Re: [webfinger] [apps-discuss] Mail client configuration via WebFinger

["Paul E. Jones" <paulej@packetizer.com>]

Marten,

Sorry to just be coming back to this after a whole month passed.

What current draft?  Did you write one that I missed?  Or are these 
requirements for the draft you would like to see?

Paul

------ Original Message ------
From: "Marten Gajda" <marten@dmfs.org>
To: "webfinger@ietf.org" <webfinger@ietf.org>
Sent: 6/8/2016 3:35:05 PM
Subject: Re: [webfinger] [apps-discuss] Mail client configuration via 
WebFinger

>All,
>
>I've created a GitHub repository to track open issues with the current 
>draft, see https://github.com/CalConnect/AUTODISCOVERY/issues
>You're welcome to contribute to the discussion, either by creating a 
>new issue or by commenting on an existing one.
>
>Thanks,
>
>Marten
>
>Am 05.06.2016 um 23:00 schrieb Marten Gajda:
>>I think OpenID Connect already covers the discovery of everything you 
>>need to do OAuth2. That involves Webfinger, but there is no need to 
>>protect this request, because it doesn't contain personal information.
>>So we don't need to reinvent the OAuth2 bootstrapping sequence.
>>The only minor issue I see is that you may have to ask the user twice 
>>to grant access. Once to authorize the client to access the 
>>configuration document and another time to authorize the client to 
>>access the individual services. The second step is necessary, because 
>>the scope tokens of these services are not known when the first 
>>authorization request is presented to the user. The problem with that 
>>is, there doesn't seem to be a mechanism to broaden scope, without 
>>allowing the user to switch to a different account. To get access to 
>>the individual services, the client needs to start another 
>>authorization code grant. But the user is always free to log out and 
>>log in with a different account before granting access.
>>
>>Marten
>>
>>Am 03.06.2016 um 20:13 schrieb George Fletcher:
>>>Did a quick scan of the draft document. Given that more and more 
>>>systems are trying to remove the need for passwords, it seems like 
>>>the final solution needs to support 2FA and biometric mechanisms for 
>>>"HTTP authentication". I definitely would not want the webfinger 
>>>instance releasing my config data without my "authentication". I 
>>>suppose OAuth2 could be used to protect the webfinger APIs though 
>>>there is a bit of a chicken-and-egg here:)
>>>
>>>I kind of like the suggestion around returning a 401 with data in the 
>>>WWW-Authenticate header on where to get a token to use with the API. 
>>>This would allow the client to start and OAuth2 flow with the 
>>>Authorization Server specified and that would give the user a clear 
>>>indication of what password/credentials are being requested. Once the 
>>>client gets the token, it uses it with the webfinger call and now the 
>>>service-configuration data is returned because the token is the 
>>>authorization for the specified id.
>>>
>>>Thanks,
>>>George
>>>
>>>On 6/3/16 10:44 AM, Marten Gajda wrote:
>>>>Note that the idea behind 
>>>>https://tools.ietf.org/html/draft-daboo-aggregated-service-discovery-03 
>>>>is to put the service configuration for all services of a provider 
>>>>into a single document.
>>>>
>>>>So you would receive something like this:
>>>>
>>>>{
>>>>     "rel " :  "service-configuration",
>>>>     "href " : "https://example.com/service-configuration"
>>>>}
>>>>
>>>>If a user uses the same account identifier at another provider the 
>>>>Webfinger request could return their configuration too (given there 
>>>>is some mechanism to add it and the provider actually supports 
>>>>that).
>>>>
>>>>{
>>>>     "rel " :  "service-configuration",
>>>>     "href " : "https://example.com/service-configuration"
>>>>},
>>>>{
>>>>     "rel " :  "service-configuration",
>>>>     "href " : "https://acme-calendar.com/service-configuration"
>>>>}
>>>>
>>>>Without that it would be more difficult to setup your account at 
>>>>acme-calendar.com with your login "user@example.com". 
>>>>acme-calendar.com would have to issue some kind of user-identifier 
>>>>like user@acme-calendar.com for auto-configuration purposes, even 
>>>>though you don't use it for authentication (because you use 
