[Owncloud] Questions regarding the implementation of the SyncML feature for syncing PIM data

Antonio José Gallo Sánchez antoniojgallo at gmail.com
Sun Jul 10 20:01:31 UTC 2011 

I've researching a little bit about how the PHP SyncML
server<http://phpsyncml.sourceforge.net/>works and about the SyncML
protocol itself.

Here are a few questions about how integrating it, and more:


   - How that PIM data should be stored? I made that question yesterday on
   #owncloud. Many people said that in files rather than in the database.
   Maybe, a mixed solution (plain files and also storing the info in the
   database for other purposes) is the best. But also I have another question.
   Should that files be stored in the user's data directory, or in another
   directory?
   - How the feature should be implemented? I've thought on a owncloud app.
   With the web interface, you should configure the SyncML server parameters
   and so. Also, an interface for viewing and editing them would be great. When
   I refer to PIM data, I'm always speaking about vCard and iCalendar files!
   - The last part is about security-authenticating issues
      - What credentials should be used for the SyncML server
      authentication? The same as for the owncloud authentication? We
should allow
      the user to make as many accounts as he wants?
      - PHPSyncML server doesn't support MD5, so, by now, all the passwords
      are transmitted in plain text. You can see them with wireshark. I'm sure
      that the passwords are stored encrypted in the owncloud database. So, a
      couple of solutions come to my mind. (I know that MD5 is no
longer secure,
      but it's still a standard, and at least is something...)
      - Implement the feature of handling MD5 passwords by the PHPSyncML
         server somehow
         - As far as I know, if the connection itself is encrypted (HTTPS),
         it should not matter if the passwords are transmitted in
plain text. The
         main drawback of this solution is that the owncloud server
MUST have enabled
         the HTTPS feature to use SyncML feature, and having HTTPS
enabled it's not
         so trivial. (I mean, maybe some of the standard hosting
services doesn't
         support it, I don't know)
         - I think that the best solution is both. Being able to support
         HTTPS connections, and also transmit the passwords encrypted,
but I've to
         start by something, and I don't know how harder any of the
solutions to
         implement will be.


What do you think about that? What are the best solutions in your opinion?

Kunal, you're working also with SyncML, how do you plan to manage that
security issues?

PD: Sorry for my bad english

-- 
Antonio J. Gallo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/owncloud/attachments/20110710/e65c4bd6/attachment.html>

More information about the Owncloud mailing list