Handling of private/confidential groupware objects

Joon Radley joon at radleys.co.za
Thu Jan 12 09:22:30 CET 2006


Hi Martin,

> Actually further investigation into OL/EX showed that MS 
> actually does exactly that. On the wire the "private" 
> information is fully available and it is only hidden in the OL GUI!
> 
> This seems to be known in the OL community.
> 
> see also: http://www.slipstick.com/emo/2006/up060105.htm#private

Found this in the same section, which just goes back to server access
control:

"Whether another user can see if you have private items during a search
depends on the permissions the user has on the mailbox, so this is actually
a configuration problem. In this case, the administrator gave users too many
permissions on the Security tab of the shared account's property sheets in
Active Directory User and Computers."

> Due to the fact that our data format is not as obscure as MS 
> Exchange we would need further "protection". A trivial means 
> for providing this kind of obscurity could be a shared key. 
> This key would be shared by all "Kolab.org approved" clients.
>
> We would then use copyright in order to prevent other clients 
> from using our key ;-)

This fails on a number of levels:
A) Is Kolab-XML and Kolab server now a closed entity? Who will determine
what or who is a "Kolab.org approved" client? Who will have the power to
revoke the right to use the key?
B) We are back at obfuscation instead of real access control. What real
protection will this provide as the key will be open source?
C) This also has bearing on your "hidden private subfolder". Private objects
are not totally hidden. The objects are only partially displayed, e.g. the
start and end times, so that the shared user can see when the main user has
an appointment, but cannot see details about the appointment. The important
thing is that the server only provides certain parts of the information.

Best regards

Joon Radley
Radley Network Technologies CC
Cell: +27 (0)83 368 8557
Fax: +27 (0)12 998 4346
E-mail: joon at radleys.co.za
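
Point C of the message above, sketched as an added example; it is not part of the original message and is not Kolab server code. The element names, the sample event and the `serve_event` helper are assumptions made for illustration. The server builds the response for a non-owner from an allow-list, so the details never reach the wire.

```python
import xml.etree.ElementTree as ET

# Constructed sample event; element names are assumptions for illustration.
SAMPLE_EVENT = """<event version="1.0">
  <uid>constructed-uid-0001</uid>
  <sensitivity>private</sensitivity>
  <start-date>2006-01-12T09:00:00Z</start-date>
  <end-date>2006-01-12T10:00:00Z</end-date>
  <summary>Constructed summary text</summary>
  <location>Constructed location</location>
  <body>Constructed details</body>
</event>"""

# Allow-list: the only fields a non-owner receives for a restricted object.
VISIBLE_TO_SHARED_USER = ("uid", "start-date", "end-date", "sensitivity")


def serve_event(event_xml: str, owner: str, viewer: str) -> str:
    """Return the XML the server sends to `viewer` for an object of `owner`."""
    event = ET.fromstring(event_xml)
    sensitivity = (event.findtext("sensitivity") or "").strip().lower()
    # Fail closed: only an explicit "public" marking is served in full to
    # other users; a missing or unknown value is treated as restricted.
    if viewer == owner or sensitivity == "public":
        return ET.tostring(event, encoding="unicode")
    # Copy allow-listed fields into a new element instead of deleting known
    # sensitive ones, so unknown or future elements are never leaked.
    reduced = ET.Element(event.tag, dict(event.attrib))
    for name in VISIBLE_TO_SHARED_USER:
        child = event.find(name)
        if child is not None:
            ET.SubElement(reduced, name).text = child.text
    return ET.tostring(reduced, encoding="unicode")


def fields_on_wire(xml_text: str) -> list:
    """List the element names actually present in a served response."""
    return [child.tag for child in ET.fromstring(xml_text)]


if __name__ == "__main__":
    print(fields_on_wire(serve_event(SAMPLE_EVENT, "owner", "owner")))
    print(fields_on_wire(serve_event(SAMPLE_EVENT, "owner", "delegate")))
```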



