Re: [webfinger] [apps-discuss] Mail client configuration via WebFinger

"Paul E. Jones" <paulej@packetizer.com> Mon, 08 February 2016 01:56 UTC

Return-Path: <paulej@packetizer.com>
X-Original-To: webfinger@ietfa.amsl.com
Delivered-To: webfinger@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 643CB1A89FD; Sun, 7 Feb 2016 17:56:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.003
X-Spam-Level:
X-Spam-Status: No, score=-2.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qtMkU0e4kb21; Sun, 7 Feb 2016 17:56:03 -0800 (PST)
Received: from dublin.packetizer.com (dublin.packetizer.com [75.101.130.125]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31E251A8872; Sun, 7 Feb 2016 17:56:03 -0800 (PST)
Received: from [192.168.1.20] (cpe-098-122-181-215.nc.res.rr.com [98.122.181.215] (may be forged)) (authenticated bits=0) by dublin.packetizer.com (8.15.2/8.15.2) with ESMTPSA id u181txaX020054 (version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 7 Feb 2016 20:56:00 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=packetizer.com; s=dublin; t=1454896560; bh=N6seHTmtDd6J3hF2vP1dDCeMOGuiPIxWNC/kjIF838E=; h=From:To:Subject:Date:In-Reply-To:Reply-To; b=OYxeAJP7RJkoovu4ZIzuWlml/9oe9Ia75EKdQvM4l9Mw/WTMmEOSsnw5JWrbYnNP0 OLUnb2DcktpHxFedsqw1WX45RjHQA4Bqb+lzYKuonPwYxF9pHNoFihEG/+VB7zl0tz iEkNTOnEGQi2lvvvkRpqZSfVPcBuS9H90lZJ8Pj4=
From: "Paul E. Jones" <paulej@packetizer.com>
To: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>, "John C Klensin" <john-ietf@jck.com>, apps-discuss@ietf.org, webfinger@ietf.org
Date: Mon, 08 Feb 2016 01:56:28 +0000
Message-Id: <em509d6af4-51d0-4f8e-a905-31cc4b32adae@sydney>
In-Reply-To: <56B7F345.9060505@cs.tcd.ie>
User-Agent: eM_Client/6.0.24316.0
Mime-Version: 1.0
Content-Type: text/plain; format=flowed; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.5.14 (dublin.packetizer.com [10.109.150.103]); Sun, 07 Feb 2016 20:56:00 -0500 (EST)
Archived-At: <http://mailarchive.ietf.org/arch/msg/webfinger/Ea8dJf3AAhrLVvC_3I_YzPAaprA>
Subject: Re: [webfinger] [apps-discuss] Mail client configuration via WebFinger
X-BeenThere: webfinger@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: "Paul E. Jones" <paulej@packetizer.com>
List-Id: Discussion of the Webfinger protocol proposal in the Applications Area <webfinger.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webfinger>, <mailto:webfinger-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webfinger/>
List-Post: <mailto:webfinger@ietf.org>
List-Help: <mailto:webfinger-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webfinger>, <mailto:webfinger-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Feb 2016 01:56:04 -0000

Stephen,


>On 08/02/16 00:45, Paul E. Jones wrote:
>>
>>  If ACAP was going to take off, I think it would have by now.
>
>That seems correct to me.
>
>I think solving this problem in isolation would be worthwhile
>if folks deployed a solution. (IOW, let's not generalise too
>much.)
>
>My own ask here is that the user not be expected to enter a
>password until after whatever automatable checks can be done,
>have been done. I really hate entering a password into a new
>device before I've gotten any feedback that that device is not
>going to send the password in clear over the network. And yes
>that may be a minority concern, but it is still I think one
>we ought not ignore, esp. as it should be quite possible to
>encourage good behaviour here (it's as easy as encouraging
>bad behaviour;-)

In the case of WebFinger, all requests go over HTTPS only.  That said, I 
think your suggestion is a good one.  It's entirely possible that the 
authentication mechanism might not be password based and we won't know 
what that is until the query is made to the server hosting the 
configuration document.

Paul