New Properties for iCalendar (RFC 7986)

Parameter Name

LABEL

Purpose

To provide a human-readable label.

Format Definition

This property parameter is defined by the following notation:

 labelparam = "LABEL" "=" param-value

Description

This property parameter MAY be specified on the "CONFERENCE" property. It is anticipated that other extensions to iCalendar will reuse this property parameter on new properties that they define. As a result, clients MUST expect to find this property parameter present on many different properties. It provides a human-readable label that can be presented to calendar users to allow them to discriminate between properties that might be similar or provide additional information for properties that are not self-describing. The "LANGUAGE" property parameter can be used to specify the language of the text in the parameter value (as per Section 3.2.10 of [RFC5545]).

Example

 CONFERENCE;VALUE=URI;FEATURE=VIDEO;
  LABEL="Web video chat, access code=76543";
  :https://video-chat.example.com/;group-id=1234

Several of the new properties or parameters defined by this specification allow reference to "external" URIs. Care MUST be taken when accessing data at external URIs as malicious content could be present. Clients SHOULD ensure that suitable permission is granted by calendar users before such URIs are dereferenced.

The "REFRESH-INTERVAL" property could be used by an attacker to make a client carry out rapid requests to the server hosting the calendar by specifying a very short duration (e.g., one second). This could lead to resource consumption on the client or server and to denial- of-service attacks against the server. Clients MUST ensure that they throttle requests to the server to a reasonable rate. In most cases, updating a public calendar once per day would suffice. If the "REFRESH-INTERVAL" is any less than that, clients SHOULD warn the calendar user and allow them to override it with a longer value.

The "CONFERENCE" property can include a "FEATURE" property parameter with a "MODERATOR" value. In some cases, the access code used by the owner/initiator of a conference might be private to an individual, and clients and servers MUST ensure that such properties are not sent to attendees of a scheduled component.

Both the "COLOR" and "IMAGE" properties are likely to be used by calendar users to express their own personal view of the calendar data. In addition, these properties could be used by attackers to produce a confusing display in a calendar user agent. When such properties are encountered in calendar data that has come from other calendar users (e.g., via a scheduling message, "public" calendar subscription, etc.), it is advisable for the client to give the receiving calendar user the option to remove (or adjust) these properties as the data is imported into their calendar system.

This specification changes the recommendations on how "UID" property values are constructed to minimize leaking any information that might be security sensitive.

Security considerations in [RFC5545] and [RFC5546] MUST also be adhered to.

Several of the new properties or parameters defined by this specification allow reference to "external" URIs. Access to those URIs could be tracked, leading to loss of privacy. Clients SHOULD ensure that suitable permission is granted by calendar users before such URIs are dereferenced. In particular, calendar publishers wishing to help protect the privacy of their subscribers MUST use HTTP with Transport Layer Security [RFC7230] ("https:" URIs instead of "http:" URIs) for access to calendar data or ancillary data such as images.

In general, for their own privacy protection, users have to rely on the privacy policies of any conferencing system being accessed via the "CONFERENCE" property. It is entirely possible for such systems to uniquely identify and log the activity and participation (or lack thereof) of calendar users in the conference. Calendar user agents SHOULD track which conferencing systems are used and warn users the first time a new one is about to be used. This is particularly important if the client automatically "dials in" to the conference when the event start time occurs.

By giving different calendar users different values for the "REFRESH- INTERVAL" property, it is possible for a publisher of calendar data to uniquely identify each refresh from each calendar users' clients and thereby track user activity and IP address over time. To address this, clients SHOULD add or subtract some random amount of time from the published "REFRESH-INTERVAL" value when doing actual refreshes.

This specification changes the recommendations on how "UID" property values are constructed to minimize leaking any information that might be privacy sensitive.

Privacy considerations in [RFC5545] and [RFC5546] MUST also be adhered to.