https://bugs.freedesktop.org/show_bug.cgi?id=56240
--- Comment #5 from Tobias Mueller <[email protected]> --- (In reply to comment #4) > The rationale was that no-one would ever use WebDAV over an unencrypted > channel, because otherwise the equally sensitive private data would be > visible to eavedroppers. > That's a bold assumption. If your usecase doesn't follow a Bell LaPadula security model but rather Biba, then you don't mind exposing the content but the credentials to set the content. Think announcements. I don't mind everyone reading public announcements I store via CalDAV, but I don't want everyone to be able to set or alter these. > Do you use https? > No. Not just yet. I was going step by step. > Sending the credentials in advance could (should?!) be limited to https. > Hm. Maybe. I see usecases for sending credentials besides the server being okay with no credentials. I.e. the announcements scenario where it's perfectly fine to read a calendar, but if you are authorized, you get a different calendar. > I'm out of ideas. Can you recompile from source with the Basic > authentication disabled? yes. Give me a couple of days and feel free to nag me. > In the meantime I'll try to reproduce this with my own setup of > Apache+DAViCal. > Note that Apache is enough. In fact, any webserver that requires Digest Auth should do. I haven't checked whether there is a simple Python implementation but there should be one. -- You are receiving this mail because: You are on the CC list for the bug. You are the assignee for the bug.
_______________________________________________ Syncevolution-issues mailing list [email protected] http://lists.syncevolution.org/listinfo/syncevolution-issues
