Re: [apps-discuss] Mail client configuration via WebFinger

Phillip Hallam-Baker <> Mon, 08 February 2016 20:22 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id BEACD1B3242; Mon, 8 Feb 2016 12:22:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id GMDdhKxvz1Gv; Mon, 8 Feb 2016 12:22:56 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4010:c07::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7E63E1B32AE; Mon, 8 Feb 2016 12:22:56 -0800 (PST)
Received: by with SMTP id l143so103049479lfe.2; Mon, 08 Feb 2016 12:22:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=Rl3BwJddE82/NqsqMZ3Mk7vdOMgNv62oE5CrcONew/4=; b=QEN4YTQqek0YGaEj49ZkU+aHAVsFmi3d5pdBy9iIR/9OJLfArP1CXt5bYBQsR3s/qc 9qF7tCnQwZM+vHkz1j2h4oNLSfpy2IuFedFNf+bz5PCEEUFhF8ohiCVIF4LQ19a9gKlB yItE5njzxnsawWZKQCOF50pV6Rcez3kBKpSPwfzVvYLeElmNeOt5aTSZoPI3mza/g+H5 OT9FST+9VAk+6nryYrZz5BTrgPOt7EdTK2F5o5N6kY01K+CI+onLFXsHUlbywwCZvZcy VY8DdntGTwwQjsVgviHr8+YzEmSOCEhBdYiJ1wOIsl8h77scYLBu23kGtBrKmqr92B0W k+kw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=Rl3BwJddE82/NqsqMZ3Mk7vdOMgNv62oE5CrcONew/4=; b=L9CdW+J1Pj/EKBFgGZLCuFcORAYFB0DMogt0MA1jKFO/h/iCkkDKeLqdSqVzREDeTH JuPrHbr6YUxBwRqNPokK1ekOFHU+s/Q/uof08303xxRFX4J3gLzfaGgXy11yQ0AkIoei 5ElKPf0vAc3scAtjRSJO49KUtN1aJwQrhyNOz3g305ogjFP1Zii4oLUZwxR802E6iGFu bY8uc4fyJnMi/7+SxiVHHZC0nPnRjrjRAWBLO9AALqaRc6QUODEA0q9R3nagqfGFkK50 hb/v6gJwwxucl6KVekfmnL4/ZAP2xIk7my00XdQ8KuTkocCSLk4HfZaqho8gpBrfi76f W+Ow==
X-Gm-Message-State: AG10YOSDiW1SCUe3XI+1NAoDEKDV7loNQTv0V3Fx8E6ZiKCLIEfaYbVc5sqYHJJk7fLtKCeH+/Z8Ucvy4HB8Xg==
MIME-Version: 1.0
X-Received: by with SMTP id d7mr4820324lfg.70.1454962974806; Mon, 08 Feb 2016 12:22:54 -0800 (PST)
Received: by with HTTP; Mon, 8 Feb 2016 12:22:54 -0800 (PST)
In-Reply-To: <>
References: <emc9b882a7-c562-43e8-9f49-588d8de9d20b@sydney> <>
Date: Mon, 8 Feb 2016 15:22:54 -0500
X-Google-Sender-Auth: t_h3vjd3BZXXX_DfZNkKXBlNOwg
Message-ID: <>
From: Phillip Hallam-Baker <>
To: Stephen Farrell <>
Content-Type: text/plain; charset=UTF-8
Archived-At: <>
Cc: General discussion of application-layer protocols <>,
Subject: Re: [apps-discuss] Mail client configuration via WebFinger
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: General discussion of application-layer protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 08 Feb 2016 20:22:58 -0000

On Sun, Feb 7, 2016 at 8:45 PM, Stephen Farrell
<> wrote:
> On 08/02/16 00:45, Paul E. Jones wrote:
>> If ACAP was going to take off, I think it would have by now.
> That seems correct to me.
> I think solving this problem in isolation would be worthwhile
> if folks deployed a solution. (IOW, let's not generalise too
> much.)
> My own ask here is that the user not be expected to enter a
> password until after whatever automatable checks can be done,
> have been done. I really hate entering a password into a new
> device before I've gotten any feedback that that device is not
> going to send the password in clear over the network. And yes
> that may be a minority concern, but it is still I think one
> we ought not ignore, esp. as it should be quite possible to
> encourage good behaviour here (it's as easy as encouraging
> bad behaviour;-)


No more password based protocols.

Passwords are not the way to solve this problem except in the
hopefully very rare case of catastrophe recovery.

'We believe in strong cryptography and reviewed code'

The problem with passwords is that a human cannot be expected to
remember any piece of information that is secure enough to be

Remember when the requirement to have mixed case and a punctuation
mark in a password came in? That was in response to Crack published in
1991 which was a dictionary based search running on machines that
could do 35 password tests a second. Four years ago, someone lashed
together 20 GPU cards discarded by the bitcoin miners and built a
machine that could do 350 billion tests a second. It isn't a
dictionary attack and so the password restrictions actually reduce the
search space and make the problem easier.

Passwords are done, they are dead.

If we want to have an application configuration protocol it should be
capable of configuring cryptographic authentication credentials. Now
we might optionally encrypt those credentials with a PIN, but that is
a local security matter, not something that travels over the network.