. Most other forms of auth don't work with CalDAV (as specified).
>>>
>>> For basic auth it's quite easy. Put authenticated on one context and unauth on another. Then the server can challenge on the first request to the authenticated context. Never challenge on the unauth.
>>>
>>>> What about closing the gap by writing one more bootstrapping scenario:
>>>>
>>>> * for a CalDAV server:
>>>>   (modify first bullet, by inserting *possibly*; inject more bullets)
>>>>
>>>>   + Minimal input from a user would consist of a calendar user address and possibly a password. A calendar user address is defined by iCalendar [RFC5545] to be a URI [RFC3986]. Provided a user identifier and a domain name can be extracted from the URI, this simple "bootstrapping" configuration can be done.
>>>>
>>>>   + When no password is provided by the user, the client shall assume that the server offers anonymous access and should try the bootstrapping without a password, before forcing the user to enter one on a 401 Unauthenticated response.
>>>>
>>>>   + When a password is provided by the user, the client must send WWW-Authenticate when obtaining the DAV:current-user-principal and on all subsequent requests, even if the server has not returned 401 Unauthenticated.
>>>>
>>>> The explicit "password" is a little bit funny, as the client can use WWW-Authenticate: Negotiate/GSSAPI-SPNEGO/KerberosV without any password, but I cannot think of a better wording.
>>>>
>>>> Greetings
>>>> Дилян
>>>>
>>>> _______________________________________________
>>>> calsify mailing list
>>>> calsify@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/calsify
>>
>> ----- End message from Michael Douglass <mikeadouglass@gmail.com> -----
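As an added example (not code from the thread, from Bedework, or from any draft), a small Python model of the two designs discussed above: Michael's two-context server, where /caldav/ always challenges an anonymous request and /pubcaldav/ never does, beside the single mixed-mode collection Дилян describes, which serves a public view to everyone and never sends 401; the client side models both a client that waits for 401 and one that authenticates pre-emptively as RFC 6352 section 9.3 describes. The user name, password and collection names are constructed, and Basic is used because the thread says the spec mandates it.

```python
import base64

# Constructed credential store for the model; not from the thread.
USERS = {"alice": "s3cret"}


def basic_header(user, password):
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticated_user(authorization):
    """Return the user name carried by a valid Basic credential, else None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return user if sep and USERS.get(user) == password else None


def server_propfind(path, authorization=None, mixed_mode=False):
    """Model of the two-context server: /caldav/ always challenges an anonymous
    request, /pubcaldav/ never challenges. mixed_mode=True models the single
    collection that serves a public view to everyone and never sends 401.
    Returns (status, collections visible to this requester)."""
    user = authenticated_user(authorization)
    if path.startswith("/caldav/"):
        if user is None:
            return 401, []  # would carry WWW-Authenticate: Basic realm="caldav"
        return 207, ["public-calendar", "private-calendar"]
    if path.startswith("/pubcaldav/") or mixed_mode:
        return 207, ["public-calendar"] + (["private-calendar"] if user else [])
    return 404, []


def client_bootstrap(path, user=None, password=None, preemptive=False, mixed_mode=False):
    """Run the bootstrap PROPFIND and return the (status, collections) the client
    saw on each request. preemptive=True sends credentials on the first request;
    preemptive=False is the 401-waiting client the thread says gets stuck when a
    mixed-mode collection never challenges: it has credentials but never uses them."""
    auth = basic_header(user, password) if preemptive and user else None
    trace = [server_propfind(path, auth, mixed_mode)]
    if trace[-1][0] == 401 and user is not None and not preemptive:
        # Retry once with credentials after the challenge.
        trace.append(server_propfind(path, basic_header(user, password), mixed_mode))
    return trace
```

The mixed-mode, non-pre-emptive case returns only the public view even though the user supplied a valid password, which is the failure the thread attributes to clients that wait for 401.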