Last Call Review of draft-ietf-calext-jscalendar-26
review-ietf-calext-jscalendar-26-secdir-lc-hallam-baker-2020-03-10-00

Request Review of draft-ietf-calext-jscalendar
Requested rev. no specific revision (document currently at 30)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2020-03-09
Requested 2020-02-24
Authors Neil Jenkins, Robert Stepanek
Draft last updated 2020-03-10
Completed reviews Secdir Last Call review of -26 by Phillip Hallam-Baker (diff)
Genart Last Call review of -25 by Robert Sparks (diff)
Assignment Reviewer Phillip Hallam-Baker
State Completed
Review review-ietf-calext-jscalendar-26-secdir-lc-hallam-baker-2020-03-10
Posted at https://mailarchive.ietf.org/arch/msg/secdir/ULqVdlaPXN8br0cFpmUKP3qEv5I
Reviewed rev. 26 (document currently at 30)
Review result Has Issues
Review completed: 2020-03-10

Review
review-ietf-calext-jscalendar-26-secdir-lc-hallam-baker-2020-03-10

The Security Considerations need to be substantially expanded to address:

1) Spam
2) Duplication
3) Time Zones
4) Authentication

The first issue is a major problem with ical attachments, applications assume that these are authentic and create entries. It is stupid but it is ubiquitous. There should be note of this as it is a very common channel exploited by spamers.

Duplication is a related problem. Calendar entries should have a unique persistent ID and clients should check these so that updates on multiple devices don't end up resulting in a dozen calendar entries which happens to me repeatedly.

Time Zones are a related problem it is important to make sure that the time zone of recurring entries is correctly set. Why is this a security issue? Because I have been in a situation where a meeting secretary deliberately sent out a maliciously crafted meeting announcement to make sure the 'wrong people' didn't attend. 

Authentication is my main concern though as my entire home automation system runs off a a task database that is based on a JSON calendar format which is not this format _yet_. My plan being to let you folk do the work and then wrap authentication round it.

So when I am done, the calendar will drive the selection of what happens in the house. The school calendars will be loaded and these will cause the alarms for myself and the kids to come on when it is a school day and not otherwise. Same for heating etc. If one of us is traveling, there will be adjustments etc. 

This is obviously a stretch goal but it is clearly something that will be commonplace at some point. Calendaring systems are going to be about more than just work appointments. And that means we need authentication. The draft does not need to say HOW this is done but it does need to say you need to do it.

A related concern is that many companies set up accounts for each meeting room and you reserve the room for your meeting by 'inviting' it to the meeting. Now consider doing the same in a serviced office scenario, you want the convenience but there is also going to be a payments interface because you pay for the meeting room by the hour.


In the general body of the text, the treatment of recurring events MUST address time zones and daylight savings. This is the stuff iCal didn't get right at first and that lead to pain.