One of the more frustrating aspects of calendaring systems is that the freebusy lookups are all proprietary. Meeting invitations can be sent from one system to another (assuming you know a time to meet). However, it is not possible to look up when someone from LotusLive, someone from Gmail and someone from Yahoo are all available to meet. In the corporate space this type of scheduling is invaluable.
The format for looking up someone’s freebusy time is included in a standard that was completed in 1998, but they punted on all the hard stuff. The hard bit, as I have mentioned before, is working out where someone’s freebusy is stored on the web and then authenticating with that store in a manner that can be verified. WebFinger and OAuth are now putting the complete round trip within spitting distance.
Below I’ll propose an approach to scheduling a meeting with my mom (who uses Gmail) from LotusLive (which I use). I will be firstname.lastname@example.org (but using LotusLive for my calendaring service) and my mom is email@example.com. We’ll also assume that my mom has told Google that it can share her calendar free time data with anyone in her contact list and that I am in her contact list.
- I head into my calendar service (on LotusLive), click on Add Event and type firstname.lastname@example.org into the invitees list.
- LotusLive now uses WebFinger to look up the different API services that Google provides for access to my mom’s data, along with the corresponding URL for each service. The details on how this works are outlined here on Eran’s blog. At the end of this, LotusLive gets back an XRD document that looks something like the following.
<?xml version='1.0' encoding='UTF-8'?>
From this, LotusLive can now determine that my mom’s freebusy endpoint is at https://google.com/api/calendar/mom/freebusy/. It concludes this by looking for the link with a rel attribute of http://ietf.org/icalendar/freebusy.
- If my mom had made her free time calendar data public, then LotusLive could simply retrieve the data from the URL, but to add to the complexity let’s assume that it requires authentication, i.e. LotusLive needs to prove to Google that it has email@example.com at the browser and then Google checks that firstname.lastname@example.org is in my mom’s contact list. We’ll do something here very similar to what signed fetches do in OpenSocial, i.e. LotusLive will use OAuth to assert that it has email@example.com at the browser. What we’ll end up with is a URL that looks something like
LotusLive has here claimed that it has firstname.lastname@example.org at the browser and using OAuth has signed the request with a private key. It has also indicated where the public key is to validate the signature.
- Google receives the request, retrieves the public key and verifies the signature. If it trusts signatures and keys from LotusLive (verifiable by retrieving certs from an HTTPS URL with a lotuslive.com domain) then it is done at this point. However, that is a fairly large amount of trust to place in LotusLive, as LotusLive could assert on behalf of any identity. Google really needs to check that LotusLive can assert email@example.com’s identity. Here we’ll use WebFinger again.
- Google now does a WebFinger lookup on firstname.lastname@example.org and gets an XRD document such as the one below
<?xml version='1.0' encoding='UTF-8'?>
<Link rel='IDP' href='
Google now sees that lotuslive.com is a valid Identity Provider for email@example.com and so accepts the assertion.
- Google checks that firstname.lastname@example.org is in my mom’s list of contacts and, as I am, returns her freebusy.
- Finally, LotusLive gets a response from Google outlining my mom’s free time and displays it in a nice calendar. I can choose a time that she is free and send her an invite.
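
The two discovery checks in the steps above, sketched as an added example (not code from the original post or from either service). It assumes the OAuth signature has already been verified against a key served by `signer_host`; the function names, the `*.example` accounts and both XRD documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"
FREEBUSY_REL = "http://ietf.org/icalendar/freebusy"  # rel value used in the post
IDP_REL = "IDP"                                       # rel value used in the post

# Constructed XRD documents; all *.example names are placeholders.
OWNER_XRD = """<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'>
  <Subject>acct:mom@provider-b.example</Subject>
  <Link rel='http://ietf.org/icalendar/freebusy'
        href='https://provider-b.example/api/calendar/mom/freebusy/'/>
</XRD>"""
REQUESTER_XRD = """<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'>
  <Subject>acct:me@provider-a.example</Subject>
  <Link rel='IDP' href='https://provider-a.example/'/>
</XRD>"""

def https_links(xrd_text, rel):
    """Return href values of https Link elements with the given rel."""
    # Untrusted XML: a hardened parser such as defusedxml is preferable in production.
    root = ET.fromstring(xrd_text)
    hrefs = [l.get("href", "") for l in root.iter(NS + "Link") if l.get("rel") == rel]
    return [h for h in hrefs if urlsplit(h).scheme == "https"]

def freebusy_endpoint(owner_xrd):
    """Requesting service: discover the owner's freebusy URL, or None."""
    found = https_links(owner_xrd, FREEBUSY_REL)
    return found[0] if found else None

def may_read_freebusy(signer_host, asserted_user, requester_xrd, owner_contacts):
    """Calendar provider: decide after the request signature has verified
    against a key fetched over https from signer_host."""
    subject = ET.fromstring(requester_xrd).findtext(NS + "Subject")
    if subject != "acct:" + asserted_user:
        return False  # XRD describes a different account
    idp_hosts = {urlsplit(h).hostname for h in https_links(requester_xrd, IDP_REL)}
    if signer_host.lower() not in idp_hosts:
        return False  # signer is not a delegated identity provider for this user
    return asserted_user in owner_contacts  # the owner's sharing rule

if __name__ == "__main__":
    print(freebusy_endpoint(OWNER_XRD))
    print(may_read_freebusy("provider-a.example", "me@provider-a.example",
                            REQUESTER_XRD, {"me@provider-a.example"}))
```

The host comparison is an exact match on the parsed hostname, so a signer whose name merely starts with or contains the identity provider's domain is rejected, as is an IDP link served over plain http.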
I know this is not perfect and I know there are probably a fair amount of changes that are needed, but I wanted to jot down something that, I think, is fairly close to a workable solution. Am very interested in others’ thoughts.
P.S. WebFinger on email addresses does provide a means of discovering valid email addresses, but nowhere near as much as this does. The fight against spam can’t center on not making email addresses discoverable.