Skip to main content

Last Call Review of draft-ietf-calext-jscalendar-26
review-ietf-calext-jscalendar-26-secdir-lc-hallam-baker-2020-03-10-00

Request Review of draft-ietf-calext-jscalendar
Requested revision No specific revision (document currently at 32)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2020-03-09
Requested 2020-02-24
Authors Neil Jenkins , Robert Stepanek
Draft last updated 2020-03-10
Completed reviews Secdir Last Call review of -26 by Phillip Hallam-Baker (diff)
Genart Last Call review of -25 by Robert Sparks (diff)
Secdir Telechat review of -32 by Phillip Hallam-Baker
Assignment Reviewer Phillip Hallam-Baker
State Completed
Review review-ietf-calext-jscalendar-26-secdir-lc-hallam-baker-2020-03-10
Posted at https://mailarchive.ietf.org/arch/msg/secdir/ULqVdlaPXN8br0cFpmUKP3qEv5I
Reviewed revision 26 (document currently at 32)
Result Has Issues
Completed 2020-03-10
review-ietf-calext-jscalendar-26-secdir-lc-hallam-baker-2020-03-10-00
The Security Considerations need to be substantially expanded to address:

1) Spam
2) Duplication
3) Time Zones
4) Authentication

The first issue is a major problem with ical attachments, applications assume
that these are authentic and create entries. It is stupid but it is ubiquitous.
There should be note of this as it is a very common channel exploited by
spamers.

Duplication is a related problem. Calendar entries should have a unique
persistent ID and clients should check these so that updates on multiple
devices don't end up resulting in a dozen calendar entries which happens to me
repeatedly.

Time Zones are a related problem it is important to make sure that the time
zone of recurring entries is correctly set. Why is this a security issue?
Because I have been in a situation where a meeting secretary deliberately sent
out a maliciously crafted meeting announcement to make sure the 'wrong people'
didn't attend.

Authentication is my main concern though as my entire home automation system
runs off a a task database that is based on a JSON calendar format which is not
this format _yet_. My plan being to let you folk do the work and then wrap
authentication round it.

So when I am done, the calendar will drive the selection of what happens in the
house. The school calendars will be loaded and these will cause the alarms for
myself and the kids to come on when it is a school day and not otherwise. Same
for heating etc. If one of us is traveling, there will be adjustments etc.

This is obviously a stretch goal but it is clearly something that will be
commonplace at some point. Calendaring systems are going to be about more than
just work appointments. And that means we need authentication. The draft does
not need to say HOW this is done but it does need to say you need to do it.

A related concern is that many companies set up accounts for each meeting room
and you reserve the room for your meeting by 'inviting' it to the meeting. Now
consider doing the same in a serviced office scenario, you want the convenience
but there is also going to be a payments interface because you pay for the
meeting room by the hour.

In the general body of the text, the treatment of recurring events MUST address
time zones and daylight savings. This is the stuff iCal didn't get right at
first and that lead to pain.