Re: [webfinger] [apps-discuss] Mail client configuration via WebFinger

"Paul E. Jones" <> Fri, 03 June 2016 13:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A59F312D1A4 for <>; Fri, 3 Jun 2016 06:40:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.427
X-Spam-Status: No, score=-3.427 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-1.426, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id UbOGOr_g9fgQ for <>; Fri, 3 Jun 2016 06:40:22 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B9AF012D19B for <>; Fri, 3 Jun 2016 06:40:22 -0700 (PDT)
Received: from [] ([]) (authenticated bits=0) by (8.15.2/8.15.2) with ESMTPSA id u53DeHa5007684 (version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 3 Jun 2016 09:40:18 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=dublin; t=1464961219; bh=hzM4q7m4kokR+FauhPUY+koTl1TccLUWCNxqbw3B7OY=; h=From:To:Subject:Date:In-Reply-To:Reply-To; b=XXmR7hfBDyOKESJmx84JpjKHcKekbQh/CIjBe9mFUftnpzzL83mU8AD5SA1MRRDxb XEX9/lBYopDkCrBFmUcxX8nNrrxI6FRGIbhlHQCKdZ4KWxHJvtFfLaWXvfqacyjEeQ PnWSI+5BR+pj7gbjXQTlO+qz9h34+xJUUbWZ5+v8=
From: "Paul E. Jones" <>
To: Marten Gajda <>, "" <>
Date: Fri, 03 Jun 2016 13:40:20 +0000
Message-Id: <em44c60c65-2d14-46a0-adb3-a52d38d160ed@helsinki>
In-Reply-To: <>
User-Agent: eM_Client/6.0.24928.0
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="------=_MBB7BB5188-A9E4-4C2D-B0FC-89C96C086F43"
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.5.16 ( []); Fri, 03 Jun 2016 09:40:19 -0400 (EDT)
Archived-At: <>
Subject: Re: [webfinger] [apps-discuss] Mail client configuration via WebFinger
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: "Paul E. Jones" <>
List-Id: Discussion of the Webfinger protocol proposal in the Applications Area <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 03 Jun 2016 13:40:26 -0000


>So how would the UI work?
>1) User enters user identifier, most likely an email address, like 
> and hits "next"
>2) Client sends a Webfinger request to 
> to see if there is a 
>configuration document
>   -> response 404 Not Found
>    a) Client falls back to "manual setup" or another auto-configuration 
>   -> response 401 Unauthorized

One should not get 401 querying the WebFinger information for the user.  
What should happen is that the server should return a JSON object that 
contains a link relation that might look like this:
     "rel " :  "mail-config",
     "href " : 

Or something like that.  The mail client should query that URI it is 
that one that should result in a potential 401.  The JSON format that 
would come back here would need to be something we define.  It could be 
based on JRD, but would not have to be.

Otherwise, I think the flow looks right.

>    b) Client asks for password at "" and goes back to step 2 
>(this time with authentication)
>   -> response 200 Ok
>    c) client moves on to next step
>3) (optional) Client presents found services to the user to let him 
>select the services to set up
>4) Client runs the setup handler for each selected service
>I think in general that could work but it raises two questions:
>1) How to make sure the user really understands that he's 
>authenticating at in step 2b? If the user tries to 
>configure calendar sync with "" where his login 
>happens to be he might not be prepared to being 
>asked for his password. Maybe I'm just paranoid or 
>overcautious, but I think that it might easily happen that the users 
>sends his password to in that case (since 
>Basic authentication is still the most common mechanism, the client 
>basically sends the password in plain text).

Yeah, that's a valid concern.  The only thing I can suggest is that the 
Subject CN from the certificate is presented to the user.  
Alternatively, there could be two passwords: one that is the 
"configuration password" and one that is the email password.  However, I 
don't think two passwords will help us.  If I want to hack somebody and 
can gain access to their WF config, I can auto-config their email client 
to point to my own IMAP server and just retrieve the password that way.

So, I think we have to rely on the certificate presented to the mail 
client and the user will have to know to trust it.  The mail provider 
can tell the user "when configuring email, ensure that the configuration 
server is and do not provide a password if that 
is not the name of the configuration server indicated."

If the mail config information is not protected with a password, we 
probably would want the customer to verify that the SMTP server 
information is correct before the password is provided.  These would be 
the steps users would take if performing manual configuration, but the 
software presents that information to the user without the user having 
to enter it.

>2) How does the client know which credentials to use to set up the 
>individual services in step 4? Should the client ask the user for the 
>credentials for each service or can it assume that some of them share 
>the same credentials? Is that something an auto-configuration document 
>can help with?

It would be nice if there is a config indicator that says "SMTP server 
and IMAP server passwords are the same", so the client does not have to 

If we use a "config password" then we could even have the server tell 
the client the password for services, which would transparently allow 
those to be different.  Alternatively, the client will have to ask each 
about each one.

For calendaring services, then yes: the client would have to ask the 
user.  It could ask if it's the same or different than the email 
password or the config password.  For some services, the authentication 
mechanisms will be entirely different (like Google Calendar).  The mail 
client will just have to know how to access the service.  For that 
reason, I'm a little hesitant to suggest including calendaring service 
config along with the email config data.  We could have each of those 
services listed in the users' WebFinger document.  For example, I might 
have this entry in my WF document:
     "rel" : "calendar"
     "href" : "urn:whatever:google"

Note I did not provide a URL.  The reason is that this is an entirely 
different service that has an entirely different access method.  Maybe 
the client can ask the user "is our user ID for 
your Google calendar?"  In my case, I don't think it is.  Certainly, 
it's not my gmail ID.  And, I would not want to advertise that to the 
world, necessarily.  Anyway, I think we should limit the scope of what 
we try to do to things that are standard OR we define a generic URN that 
a client will just have to know how to deal with.

>Ideally the server supports some kind of SSO mechanism like OpenID 
>Connect, so you don't need to enter your password multiple times. But a 
>working auto-configuration is really the precondition for this, because 
>an OpenID Connect implementations needs a way to discover the OAuth2 
>scope tokens to request from the server and auto-configuration is 
>really the way to do that, IMO. For this it would be helpful to have 
>some mechanism to request a broader scope from the user (without 
>allowing him to switch to a different account), but that's a different 
>topic I guess.

I definitely like the idea of SSO.  But, I struggle to see how we would 
use this in practice with mail autoconfig since SMTP, IMAP, and POP 
servers require a password, anyway.  If we use that as a means to have 
those passwords provided behind the scenes (as I indicated above), that 
might be a good argument for using OpenID Connect.  In that way, the ISP 
can also ensure that passwords are REALLY complex and unknown even to 
the user.  Not a bad practice, in that we can view those passwords as 
complex tokens.

Would that kind of use of OpenID Connect to retrieve the password be 
workable?  (I'll admit I don't have so much experience with OpenID 
Connect.  I implemented OpenID 2.0, but that's not ideal for what we'd 
want to accomplish here.  I don't have a good feel for how Connect might 
make this better.)