iCalendar Transport-Independent Interoperability Protocol (iTIP)
RFC 5546

Document Type RFC - Proposed Standard (December 2009) Errata
Updated by RFC 6638
Obsoletes RFC 2446
Updates RFC 5545
Author Cyrus Daboo
Last updated 2020-01-21
RFC stream Internet Engineering Task Force (IETF)
Formats
txt html pdf htmlized w/errata bibtex
Additional resources Mailing list discussion
IESG Responsible AD Lisa M. Dusseault
Send notices to (None)
Email authors Email WG IPR References Referenced by Search Lists
RFC 5546 
quot;VTODO", or "VJOURNAL" calendar component and republish it
   or redistribute updates to the "Attendees".  An iCalendar object that
   maliciously changes or cancels an existing "VEVENT", "VTODO", or
   "VJOURNAL" calendar component may be constructed by someone other
   than the "Organizer" and republished or sent to the "Attendees".

6.1.2.  Spoofing the Attendee

   In iTIP, an "Attendee" of a "VEVENT" or "VTODO" calendar component
   (or someone working on the "Attendee's" behalf) is the only person
   authorized to update any parameter associated with their "ATTENDEE"

Daboo                       Standards Track                   [Page 124]
RFC 5546                          iTIP                     December 2009

   property and send it to the "Organizer".  An iCalendar object that
   maliciously changes the "ATTENDEE" parameters may be constructed by
   someone other than the real "Attendee" and sent to the "Organizer".

6.1.3.  Unauthorized Replacement of the Organizer

   There will be circumstances when "Attendees" of an event or to-do
   decide, using out-of-band mechanisms, that the "Organizer" must be
   replaced.  When the new "Organizer" sends out the updated "VEVENT" or
   "VTODO", the "Attendee's" CUA will detect that the "Organizer" has
   been changed, but it has no way of knowing whether or not the change
   was mutually agreed upon.

6.1.4.  Eavesdropping and Data Integrity

   The iCalendar object is constructed with human-readable clear text.
   Any information contained in an iCalendar object may be read and/or
   changed by unauthorized persons while the object is in transit.

6.1.5.  Flooding a Calendar

   Implementations could provide a means to automatically incorporate
   "REQUEST" methods into a calendar.  This presents the opportunity for
   a calendar to be flooded with requests, which effectively blocks all
   the calendar's free time.

6.1.6.  Unauthorized REFRESH Requests

   It is possible for an "Organizer" to receive a "REFRESH" request from
   someone who is not an "Attendee" of an event or to-do.  Only
   "Attendees" of an event or to-do are authorized to receive replies to
   "REFRESH" requests.  Replying to such requests to anyone who is not
   an "Attendee" may be a security problem.

6.2.  Recommendations

   For an application where the information is sensitive or critical and
   the network is subject to a high probability of attack, iTIP
   transactions SHOULD be encrypted and authenticated.  This helps
   mitigate the threats of spoofing, eavesdropping, and malicious
   changes in transit.

6.2.1.  Securing iTIP transactions

   iTIP transport bindings MUST provide a mechanism to enable
   authentication of the sender's identity as well as privacy and
   integrity of the data being transmitted.  This allows the receiver of
   a signed iCalendar object to verify the identity of the sender.  This

Daboo                       Standards Track                   [Page 125]
RFC 5546                          iTIP                     December 2009

   sender may then be correlated to an "ATTENDEE" property in the
   iCalendar object.  If the correlation is made and the sender is
   authorized to make the requested change or update, then the operation
   may proceed.  It also allows the message to be encrypted to prevent
   unauthorized reading of the message contents in transit. iTIP
   transport binding documents describe this process in detail.

6.2.2.  Implementation Controls

   The threat of unauthorized replacement of the "Organizer" SHOULD be
   mitigated by a calendar system that uses this protocol by providing
   controls or alerts that make "Calendar Users" aware of such
   "Organizer" changes and allowing them to decide whether or not the
   request should be honored.

   The threat of flooding a calendar SHOULD be mitigated by a calendar
   system that uses this protocol by providing controls that may be used
   to limit the acceptable sources for iTIP transactions, and perhaps
   the size of messages and volume of traffic, by source.

   The threat of unauthorized "REFRESH" requests SHOULD be mitigated by
   a calendar system that uses this protocol by providing controls or
   alerts that allow "Calendar Users" to decide whether or not the
   request should be honored.  An implementation MAY decide to maintain,
   for audit or historical purposes, "Calendar Users" who were part of
   an "Attendee" list and who were subsequently uninvited.  Similar
   controls or alerts should be provided when a "REFRESH" request is
   received from these "Calendar Users" as well.

6.2.3.  Access Controls and Filtering

   In many environments, there could be restrictions on who is allowed
   to schedule with whom and who the allowed delegates are for
   particular "Calendar Users".

   iTIP transport bindings SHOULD provide mechanisms for implementing
   access controls or filtering to ensure iTIP transactions only take
   place between authorized "Calendar Users".  That would include
   preventing one "Calendar User" from scheduling with another or one
   "Calendar User" delegating to another.

