[Cosmo-dev] Thoughts on sharing
Brian Moseley
bcm at osafoundation.org
Tue Jul 11 07:57:15 PDT 2006
On 7/10/06, Charles Mattair <cmattair at simdeskcorp.com> wrote:
> Actually, in looking at the problem a little longer, this is less a
> CalDAV problem than a WebDAV one.
right, this problem is much bigger than calendars.
the basic approach is to just give access to your content to people
whom your server can authoritatively identify by credential
presentation. you can control access to specific pieces of content
through standard mechanisms such as ACLs.
you can open the content up to everybody else by having the server
look for a token or ticket in the content request. if the ticket is
presented, the user's identity is presumed to have been validated out
of band by the person who granted the ticket on the content in the
first place. but of course that's a much weaker form of security.
one compromise is to delegate security decisions to an external
trusted service. this is similar to the ticket scenario in that the
content server gets a request with a token in it that asserts the
requestor has authenticated himself to the service that "owns" his
identity. the assertion is validated by the content server, though, which
contacts the external service and presents the token for confirmation.
this also allows the content server to request any identity
information about the requestor that may be available. one
implementation of such a federated identity system is shibboleth.
here's a good article on the subject:
<http://www.educause.edu/apps/eq/eqm04/eqm0442.asp?bhcp=1>
eventually cosmo will support shibboleth and will track other identity
management work. having each content server be authoritative wrt
identity is a relic of an age that is rapidly passing us by.