Re: [apps-discuss] Mail client configuration via WebFinger

"John Levine" <johnl@taugh.com> Mon, 08 February 2016 03:00 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02BA61A8A99 for <apps-discuss@ietfa.amsl.com>; Sun, 7 Feb 2016 19:00:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.873
X-Spam-Level:
X-Spam-Status: No, score=0.873 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, KHOP_DYNAMIC=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v6Ur3klqjOSH for <apps-discuss@ietfa.amsl.com>; Sun, 7 Feb 2016 19:00:34 -0800 (PST)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 943141A8A9B for <apps-discuss@ietf.org>; Sun, 7 Feb 2016 19:00:34 -0800 (PST)
Received: (qmail 89252 invoked from network); 8 Feb 2016 03:00:32 -0000
Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 8 Feb 2016 03:00:32 -0000
Date: 8 Feb 2016 03:00:10 -0000
Message-ID: <20160208030010.88340.qmail@ary.lan>
From: "John Levine" <johnl@taugh.com>
To: apps-discuss@ietf.org
In-Reply-To: <EE5D283AC957E10DA443AA15@JcK-HP8200.jck.com>
Organization:
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/apps-discuss/nuGdsq0WTkp342HyDFgCdKoP0Jw>
Subject: Re: [apps-discuss] Mail client configuration via WebFinger
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/apps-discuss/>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Feb 2016 03:00:36 -0000

>Paul, I wonder whether it is time to revisit ACAP. 

I see your point, but I think the answer is no.  The only ACAP
implementation I can find is one that Dave Cridland put on github in
2014, with a note saying it's work he did a decade earlier and it was
extremely difficult to implement.  There might be one in the
commercial Communigate MTA which wouldn't surprise me because Mr.
Communigate is the kind of guy who implements everything just to be
complete, but if it exists, it's proprietary.  I don't see any ACAP
client libraries other than one that looks like an abandoned Java
implementation from 2007.

>> The idea is basically this:
>>   * User enters paulej@example.com into the email client and email password
>>   * Email client queries
>> https://example.com/.well-known/webfinger?resource=acct%3Apaulej%40example.com

Looking at the success of RDAP, it seems to be a good idea to put
together pieces that people already have implemented.  RDAP is easy
because we already have https query libraries and JSON decoding
libraries, and I'd say this would be too. 

For this application, I'd put in an extra level of indirection with an
SRV or URI lookup, since many (most?) domains have their mail servers
far away from the web servers, and the SRV or URI would give you some
confidence that the server you were talking to would understand the
question you were asking.

I think the security issues are manageable.  An https request with
some sort of verification of the server certificate is more secure
than what nearly all MUAs do to verify their imap and pop servers now.

R's,
John
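An added example, not part of John Levine's message or of any IETF text, sketching the discovery flow the thread discusses: turn a mailbox address into the WebFinger query shown in the quoted text, optionally point it at a host obtained from the SRV or URI indirection John suggests, fetch it over HTTPS with certificate and hostname verification, and pull mail-server hints out of the JSON Resource Descriptor (JRD) reply. The link relation names, the sample JRD document and the `host` parameter are assumptions made for the illustration; nothing on the page or in RFC 7033 defines mail-specific relations.

```python
"""Mailbox address -> WebFinger query -> verified HTTPS fetch -> JRD parse.

Added illustration only; link relations and the sample reply are invented.
"""
import json
import ssl
import urllib.parse
import urllib.request
from typing import Optional

# Hypothetical link relation names (placeholders, not registered relations).
REL_IMAP = "urn:example:mail:imap"
REL_SMTP = "urn:example:mail:submission"


def webfinger_url(address: str, host: Optional[str] = None) -> str:
    """Build the WebFinger query for a mailbox address (RFC 7033 form).

    `host` lets the caller substitute a server located through an SRV or
    URI record, the extra level of indirection suggested in the message;
    by default the mailbox domain itself is queried, as in the quoted URL.
    """
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError("address must be of the form local@domain")
    query = urllib.parse.urlencode({"resource": "acct:" + address})
    return f"https://{host or domain}/.well-known/webfinger?{query}"


def parse_jrd(body: str, expected_subject: str) -> dict:
    """Extract mail endpoints from a JRD document.

    The reply's 'subject' must match what was asked for, so a misrouted
    or substituted answer is not silently accepted as this user's config.
    """
    jrd = json.loads(body)
    subject = jrd.get("subject")
    if subject != expected_subject:
        raise ValueError(f"JRD subject {subject!r} != {expected_subject!r}")
    endpoints = {}
    for link in jrd.get("links", []):
        rel, href = link.get("rel"), link.get("href")
        if rel in (REL_IMAP, REL_SMTP) and href:
            endpoints[rel] = href
    return endpoints


def endpoint_host(href: str) -> str:
    """Host part of a discovered endpoint URI (for policy checks or display)."""
    return urllib.parse.urlsplit(href).hostname or ""


def fetch_jrd(url: str, timeout: float = 10.0) -> str:
    """Fetch a WebFinger document over HTTPS with chain and hostname checks.

    ssl.create_default_context() verifies the certificate chain against the
    system trust store and matches the hostname, the verification step the
    message contrasts with what most MUAs do for their IMAP/POP servers.
    """
    ctx = ssl.create_default_context()
    req = urllib.request.Request(url, headers={"Accept": "application/jrd+json"})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8")


# Constructed sample reply (not real data) so the flow runs offline.
SAMPLE_JRD = json.dumps({
    "subject": "acct:paulej@example.com",
    "links": [
        {"rel": REL_IMAP, "href": "imaps://imap.example.com:993"},
        {"rel": REL_SMTP, "href": "submissions://smtp.example.com:465"},
        {"rel": "http://webfinger.net/rel/profile-page",
         "href": "https://example.com/~paulej"},
    ],
})


def discover(address: str, body: str = SAMPLE_JRD) -> dict:
    """Parse a JRD body for `address`; uses the constructed sample by default."""
    return parse_jrd(body, "acct:" + address)


if __name__ == "__main__":
    print(webfinger_url("paulej@example.com"))
    print(webfinger_url("paulej@example.com", host="wf.example.net"))
    print(discover("paulej@example.com"))
```

To run it against a live server, pass `fetch_jrd(webfinger_url(address))` as the `body` argument of `discover`; any certificate or hostname mismatch raises from `urlopen` before the reply is parsed.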