>>>>user@exampe.com for authentication). I think that's the idea behind 
>>>>the `acct:` URI scheme, but I don't think that you can explain to 
>>>>users why they need another user identifier and when to use one or 
>>>>the other.
>>>>But that also raises the privacy concerns I mentioned earlier. If 
>>>>the request is not authenticated, everyone could see that you have 
>>>>an account at acme-calendar.com.
>>>>
>>>>Regarding SSO: There is an RFC that extends SASL based 
>>>>authentication to support the token authentication mechanisms as 
>>>>used by OAuth1 and OAuth2, see https://tools.ietf.org/html/rfc7628
>>>>So SSO already works with IMAP, POP3 and SMTP.
>>>>
>>>>Cheers
>>>>
>>>>Marten
>>>>
>>>>
>>>>
>>>>Am 03.06.2016 um 15:40 schrieb Paul E. Jones:
>>>>>Marten,
>>>>>
>>>>>
>>>>>>So how would the UI work?
>>>>>>
>>>>>>1) User enters user identifier, most likely an email address, like 
>>>>>>mailto:user@example.com and hits "next"
>>>>>>
>>>>>>2) Client sends a Webfinger request to 
>>>>>>https://exampe.com/.well-known/webfinger?... to see if there is a 
>>>>>>configuration document
>>>>>>
>>>>>>   -> response 404 Not Found
>>>>>>    a) Client falls back to "manual setup" or another 
>>>>>>auto-configuration mechanism
>>>>>>
>>>>>>   -> response 401 Unauthorized
>>>>>
>>>>>One should not get 401 querying the WebFinger information for the 
>>>>>user.  What should happen is that the server should return a JSON 
>>>>>object that contains a link relation that might look like this:
>>>>>{
>>>>>     "rel " :  "mail-config",
>>>>>     "href " : 
>>>>>"https://mailserver.example.com/config?user=paulej%40packetizer.com"
>>>>>}
>>>>>
>>>>>Or something like that.  The mail client should query that URI it 
>>>>>is that one that should result in a potential 401.  The JSON format 
>>>>>that would come back here would need to be something we define.  It 
>>>>>could be based on JRD, but would not have to be.
>>>>>
>>>>>Otherwise, I think the flow looks right.
>>>>>
>>>>>
>>>>>>
>>>>>>    b) Client asks for password at "example.com" and goes back to 
>>>>>>step 2 (this time with authentication)
>>>>>>
>>>>>>   -> response 200 Ok
>>>>>>    c) client moves on to next step
>>>>>>
>>>>>>3) (optional) Client presents found services to the user to let 
>>>>>>him select the services to set up
>>>>>>
>>>>>>4) Client runs the setup handler for each selected service
>>>>>>
>>>>>>
>>>>>>I think in general that could work but it raises two questions:
>>>>>>
>>>>>>1) How to make sure the user really understands that he's 
>>>>>>authenticating at example.com in step 2b? If the user tries to 
>>>>>>configure calendar sync with "acme-calendar.com" where his login 
>>>>>>happens to be mailto:user@example.com he might not be prepared to 
>>>>>>being asked for his example.com password. Maybe I'm just paranoid 
>>>>>>or overcautious, but I think that it might easily happen that the 
>>>>>>users sends his acme-calendar.com password to example.com in that 
>>>>>>case (since Basic authentication is still the most common 
>>>>>>mechanism, the client basically sends the password in plain text).
>>>>>
>>>>>Yeah, that's a valid concern.  The only thing I can suggest is that 
>>>>>the Subject CN from the certificate is presented to the user.  
>>>>>Alternatively, there could be two passwords: one that is the 
>>>>>"configuration password" and one that is the email password.  
>>>>>However, I don't think two passwords will help us.  If I want to 
>>>>>hack somebody and can gain access to their WF config, I can 
>>>>>auto-config their email client to point to my own IMAP server and 
>>>>>just retrieve the password that way.
>>>>>
>>>>>So, I think we have to rely on the certificate presented to the 
>>>>>mail client and the user will have to know to trust it.  The mail 
>>>>>provider can tell the user "when configuring email, ensure that the 
>>>>>configuration server is mailconfig.example.com and do not provide a 
>>>>>password if that is not the name of the configuration server 
>>>>>indicated."
>>>>>
>>>>>If the mail config information is not protected with a password, we 
>>>>>probably would want the customer to verify that the SMTP server 
>>>>>information is correct before the password is provided.  These 
