Re: [calsify] draft-douglass-subscription-upgrade / Re: Client "Bootstrapping" Procedures for CalDAV/CardDAV for passwordless access

Michael Douglass <mikeadouglass@gmail.com> Fri, 12 October 2018 03:41 UTC

To: Дилян Палаузов <dilyan.palauzov@aegee.org>
Cc: calsify@ietf.org
References: <20180818233752.Horde.esUJKQWOiboWHLScyO3X6Rq@webmail.aegee.org> <821258b3-8eb0-fc80-e023-ef2c8e8f68ef@gmail.com> <20180819030918.Horde.QhV2Wf7cFO4nBkr4bCOLKvj@webmail.aegee.org> <c70feab7a2a2983f16e1842e5522b37972d23d16.camel@aegee.org>
From: Michael Douglass <mikeadouglass@gmail.com>
Message-ID: <8ab0a3dc-dea5-b36a-8912-8e69b44591f4@gmail.com>
Date: Thu, 11 Oct 2018 23:41:18 -0400
In-Reply-To: <c70feab7a2a2983f16e1842e5522b37972d23d16.camel@aegee.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/calsify/XBMiQ_S7M_8MSeB_DVoCyYLaCbI>
Subject: Re: [calsify] draft-douglass-subscription-upgrade / Re: Client "Bootstrapping" Procedures for CalDAV/CardDAV for passwordless access

I'm pretty much opposed to the mixing of authenticated and 
unauthenticated resources on any given context.

If the context /caldav/<anything> always challenges and the context 
/pubcaldav/<anything> never challenges there's not much confusion.

I think that was where I was heading anyway.

It might be worth considering flipping it and advertising a noauth 
option which will never require authentication.

On 10/10/18 03:30, Дилян Палаузов wrote:
> Hello,
>
> the passwordless CalDAV access can be reflected also in
> https://tools.ietf.org/html/draft-douglass-subscription-upgrade-03 :
>
> One CalDAV collection can be accessed in two ways: anonymously (without
> login) and with login.  In the former case the client cannot make
> modifications, in the latter the client probably can.
>
> The use case is that any user can edit the ACLs of its own calendar and
> can say that anybody can read it.
>
> Should OPTIONS following draft-douglass-subscription-upgrade publish
> Link: subscribe-caldav or Link: subscribe-caldav-auth for that
> resource?
>
> The current problem with the CalDAV clients is that some of them
> insist on having a username before making a request and others only
> send the username, if they get 401.  For a calendar that can be
> accessed in two modes, the server does not return 401 and the clients
> are stuck.  The only thing a server can do is to send 401 when no user
> name is provided and accept for a user “anonymous@domain” any password.
>
> draft-douglass-subscription-upgrade doesn’t say that for Link:
> subscribe-caldav when the server returns 401 the client shall retry
> with user anonymous@domain and it shouldn’t.
>
> My proposal is to remove subscribe-caldav-auth from the draft and ask
> the user, whether she wants to authenticate for the CalDAV collection.
>
> Greetings
>    Дилян
>
> On Sun, 2018-08-19 at 03:09 +0000, Dilyan Palauzov wrote:
>> Hello Michael,
>>
>> where precisely is HTTP Basic Authentication required for
>> CalDAV/CardDAV and what is the purpose of this requirement?
>>
>> https://tools.ietf.org/html/rfc4918#section-20.1  [WebDAV core RFC]
>> requires support for Digest authentication, permitting other
>> authentications, but appendix E states
>>      Note that the results of
>>      some requests might vary according to whether or not the client is
>>      authenticated -- a PROPFIND might return more visible resources if
>>      the client is authenticated, yet not fail if the client is anonymous.
>>
>> so WebDAV does not require authentication.
>>
>> In RFC4791 CalDAV I cannot find such requirements either.
>>
>> What do you mean by putting authenticated and unauthenticated
>> resources in different contexts?  Do you suggest using different
>> domains, which allow the bootstrapping process to find different URLs?
>>    This will help with clients which send passwords only after
>> receiving 401, but will not help with clients which insist on having a
>> password before performing the bootstrapping.
>>
>> https://tools.ietf.org/html/rfc6352#section-9.3 [CardDAV, Client
>> Configuration] adds:
>>      Given support for SRV records (Section 11) and DAV:current-user-
>>      principal-URL [RFC5397], users only need enter a user identifier,
>>      host name, and password to configure their client.  The client would
>>      take the host name and do an SRV lookup to locate the CardDAV server,
>>      then execute an authenticated PROPFIND on the root/resource looking
>>      for the DAV:current-user-principal-URL property.
>>
>> So clients waiting for 401 before authenticating on performing this
>> PROPFIND are indeed formally wrong.
>>
>> But are CalDAV/CardDAV clients required to authenticate on purpose,
>> was this an oversight not to state more clearly that unauthenticated
>> access is a bad idea, and what speaks against clarifying this now?
>>
>> Greetings
>>     Дилян
>>
>> ----- Message from Michael Douglass <mikeadouglass@gmail.com> ---------
>>      Date: Sat, 18 Aug 2018 21:55:41 -0400
>>      From: Michael Douglass <mikeadouglass@gmail.com>
>> Subject: Re: [calsify] Client "Bootstrapping" Procedures for
>> CalDAV/CardDAV for passwordless access
>>        To: calsify@ietf.org
>>
>>
>>> On 8/18/18 19:37, Dilyan Palauzov wrote:
>>>> Hello,
>>>>
>>>> RFC6764 "Locating Services for Calendaring Extensions to WebDAV
>>>> (CalDAV) and vCard Extensions to WebDAV (CardDAV)", Section 6.
>>>> Client "Bootstrapping" Procedures suggests asking the user for
>>>> minimal amount of data - email address or URL and a password, to
>>>> complete the configuration.
>>>>
>>>> RFC 4918 "HTTP Extensions for Web Distributed Authoring and
>>>> Versioning (WebDAV)" - Appendix E.  Guidance for Clients Desiring
>>>> to Authenticate says:
>>>>
>>>>     Thus, the WebDAV client would be able to authenticate
>>>>     with its first couple requests to the server, provided it had a way
>>>>     to get the authentication challenge from the server with realm name,
>>>>     nonce, and other challenge information.  Note that the results of
>>>>     some requests might vary according to whether or not the client is
>>>>     authenticated -- a PROPFIND might return more visible resources if
>>>>     the client is authenticated, yet not fail if the client is
>>>> anonymous. [...]
>>>>
>>>> My understanding is that a CalDAV server can offer public and
>>>> private calendars.  When users authenticate, they see their own,
>>>> internal and public calendars, but if they don't authenticate
>>>> (=anybody on the globe) can see the public calendar.  In
>>>> particular, for the same requests the server can return different
>>>> answers, depending on whether the user is authenticated, but never
>>>> return 401 to force user authentication.
>>>>
>>>> How shall the bootstrapping work for public calendars?  Entering
>>>> anonymous@domain with any password would work, but this is
>>>> unnecessarily complicated and any user using this mechanism would ask
>>>> herself how software engineers can be so stupid to require users to
>>>> enter useless information.
>>> Bedework offers authenticated and unauthenticated CalDAV.
>>> Unauthenticated is actually not part of the spec as the spec
>>> mandates basic auth. Most other forms of auth don't work with CalDAV
>>> (as specified).
>>>
>>> For basic auth it's quite easy. Put authenticated on one context and
>>> unauth on another. Then the server can challenge on the first
>>> request to the authenticated context. Never challenge on the unauth.
>>>> What about closing the gap by writing one more bootstrapping scenario:
>>>> * for a CalDAV server:
>>>>    (modify first bullet, by inserting *possibly*; inject more bullets)
>>>>    +  Minimal input from a user would consist of a calendar user
>>>>       address and possibly a password.  A calendar user address is defined
>>>>       by iCalendar [RFC5545] to be a URI [RFC3986]. Provided a
>>>>       user identifier and a domain name can be extracted from the
>>>>       URI, this simple "bootstrapping" configuration can be done.
>>>>
>>>>    +  When no password is provided by the user, the client shall
>>>>       assume that the server offers anonymous access and should try the
>>>>       bootstrapping without a password, before forcing the user to enter one
>>>>       on a 401 Unauthenticated response.
>>>>    +  When a password is provided by the user, the client must
>>>>       send WWW-Authenticate when obtaining the DAV:current-user-principal
>>>>       and all subsequent requests, even if the server has not returned
>>>>       401 Unauthenticated.
>>>>
>>>> The explicit "password" is a little bit funny, as the client can
>>>> use WWW-Authenticate: Negotiate/GSSAPI-SPNEGO/KerberosV without any
>>>> password, but I cannot think of a better wording.
>>>>
>>>> Greetings
>>>>    Дилян
>>>>
>>>> _______________________________________________
>>>> calsify mailing list
>>>> calsify@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/calsify
>> ----- End message from Michael Douglass <mikeadouglass@gmail.com> -----
>>
>>
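The two-context policy Michael describes (a /caldav/ context that always challenges, a /pubcaldav/ context that never does) together with the proposed client rule (send credentials preemptively when the user supplied a password, otherwise try anonymously and only treat a 401 as a prompt to ask), as an added illustration that is not code from the thread, Bedework or the draft. The user store, realm name, path prefixes and the exact Link header syntax are constructed assumptions.

```python
import base64

# Constructed demo data (not from any real deployment).
USERS = {"alice": "s3cret"}          # assumed credential store
PRIVATE_PREFIX = "/caldav/"          # always challenges without valid Basic auth
PUBLIC_PREFIX = "/pubcaldav/"        # never challenges
REALM = "calendar"                   # assumed realm name


def _basic_ok(authorization):
    """True if the Authorization header carries valid Basic credentials."""
    if not authorization.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(authorization[6:]).decode().partition(":")
    except ValueError:               # binascii.Error / UnicodeDecodeError
        return False
    return USERS.get(user) == pw


def server(method, path, headers):
    """Toy CalDAV front end: returns (status, response_headers).
    Link rel values follow draft-douglass-subscription-upgrade; the
    '<path>; rel=...' layout is an assumption."""
    if path.startswith(PRIVATE_PREFIX):
        if not _basic_ok(headers.get("Authorization", "")):
            return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
        link = "<%s>; rel=subscribe-caldav-auth" % path
    elif path.startswith(PUBLIC_PREFIX):
        link = "<%s>; rel=subscribe-caldav" % path
    else:
        return 404, {}
    return (200, {"Link": link}) if method == "OPTIONS" else (207, {})


def bootstrap(path, user=None, password=None):
    """Client side of the proposed procedure: with a password, send Basic
    credentials on the very first PROPFIND even though no 401 has been seen;
    without one, try anonymously and surface a 401 as 'needs-credentials'."""
    headers = {}
    if password is not None:
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        headers["Authorization"] = "Basic " + token
    status, _ = server("PROPFIND", path, headers)
    if status == 401:
        return "needs-credentials"
    if status == 207:
        return "ok-authenticated" if headers else "ok-anonymous"
    return "error"
```

A real client would apply the same rule to the DAV:current-user-principal lookup and every later request, and the server would validate credentials on the public context too before granting write access.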