Re: [calsify] Barry Leiba's Discuss on draft-ietf-calext-eventpub-extensions-12: (with DISCUSS and COMMENT)

Michael Douglass <mikeadouglass@gmail.com> Tue, 24 September 2019 03:02 UTC

To: Barry Leiba <barryleiba@computer.org>
Cc: The IESG <iesg@ietf.org>, draft-ietf-calext-eventpub-extensions@ietf.org, calext-chairs@ietf.org, calsify@ietf.org

On 6/26/19 10:41, Barry Leiba wrote:
>>>> — Section 10 —
>>>> It’s good to refer to RFC 3986 for URI-related security considerations, and all
>>>> of them do apply here.
>>>>
>>>> Something else that comes to mind that comes along with a set of new URIs is
>>>> whether they actually point to what they say they do.  I don’t see that there’s
>>>> any way to verify that they do, and I’m very skeptical about the effectiveness
>>>> of warning an end user about this sort of thing, for many reasons.  I can see
>>>> why allowing URIs is convenient and compelling, but I’m very heavily concerned
>>>> about tracking and other privacy leaks, malicious and deceptive content, and
>>>> other such problems, especially considering the prevalence of abusive calendar
>>>> invitations these days.
>>>>
>>>> I’m not sure what the answer is here, but let’s have a discussion about it and
>>>> see where we can go with it.

I'm not sure where to go with this one but I'd like to suggest it's not 
specific to the eventpub extensions spec.

I certainly agree there are a number of privacy and security concerns we 
should highlight but I'd rather see that done as a separate document 
which we can refer to in future. I think it's fair to say that the issue 
of tracking or following bogus URIs is not specific to this draft or to 
calendars in general. There are http headers, links in content etc etc.

I do think it's probably a good time to come up with at least a best 
practices document. There's also the privacy by design work going on in 
the ISO to which we can and probably should provide some input.

Unless we come up with such a document we have no choice but to re-raise 
the concerns every time a new spec comes out.

I do have some privacy issues I'd like to see covered - e.g. attendee or 
recipient information can be used to infer relationships between people 
(sometimes incorrectly).

We do have another CalConnect/IETF call coming up. Perhaps we can spend
a bit of time on the topic then (as we managed to not do so last time).


>>> Maybe a brief discussion at CalConnect/IETF meeting?
>> Yes, that sounds like a good idea.  We'll hold this until then.
> I see the notes from the meeting, and all I see about this document is:
>
>> Eventpub:
>> - https://datatracker.ietf.org/doc/draft-ietf-calext-eventpub-extensions/
>> - Discussion about the SOURCE property (drop it)
>> - Need to define “social calendaring”.
> Was the URI issue I raised discussed?  If not, when can we discuss it
> and clear this up?
>
> Barry