CodaMail CalDAV/CardDAV Server — Dual Auth Architecture

CodaMail’s privacy preserving CalDAV/CardDAV platform represents a complete rethinking of secure, standards-compliant calendar and contact synchronization. Built entirely around WebDAV/CalDAV/CardDAV RFC standards, it introduces a modern, database-driven architecture with dynamic permissions, tokenless access control, zero-knowledge resource access, and full compatibility with all major DAV clients.

Overview

The CodaMail DAV system is a fully RFC-compliant CalDAV/CardDAV/WebDAV server that integrates directly with webmail’s calendar and contact management. It offers seamless interoperability while replacing traditional static authentication and ACL models with a dynamic, database-backed permission framework.

At the heart of this system is Dual Auth, a mechanism that uses an auth pair to uniquely and securely identify access sessions without relying on static usernames, passwords, or tokens.

Dual Auth: The Auth Pair Model

The Dual Auth system introduces a combined authentication pair: a randomly generated login and password, hashed together and stored only as a single hash entry in the database. The actual login and password values are never stored or recoverable, even by the system itself.

• Each user can generate multiple auth pairs, each with independent permissions and expiration times.
• Each pair maps to a randomized principal ID (Base32 format, to ensure a standard length and proper character control) used internally for client compatibility and zero-knowledge resource access, additionally protecting from replay attacks.
• Authentication occurs by hashing the provided credentials together and comparing that hash to the stored hash, eliminating any reversible secrets as well as utilizing the login field for additional entropy.

Database-Backed, Method-Level Permission Control

Unlike traditional ACL models that apply static permissions at the resource or collection level, the CodaMail DAV system enforces CRUD-level (Create, Read, Update, Delete) permissions at the HTTP method level. This allows dynamic changes in access rights to take effect immediately without requiring reauthentication, token invalidation, or re-issue.

Each auth pair defines specific allowed operations. These permissions can be changed in real time, offering precise control over what each client or integration can do.

Dynamic Expiration and Revocation

Auth pairs are issued with optional expiration policies. They can be automatically or manually revoked, immediately preventing any further access. Because all permission checks occur per-request, revocation takes effect instantly, ensuring robust control in sensitive environments.

RFC Compliance and Client Compatibility

Despite its advanced security model, the system maintains compliance with all relevant standards, including, but not limited to:

• RFC 3253 — WebDAV Versioning (expand-property REPORT, protected properties)
• RFC 3744 — WebDAV ACL (Access control, privileges, owner, acl properties)
• RFC 4791 — CalDAV (Calendar properties, REPORT, calendar-query, free-busy)
• RFC 4918 — WebDAV (Core properties, PROPFIND, PROPPATCH, collections, COPY, MOVE, Class 1/2/3 compliance)
• RFC 5397 — WebDAV Current Principal (current-user-principal discovery)
• RFC 5545 — iCalendar (ICS/VCS format for events/tasks, ORGANIZER/ATTENDEE, CATEGORIES)
• RFC 5689 — Extended MKCOL for WebDAV (creating collections with properties in single request)
• RFC 5842 — WebDAV Bindings (resource-id for unique resource identification)
• RFC 6350 — vCard Format (VERSION property ordering, REV property injection, property preservation)
• RFC 6352 — CardDAV (Addressbook properties, vCard handling, addressbook-query, addressbook-multiget)
• RFC 6578 — WebDAV Sync (sync-token, sync-collection REPORT with allprop compatibility)
• RFC 6638 — CalDAV Scheduling (calendar-user-address-set, schedule-inbox-URL, schedule-outbox-URL)
• RFC 7617 — HTTP Basic Authentication (proper realm and credential caching)
• RFC 7809 — CalDAV Time Zones by Reference (calendar-timezone property with UTC default)
• RFC 8144 — Use of the Prefer Header Field in WebDAV (return-minimal for PROPPATCH optimization)
• RFC 9110 — HTTP Semantics (ETag, If-None-Match, 304 Not Modified, conditional requests)
• CalendarServer Extensions (calendar-proxy, notification-URL, dropbox-home-set, email-address-set, getctag)
• Apple Extensions (calendar-color with 8-char ARGB alpha channel preservation, calendar-order, calendar-enabled, calendar-transparency with PROPPATCH support)

The above properties which would normally contain identifying information are returned with privatized data. Randomized principals properly map. ACLs also properly map to our own unique method level dynamic permissions.

This ensures out-of-the-box compatibility with clients such as Apple Calendar, iOS, macOS Contacts, Thunderbird, DAVx5 with Android, Outlook with DAV plugins, and others — all without requiring protocol extensions or proprietary modifications.

Integration with webmail

The CodaMail DAV server integrates tightly with the webmail’s calendar and contacts, providing a unified interface for web and native client synchronization. Users can create, manage, and revoke auth pairs directly from their webmail environment, streamlining security management.

Key Advantages

• Zero persistent credentials: No recoverable logins, passwords, or tokens are stored.
• Fine-grained, real-time permissions: Access can be dynamically changed or revoked.
• Multi-credential users: Users can maintain multiple concurrent auth pairs for different devices or apps.
• Immediate revocation: No token invalidation delay, changes take effect instantly.
• Zero-Knowledge: Randomized principal IDs provide for zero-knowledge resource access.
• Seamless client compatibility: Works transparently with any standards-compliant DAV client.

Conclusion

The CodaMail CalDAV/CardDAV server represents a major evolution in privacy-first, RFC-compliant groupware. Its Dual Auth architecture combines the security of zero-trust design with the usability of standard DAV protocols, enabling a modern, scalable, and resilient approach to personal and organizational data synchronization.

• Author: Stephen K. Gielda
• Organization: Packetderm, LLC - CodaMail
• Contact: skg@packetderm.com
• Date: 2025-07-05
• This document revised: 2025-11-02
• Revised to include further RFC and property support

This privacy-preserving WebDAV system is protected by:

1. U.S. Provisional Patent Application No. 63/838,770 filed July 4, 2025, titled "System and Method for Dual-Random Component Authentication"

   • Covers the fundamental dual-random authentication method
   • Establishes the cryptographic foundation

2. U.S. Provisional Patent Application No. 63/838,831 filed July 4, 2025, titled "System and Method for Privacy-Preserving Resource Access Through Dynamic URL Routing"

   • Covers the dynamic URL derivation from credentials
   • Protects the resource addressing privacy layer