I've researching a little bit about how the<a href="http://phpsyncml.sourceforge.net/"> PHP SyncML server</a> works and about the SyncML protocol itself.<br><br>Here are a few questions about how integrating it, and more:<br>
<br><ul><li>How that PIM data should be stored? I made that question yesterday on #owncloud. Many people said that in files rather than in the database. Maybe, a mixed solution (plain files and also storing the info in the database for other purposes) is the best. But also I have another question. Should that files be stored in the user's data directory, or in another directory?</li>
<li>How the feature should be implemented? I've thought on a owncloud app. With the web interface, you should configure the SyncML server parameters and so. Also, an interface for viewing and editing them would be great. When I refer to PIM data, I'm always speaking about vCard and iCalendar files!</li>
<li>The last part is about security-authenticating issues</li><ul><li>What credentials should be used for the SyncML server authentication? The same as for the owncloud authentication? We should allow the user to make as many accounts as he wants?<br>
</li><li>PHPSyncML server doesn't support MD5, so, by now, all the passwords are transmitted in plain text. You can see them with wireshark. I'm sure that the passwords are stored encrypted in the owncloud database. So, a couple of solutions come to my mind. (I know that MD5 is no longer secure, but it's still a standard, and at least is something...)<br>
</li><ul><li>Implement the feature of handling MD5 passwords by the PHPSyncML server somehow</li><li>As far as I know, if the connection itself is encrypted (HTTPS), it should not matter if the passwords are transmitted in plain text. The main drawback of this solution is that the owncloud server MUST have enabled the HTTPS feature to use SyncML feature, and having HTTPS enabled it's not so trivial. (I mean, maybe some of the standard hosting services doesn't support it, I don't know)</li>
<li>I think that the best solution is both. Being able to support HTTPS connections, and also transmit the passwords encrypted, but I've to start by something, and I don't know how harder any of the solutions to implement will be.<br>
</li></ul></ul></ul><br>What do you think about that? What are the best solutions in your opinion?<br><br>Kunal, you're working also with SyncML, how do you plan to manage that security issues?<br><br>PD: Sorry for my bad english<br>
<br>-- <br>Antonio J. Gallo<br><br>