Re: [art] Auto-configuring Email Clients via WebFinger
Steffen Nurpmeso <steffen@sdaoden.eu> Wed, 17 July 2019 22:31 UTC
Return-Path: <steffen@sdaoden.eu>
X-Original-To: art@ietfa.amsl.com
Delivered-To: art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2240F1200D8 for <art@ietfa.amsl.com>; Wed, 17 Jul 2019 15:31:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2LgVpkr1yMuX for <art@ietfa.amsl.com>; Wed, 17 Jul 2019 15:31:19 -0700 (PDT)
Received: from sdaoden.eu (sdaoden.eu [217.144.132.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF9FD12006A for <art@ietf.org>; Wed, 17 Jul 2019 15:31:18 -0700 (PDT)
Received: by sdaoden.eu (Postfix, from userid 1000) id DAF5B16054; Thu, 18 Jul 2019 00:31:15 +0200 (CEST)
Date: Thu, 18 Jul 2019 00:31:14 +0200
From: Steffen Nurpmeso <steffen@sdaoden.eu>
To: John Levine <johnl@taugh.com>
Cc: art@ietf.org, aaa@bzfx.net
Message-ID: <20190717223114.cO5Om%steffen@sdaoden.eu>
In-Reply-To: <20190717154133.928D850B9EE@ary.qy>
References: <20190717154133.928D850B9EE@ary.qy>
Mail-Followup-To: "John Levine" <johnl@taugh.com>, art@ietf.org, aaa@bzfx.net
User-Agent: s-nail v14.9.13-132-g2b425bda
OpenPGP: id=EE19E1C1F2F7054F8D3954D8308964B51883A0DD; url=https://ftp.sdaoden.eu/steffen.asc; preference=signencrypt
BlahBlahBlah: Any stupid boy can crush a beetle. But all the professors in the world can make no bugs.
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/DvTr1BtaVTm0qDgFKboj2M9fD7U>
Subject: Re: [art] Auto-configuring Email Clients via WebFinger
X-BeenThere: art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/art>, <mailto:art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/art/>
List-Post: <mailto:art@ietf.org>
List-Help: <mailto:art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/art>, <mailto:art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2019 22:31:21 -0000
John Levine wrote in <20190717154133.928D850B9EE@ary.qy>: |In article <3A04338D-CE01-4693-92AF-4AE5CB70A68F@bzfx.net> you write: |>>>> Putting passwords in cleartext in the request uri is ill advised \ |>>>> because many servers keep logs of requests, caches, etc |>> |>> Good point. |>> |>> Plan A: if the server needs the user name and password, it sends back |>> a 401 response and the MUA sends them via RFC 7617 basic |>> authentication. That seems largely backward compatible and invents a |>> minimum of new stuff. Just yesterday i (currently implementing OAUTHBEARER for a BSD Mail clone) thought how easy it would be if the OAUTHBEARER request would have additional fields, like refresh-token etc. A lot of things, including password changes etc., could be done in there, protected via TLS, and managable by the mail protocol itself (SMTP, POP3, IMAP), simply by putting value in data following (on) the response code (line), instead of using a web browser. |>> Plan B: do it as a POST like most web password entries. I realize |>> this has backward compatibility issues with the current GET. |> |>What are the risks if the mail server and HTTP server are maintained \ |>by different authorities? | |I suppose there might be administrative issues giving the web people |access to the mail passwords but that's hardly a new issue. I see |that Apache has a module that does authentication via LDAP, which |would often be enough to solve that particular problem. | |One of the reasons Mozilla checks https://autoconfig.<domain>/ is exactly \ |this: |it lets the mail department run a small special purpose web server \ |separate from |the main web servers. I will never understand where the benefit of turning mail clients into fully blown browsers actually is. I know in the Microsoft world they have sophisticated integration of everything and a XML protocol for that (several years ago i had contact with a person from Microsoft who pointed me to this infrastructure, i was impressed but since have forgotten most; it was not the one who had a soapy bath on a stage). This is actually hard to do with nc / telnet. I mean, i am currently doing OAUTHBEARER: where is the benefit (compared to kinit / kdestroy, which i have local control of)? I really have to go over that immense amount of code that a browser is, and possibly the tab (even if i open an explicit window) shares runtime with other