IETF Logo Mail Archive

Re: [art] Auto-configuring Email Clients via WebFinger

"John Levine" <johnl@taugh.com> Wed, 17 July 2019 15:41 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: art@ietfa.amsl.com
Delivered-To: art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 184111205FA for <art@ietfa.amsl.com>; Wed, 17 Jul 2019 08:41:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=gSirbtY6; dkim=pass (1536-bit key) header.d=taugh.com header.b=QKf4Phsj
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8vQ7iB6D3KgS for <art@ietfa.amsl.com>; Wed, 17 Jul 2019 08:41:36 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1F04120105 for <art@ietf.org>; Wed, 17 Jul 2019 08:41:35 -0700 (PDT)
Received: (qmail 1883 invoked from network); 17 Jul 2019 15:41:34 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=758.5d2f41ae.k1907; i=johnl-iecc.com@submit.iecc.com; bh=Nwnm560VbyBKo7VsE5IO3NZQC99ZvT8rPD8As0o54no=; b=gSirbtY6Ay/SnEzqV1ckIX25qVveo8sCtX6503b2jTGWRf/RRky5+A33gM+yc89mLmaBG6lRs2v+I4aFo3yyNEVOdlw7jvXRIZQlJARgkaJ1gn8zIhO+ajayH2wUuVWnryfDN70P3sotup4myFg8tz4NKyjhe3f1bJbF35dvgRBVv6/OSChNBZ/9A+n+F9EKXY3b65RRHuYIqR1UINqjZ0JvkYEMeAU03yNgcAjD+smsKgEGzok+eucs9y9aWcSv
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=758.5d2f41ae.k1907; olt=johnl-iecc.com@submit.iecc.com; bh=Nwnm560VbyBKo7VsE5IO3NZQC99ZvT8rPD8As0o54no=; b=QKf4PhsjL7R61dX9CZLuuaU2TZTkFkzJTDmk9376u+VIrHJhL3LyWOHhR7Lo3KFQZdvv7DtjbGVznhOvh8uS1fkx4R0QAcek6OhgeWHNGc42xzJF755omu0sAjnRiuhzmYMhF9Tu6FefI8xpoTWFpmJNrbUDHBRGnsfbjwld/95Zzi3PbXlJbDjfXeCqiKYG2pV4PZNN9vaUw9nxd1QEU1ipFULErhQhZPiINi3nxB+16XP7BT9rsGr3OvocaUer
Received: from ary.qy ([64.246.232.221]) by imap.iecc.com ([64.57.183.75]) with ESMTPSA (TLS1.2 ECDHE-RSA AES-256-GCM AEAD, johnl@iecc.com) via TCP; 17 Jul 2019 15:41:33 -0000
Received: by ary.qy (Postfix, from userid 501) id 928D850B9EE; Wed, 17 Jul 2019 11:41:33 -0400 (EDT)
Date: Wed, 17 Jul 2019 11:41:33 -0400
Message-Id: <20190717154133.928D850B9EE@ary.qy>
From: John Levine <johnl@taugh.com>
To: art@ietf.org
Cc: aaa@bzfx.net
In-Reply-To: <3A04338D-CE01-4693-92AF-4AE5CB70A68F@bzfx.net>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/H_-YPizRDybyylT7zUJm8tm97R0>
Subject: Re: [art] Auto-configuring Email Clients via WebFinger
X-BeenThere: art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/art>, <mailto:art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/art/>
List-Post: <mailto:art@ietf.org>
List-Help: <mailto:art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/art>, <mailto:art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2019 15:41:37 -0000

In article <3A04338D-CE01-4693-92AF-4AE5CB70A68F@bzfx.net> you write:
>>>> Putting passwords in cleartext in the request uri is ill advised because many servers keep logs of requests, caches, etc
>> 
>> Good point.
>> 
>> Plan A: if the server needs the user name and password, it sends back
>> a 401 response and the MUA sends them via RFC 7617 basic
>> authentication.  That seems largely backward compatible and invents a
>> minimum of new stuff.
>> 
>> Plan B: do it as a POST like most web password entries.  I realize
>> this has backward compatibility issues with the current GET.
>> 
>
>What are the risks if the mail server and HTTP server are maintained by different authorities?

I suppose there might be administrative issues giving the web people
access to the mail passwords but that's hardly a new issue.  I see
that Apache has a module that does authentication via LDAP, which
would often be enough to solve that particular problem.

One of the reasons Mozilla checks https://autoconfig.<domain>/ is exactly this:
it lets the mail department run a small special purpose web server separate from
the main web servers.

v2.23.0 | Report a Bug | By Email