6.3.  Privacy Issues

   The "Organizer" might want to keep "Attendees" from knowing which
   other "Attendees" are participating in an event or to-do.  The
   "Organizer" has the choice of sending single iTIP messages with a
   full list of "Attendees" or sending iTIP messages to each "Attendee"
   with only that "Attendee" listed.

Daboo                       Standards Track                   [Page 126]
RFC 5546                          iTIP                     December 2009

7.  IANA Considerations

7.1.  Registration Template for REQUEST-STATUS Values

   This specification updates [RFC5545] by adding a "REQUEST-STATUS"
   value registry to the iCalendar Elements registry.

   A "REQUEST-STATUS" value is defined by completing the following
   template.

      Status Code:  Hierarchical, numeric return status code, following
         the rules defined in Section 3.8.8.3 of [RFC5545].

      Status Description:  Textual status description.  A short but
         clear description of the error.

      Status Exception Data:  Textual exception data.  A short but clear
         description of what might appear in this field.

      Description:  Describe the underlying cause for this status code
         value.

7.2.  Additions to iCalendar METHOD Registry

   This document defines the following values for the iCalendar "METHOD"
   property, using the values template from Section 8.2.6 of [RFC5545].
   These should be added to the Methods Registry defined in Section
   8.3.12 of [RFC5545]:

7.2.1.  METHOD:PUBLISH

   Value:  PUBLISH

   Purpose:  Standard iTIP "METHOD" value.

   Conformance:  Only used with the "METHOD" property.

   Examples:  See this RFC.

7.2.2.  METHOD:REQUEST

   Value:  REQUEST

   Purpose:  Standard iTIP "METHOD" value.

   Conformance:  Only used with the "METHOD" property.

   Examples:  See this RFC.

Daboo                       Standards Track                   [Page 127]
RFC 5546                          iTIP                     December 2009

7.2.3.  METHOD:REPLY

   Value:  REPLY

   Purpose:  Standard iTIP "METHOD" value.

   Conformance:  Only used with the "METHOD" property.

   Examples:  See this RFC.

7.2.4.  METHOD:ADD

   Value:  ADD

   Purpose:  Standard iTIP "METHOD" value.

   Conformance:  Only used with the "METHOD" property.

   Examples:  See this RFC.

7.2.5.  METHOD:CANCEL

   Value:  CANCEL

   Purpose:  Standard iTIP "METHOD" value.

   Conformance:  Only used with the "METHOD" property.

   Examples:  See this RFC.

7.2.6.  METHOD:REFRESH

   Value:  REFRESH

   Purpose:  Standard iTIP "METHOD" value.

   Conformance:  Only used with the "METHOD" property.

   Examples:  See this RFC.

7.2.7.  METHOD:COUNTER

   Value:  COUNTER

   Purpose:  Standard iTIP "METHOD" value.

   Conformance:  Only used with the "METHOD" property.

Daboo                       Standards Track                   [Page 128]
RFC 5546                          iTIP                     December 2009

   Examples:  See this RFC.

7.2.8.  METHOD:DECLINECOUNTER

   Value:  DECLINECOUNTER

   Purpose:  Standard iTIP "METHOD" value.

   Conformance:  Only used with the "METHOD" property.

   Examples:  See this RFC.

7.3.  REQUEST-STATUS Value Registry

   New "REQUEST-STATUS" values can be registered using the process
   described in Section 8.2.1 of [RFC5545].

   The following table is to be used to initialize the "REQUEST-STATUS"
   value registry.

Daboo                       Standards Track                   [Page 129]
RFC 5546                          iTIP                     December 2009

           +-------------+---------+--------------------------+
           | Status Code | Status  | Reference                |
           +-------------+---------+--------------------------+
           | 2.0         | Current | RFC 5546, Section 3.6.1  |
           | 2.1         | Current | RFC 5546, Section 3.6.2  |
           | 2.2         | Current | RFC 5546, Section 3.6.3  |
           | 2.3         | Current | RFC 5546, Section 3.6.4  |
           | 2.4         | Current | RFC 5546, Section 3.6.5  |
           | 2.5         | Current | RFC 5546, Section 3.6.6  |
           | 2.6         | Current | RFC 5546, Section 3.6.7  |
           | 2.7         | Current | RFC 5546, Section 3.6.8  |
           | 2.8         | Current | RFC 5546, Section 3.6.9  |
           | 2.9         | Current | RFC 5546, Section 3.6.10 |
           | 2.10        | Current | RFC 5546, Section 3.6.11 |
           | 2.11        | Current | RFC 5546, Section 3.6.12 |
           | 3.0         | Current | RFC 5546, Section 3.6.13 |
           | 3.1         | Current | RFC 5546, Section 3.6.14 |
           | 3.2         | Current | RFC 5546, Section 3.6.15 |
           | 3.3         | Current | RFC 5546, Section 3.6.16 |
           | 3.4         | Current | RFC 5546, Section 3.6.17 |
           | 3.5         | Current | RFC 5546, Section 3.6.18 |
           | 3.6         | Current | RFC 5546, Section 3.6.19 |
           | 3.7         | Current | RFC 5546, Section 3.6.20 |
           | 3.8         | Current | RFC 5546, Section 3.6.21 |
           | 3.9         | Current | RFC 5546, Section 3.6.22 |
           | 3.10        | Current | RFC 5546, Section 3.6.23 |
           | 3.11        | Current | RFC 5546, Section 3.6.24 |
           | 3.12        | Current | RFC 5546, Section 3.6.25 |
           | 3.13        | Current | RFC 5546, Section 3.6.26 |
           | 3.14        | Current | RFC 5546, Section 3.6.27 |
           | 4.0         | Current | RFC 5546, Section 3.6.28 |
           | 5.0         | Current | RFC 5546, Section 3.6.29 |
           | 5.1         | Current | RFC 5546, Section 3.6.30 |
           | 5.2         | Current | RFC 5546, Section 3.6.31 |
           | 5.3         | Current | RFC 5546, Section 3.6.32 |
           +-------------+---------+--------------------------+

