Several of the new properties or parameters defined by this specification allow reference to "external" URIs. Care MUST be taken when accessing data at external URIs as malicious content could be present. Clients SHOULD ensure that suitable permission is granted by calendar users before such URIs are dereferenced.
The "REFRESH-INTERVAL" property could be used by an attacker to make a client carry out rapid requests to the server hosting the calendar by specifying a very short duration (e.g., one second). This could lead to resource consumption on the client or server and to denial- of-service attacks against the server. Clients MUST ensure that they throttle requests to the server to a reasonable rate. In most cases, updating a public calendar once per day would suffice. If the "REFRESH-INTERVAL" is any less than that, clients SHOULD warn the calendar user and allow them to override it with a longer value.
The "CONFERENCE" property can include a "FEATURE" property parameter with a "MODERATOR" value. In some cases, the access code used by the owner/initiator of a conference might be private to an individual, and clients and servers MUST ensure that such properties are not sent to attendees of a scheduled component.
Both the "COLOR" and "IMAGE" properties are likely to be used by calendar users to express their own personal view of the calendar data. In addition, these properties could be used by attackers to produce a confusing display in a calendar user agent. When such properties are encountered in calendar data that has come from other calendar users (e.g., via a scheduling message, "public" calendar subscription, etc.), it is advisable for the client to give the receiving calendar user the option to remove (or adjust) these properties as the data is imported into their calendar system.
This specification changes the recommendations on how "UID" property values are constructed to minimize leaking any information that might be security sensitive.
Security considerations in [RFC5545] and [RFC5546] MUST also be adhered to.