tabs, which possibly have sourced in megabytes of Javascript from who knows where, the most weird seem to come in via reading newspapers. I seem to know Chromium at least optionally separates that better (--site-per-process?). Are you trying to enforce code reuse of anyway linked-in web kits, otherwise i do not know. If that is new code then it needs to be written anyway. Mail protocols offer plenty of possibilities to send passwords, and could easily become extended with some plain text commands. It is all secured via TLS now, everywhere. Extending usage of client certificates in favour of other credentials is also interesting, moving away authentication from the protocol to the transport, and reducing round trips. And POP3 could need a SYNC for enforcing pending deletes to be fixated, and i think a body only receive command would be nice too, also. In the end i will have to implement actions aka "clickable" URLs for a text-mode mail reader. --steffen | |Der Kragenbaer, The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)
- [art] Auto-configuring Email Clients via WebFinger Paul E. Jones
- Re: [art] Auto-configuring Email Clients via WebF… John Levine
- Re: [art] Auto-configuring Email Clients via WebF… Paul E. Jones
- Re: [art] Auto-configuring Email Clients via WebF… John Levine
- Re: [art] Auto-configuring Email Clients via WebF… Bron Gondwana
- Re: [art] Auto-configuring Email Clients via WebF… Paul E. Jones
- Re: [art] Auto-configuring Email Clients via WebF… Paul E. Jones
- Re: [art] Auto-configuring Email Clients via WebF… Larry Masinter
- Re: [art] Auto-configuring Email Clients via WebF… John R Levine
- Re: [art] Auto-configuring Email Clients via WebF… Arnt Gulbrandsen
- Re: [art] Auto-configuring Email Clients via WebF… Paul E. Jones
- Re: [art] Auto-configuring Email Clients via WebF… John R Levine
- Re: [art] Auto-configuring Email Clients via WebF… John Levine
- Re: [art] Auto-configuring Email Clients via WebF… Austin Wright
- Re: [art] Auto-configuring Email Clients via WebF… John Levine
- Re: [art] Auto-configuring Email Clients via WebF… Steffen Nurpmeso
- Re: [art] Auto-configuring Email Clients via WebF… Paul E. Jones
- Re: [art] Auto-configuring Email Clients via WebF… John R Levine
- Re: [art] Auto-configuring Email Clients via WebF… John Levine
- Re: [art] Auto-configuring Email Clients via WebF… Arnt Gulbrandsen
- Re: [art] Auto-configuring Email Clients via WebF… Dave Cridland
- Re: [art] Auto-configuring Email Clients via WebF… Paul E. Jones
- Re: [art] Auto-configuring Email Clients via WebF… Paul E. Jones
- Re: [art] Auto-configuring Email Clients via WebF… Phillip Hallam-Baker
- Re: [art] Auto-configuring Email Clients via WebF… John R Levine
- Re: [art] Auto-configuring Email Clients via WebF… Steffen Nurpmeso
- Re: [art] Auto-configuring Email Clients via WebF… Steffen Nurpmeso
- Re: [art] Auto-configuring Email Clients via WebF… Marten Gajda
- Re: [art] Auto-configuring Email Clients via WebF… Paul E. Jones
- Re: [art] Auto-configuring Email Clients via WebF… Paul E. Jones
- Re: [art] Auto-configuring Email Clients via WebF… John R Levine
- Re: [art] Auto-configuring Email Clients via WebF… Marten Gajda
- Re: [art] Auto-configuring Email Clients via WebF… Dave Cridland
- Re: [art] Auto-configuring Email Clients via WebF… Dave Cridland
- Re: [art] Auto-configuring Email Clients via WebF… Steffen Nurpmeso
- Re: [art] Auto-configuring Email Clients via WebF… John Levine
- Re: [art] Auto-configuring Email Clients via WebF… Marten Gajda
- Re: [art] Auto-configuring Email Clients via WebF… Dave Cridland
- Re: [art] Auto-configuring Email Clients via WebF… John R Levine
- Re: [art] Auto-configuring Email Clients via WebF… Dave Cridland
- Re: [art] Auto-configuring Email Clients via WebF… John Levine
- Re: [art] Auto-configuring Email Clients via WebF… Steffen Nurpmeso
- Re: [art] Auto-configuring Email Clients via WebF… Marten Gajda
- Re: [art] Auto-configuring Email Clients via WebF… Paul E. Jones
- Re: [art] Auto-configuring Email Clients via WebF… John Levine
- Re: [art] Auto-configuring Email Clients via WebF… Dave Cridland
- Re: [art] Auto-configuring Email Clients via WebF… Steffen Nurpmeso
- Re: [art] Auto-configuring Email Clients via WebF… John Levine