8.  Acknowledgments

   This is an update to the original iTIP document authored by S.
   Silverberg, S. Mansour, F. Dawson, and R. Hopson.

   This revision is the product of the Calsify IETF Working Group, and
   several participants have made important contributions to this
   specification, including Oliver Block, Bernard Desruisseaux, Mike
   Douglass, Tim Hare, Ciny Joy, Bruce Kahn, Reinhold Kainhofer, Eliot
   Lear, Jonathan Lennox, Andy Mabbett, Aki Niemi, John W. Noerenberg
   II, Robert Ransdell, and Caleb Richardson.

Daboo                       Standards Track                   [Page 130]
RFC 5546                          iTIP                     December 2009

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2368]  Hoffman, P., Masinter, L., and J. Zawinski, "The mailto
              URL scheme", RFC 2368, July 1998.

   [RFC5545]  Desruisseaux, B., "Internet Calendaring and Scheduling
              Core Object Specification (iCalendar)", RFC 5545,
              September 2009.

9.2.  Informative References

   [iMIP]     Melnikov, A., Ed., "iCalendar Message-Based
              Interoperability Protocol (iMIP)", Work in Progress,
              October 2009.

Daboo                       Standards Track                   [Page 131]
RFC 5546                          iTIP                     December 2009

Appendix A.  Differences from RFC 2446

A.1.  Changed Restrictions

   This specification now defines an allowed combination of "REQUEST-
   STATUS" codes when multiple iCalendar components are included in an
   iTIP message.

   This specification now restricts "RECURRENCE-ID" to only a single
   occurrence in any one iCalendar component in an iTIP message, as
   required by [RFC5545].

   Changed the "RECURRENCE-ID" entry in the component restriction table
   to "0 or 1" from "0+", to fall in line with [RFC5545].

   Changed the "FREEBUSY" entry in the "VFREEBUSY", "PUBLISH", and
   "REPLY" restriction tables to "0+" from "1+", to fall in line with
   [RFC5545].

   Changed the "FREEBUSY" description in the "VFREEBUSY" and "REPLY"
   restriction tables to indicate that different "FBTYPE" ranges MUST
   NOT overlap.

   Changed the "TZNAME" entry in the "VTIMEZONE" restriction table to
   "0+" from "0 or 1", to fall in line with [RFC5545].

   Changed the "COMMENT" entry in the component restriction tables to
   "0+" from "0 or 1", to fall in line with [RFC5545].

   Added the "ATTENDEE" entry in the "VALARM" restriction table to match
   the email alarm type in [RFC5545].

   Changed the "CATEGORIES" entry in the component restriction tables to
   "0+" from "0 or 1", to fall in line with [RFC5545].

   Changed the "RESOURCES" entry in the component restriction tables to
   "0+" from "0 or 1", to fall in line with [RFC5545].

   Changed the "CONTACT" entry in the "VFREEBUSY" restriction table to
   "0 or 1" from "0+", to fall in line with [RFC5545].

   Changed the "UID" entry in the "VFREEBUSY" and "PUBLISH" restriction
   tables to "1" from "0", to fall in line with [RFC5545].

   Added the "COMPLETED" entry in the "VTODO" restriction tables to fall
   in line with [RFC5545].

Daboo                       Standards Track                   [Page 132]
RFC 5546                          iTIP                     December 2009

   Added the "REQUEST-STATUS" entry in the "VJOURNAL" restriction tables
   to fall in line with [RFC5545].

A.2.  Deprecated Features

   The "EXRULE" property was removed in [RFC5545] and references to that
   have been removed in this document too.

   The "PROCEDURE" value for the "ACTION" property was removed in
   [RFC5545] and references to that have been removed in this document
   too.

   The "THISANDPRIOR" option for the "RANGE" parameter was removed in
   [RFC5545] and references to that have been removed in this document
   too.

Author's Address

   Cyrus Daboo (editor)
   Apple Inc.
   1 Infinite Loop
   Cupertino, CA  95014
   USA

   EMail: cyrus@daboo.name
   URI:   http://www.apple.com/

Daboo                       Standards Track                   [Page 133]