Re: [art] Auto-configuring Email Clients via WebFinger

["Paul E. Jones" <paulej@packetizer.com>]

John,

The scheme you show is very similar to the WebFinger proposal.  
Essentially, the client queries a well-known address and is given a JSON 
document inside of which is the URL of the config file.  That config 
could easily be put into the initial query, but folks did not want to do 
that back then.  I do have an old example of how to do that, though, but 
it's not in this draft (since security concerns were expressed back 
then).

Another thing to consider is migration.  When a service provider needs 
to move a bunch of users from one server cluster to another, would it 
make more sense to write configs into the customer's /autoconfig/ 
directories or update config files they maintain separately?

Given the push-back I got about XML back then, too, it's probably best 
this is in JSON format (though, again, I have no strong preference).

I think a standard needs to exist so that client developers can adhere 
to something and I think it's unfortunate all we have a vendor-specific 
solutions.

Do others agree?  Or am I one of the few who has this frustration?  I 
suspect I'm not. :)

Paul

------ Original Message ------
From: "John Levine" <johnl@taugh.com>
To: art@ietf.org
Cc: paulej@packetizer.com
Sent: 7/16/2019 1:05:06 AM
Subject: Re: [art] Auto-configuring Email Clients via WebFinger

>In article <em20c214d4-507e-4859-99fc-460e3919ac55@sydney> you write:
>>I have no strong preference for how we solve the problem, but I think we
>>need a standard for this.  I also think we should take into
>>consideration the privacy concerns that were raised when I first talked
>>in context of WebFinger several years ago.  Specifically, people wanted
>>a way to ensure access to the config file was protected.  (I do not
>>recall now why people wanted to keep that private, but they did and were
>>insistent on it.)
>
>Probably to make it harder to enumerate e-mail addresses.  I don't have much
>sympathy for that argument, since bad guys already have more addresses to
>spam than they know what to do with, but it's not a big deal.
>
>More concretely, it seems to me that it would be better to make this a
>profile of the existing autoconfigure scheme, which some MUAs
>implement, rather than webfinger, which no MUAs implement.
>
>The Mozilla design (over-design, really) looks up the configuration
>for alice@example.com at
>https://example.com/.well-known/autoconfig/mail/config-v1.1.xml or
>https://autoconfig.example.com/mail/config-v1.1.xml?emailaddress=alice@example.com
>
>On the theory that web servers generally ignore GET parameters that they don't
>understand, we can look up
>
>https://example.com/.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=alice@example.dom&password=swordfish
>
>and it returns Alice's mail setup, possibly ignoring the address and password and returning a common
>setup for all the mailboxes at example.com.  The password makes it harder for people who aren't
>Alice to snoop on her mail setup.
>
>This doesn't give you the extra Personal/Business level of
>indirection, but I have no idea what it would mean to have two
>different mail configurations for the same e-mail address.  I have
>personal and business mail addresses, but they're different addresses
>which I presumably know and configure either or both as needed.
>
>R's,
>John
>