[Kroupware] Kolab IMAP -> iCal
Diego Rivera
lrivera at racsa.co.cr
Fri May 30 15:09:00 CEST 2003
On Fri, 2003-05-30 at 13:07, Jason A. Pattie wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > I'm going to assume the use of a single "proxy user" that only has read
> > access to the users' Calendar folders is OK'd by everyone. I'll do this
> > using ACL's so that access can also be denied to particular users.
>
> But I just found out yesterday how to authenticate using mod_perl to the
> webserver so you can use the username and password credentials to
> authenticate to the IMAP server.
That's where I don't see a need to use a particular user's own
credentials to obtain their free/busy status. This is an operation that
other users could utilize to retrieve the free/busy information for the
user WITHOUT access to any special set of credentials.
Think of it as the equivalent of a publicly available <user>.vcf that
can be obtained by https://freebusy:xxxx@server.com/freebusy/<user>.vcf
- except it's (potentially) dynamically generated every time.
> Also, if we go the route that the user of the data has to be used, there
> isn't that added administration of setting up the ACL for the "special"
> user, and I would hope, it increases the security of the process
> overall. You should hopefully only be able to mess with one person's
> data if security is compromised rather than every person's data.
The setting/clearing of the ACL is not a big worry in my mind, since
that can easily be scripted onto a button on a webpage, or a
button/checkbox in the client.
It's using the user's credentials when I don't need to that I want to
avoid. That's why I think using a proxy user for READ access is a good
idea - it keeps the user's credentials as secret as possible, and gives
anonymous users access to publicly available calendaring information.
I realize this access is already defined to go through the "freebusy"
user's FTP/HTTP access, but think of this as the capability of
supporting "publish free/busy" even when the client can't publish such
info directly.
I see nothing wrong with this approach, whereas requiring a user's
credentials for reading their calendar info might not be the way to go.
I can just imagine a schmuck or two giving away their credentials when
somebody asks them where they publish their free/busy information!
--
===========================================================
* Diego Rivera *
* *
* "The Disease: Windows, the cure: Linux" *
* *
* E-mail: lrivera<AT>racsa<DOT>co<DOT>cr *
* Replace: <AT>='@', <DOT>='.' *
* *
* GPG: BE59 5469 C696 C80D FF5C 5926 0B36 F8FF DA98 62AD *
* GPG Public Key avaliable at: http://pgp.mit.edu *
===========================================================
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://mail.kde.org/pipermail/kroupware/attachments/20030530/323e3c36/attachment.bin
More information about the Kroupware
mailing list