>>>>>would be the steps users would take if performing manual 
>>>>>configuration, but the software presents that information to the 
>>>>>user without the user having to enter it.
>>>>>
>>>>>
>>>>>>
>>>>>>2) How does the client know which credentials to use to set up the 
>>>>>>individual services in step 4? Should the client ask the user for 
>>>>>>the credentials for each service or can it assume that some of 
>>>>>>them share the same credentials? Is that something an 
>>>>>>auto-configuration document can help with?
>>>>>
>>>>>It would be nice if there is a config indicator that says "SMTP 
>>>>>server and IMAP server passwords are the same", so the client does 
>>>>>not have to ask.
>>>>>
>>>>>If we use a "config password" then we could even have the server 
>>>>>tell the client the password for services, which would 
>>>>>transparently allow those to be different.  Alternatively, the 
>>>>>client will have to ask each about each one.
>>>>>
>>>>>For calendaring services, then yes: the client would have to ask 
>>>>>the user.  It could ask if it's the same or different than the 
>>>>>email password or the config password.  For some services, the 
>>>>>authentication mechanisms will be entirely different (like Google 
>>>>>Calendar).  The mail client will just have to know how to access 
>>>>>the service.  For that reason, I'm a little hesitant to suggest 
>>>>>including calendaring service config along with the email config 
>>>>>data.  We could have each of those services listed in the users' 
>>>>>WebFinger document.  For example, I might have this entry in my WF 
>>>>>document:
>>>>>{
>>>>>     "rel" : "calendar"
>>>>>     "href" : "urn:whatever:google"
>>>>>}
>>>>>
>>>>>Note I did not provide a URL.  The reason is that this is an 
>>>>>entirely different service that has an entirely different access 
>>>>>method.  Maybe the client can ask the user "is 
>>>>>paulej@packetizer.com our user ID for your Google calendar?"  In my 
>>>>>case, I don't think it is.  Certainly, it's not my gmail ID.  And, 
>>>>>I would not want to advertise that to the world, necessarily.  
>>>>>Anyway, I think we should limit the scope of what we try to do to 
>>>>>things that are standard OR we define a generic URN that a client 
>>>>>will just have to know how to deal with.
>>>>>
>>>>>
>>>>>>Ideally the server supports some kind of SSO mechanism like OpenID 
>>>>>>Connect, so you don't need to enter your password multiple times. 
>>>>>>But a working auto-configuration is really the precondition for 
>>>>>>this, because an OpenID Connect implementations needs a way to 
>>>>>>discover the OAuth2 scope tokens to request from the server and 
>>>>>>auto-configuration is really the way to do that, IMO. For this it 
>>>>>>would be helpful to have some mechanism to request a broader scope 
>>>>>>from the user (without allowing him to switch to a different 
>>>>>>account), but that's a different topic I guess.
>>>>>
>>>>>I definitely like the idea of SSO.  But, I struggle to see how we 
>>>>>would use this in practice with mail autoconfig since SMTP, IMAP, 
>>>>>and POP servers require a password, anyway.  If we use that as a 
>>>>>means to have those passwords provided behind the scenes (as I 
>>>>>indicated above), that might be a good argument for using OpenID 
>>>>>Connect.  In that way, the ISP can also ensure that passwords are 
>>>>>REALLY complex and unknown even to the user.  Not a bad practice, 
>>>>>in that we can view those passwords as complex tokens.
>>>>>
>>>>>Would that kind of use of OpenID Connect to retrieve the password 
>>>>>be workable?  (I'll admit I don't have so much experience with 
>>>>>OpenID Connect.  I implemented OpenID 2.0, but that's not ideal for 
>>>>>what we'd want to accomplish here.  I don't have a good feel for 
>>>>>how Connect might make this better.)
>>>>>
>>>>>Paul
>>>>>
>>>>>
>>>>>
>>>>>_______________________________________________ webfinger mailing 
>>>>>list 
>>>>>webfinger@ietf.orghttps://www.ietf.org/mailman/listinfo/webfinger
>>>>
>>>>
>>>>-- Marten Gajda CEO dmfs GmbH Schandauer Straße 34 01309 Dresden 
>>>>GERMANY phone: +49 177 4427167 email: marten@dmfs.org Managing 
>>>>Director: Marten Gajda Registered address: Dresden Registered No.: 
>>>>AG Dresden HRB 34881 VAT Reg. No.: DE303248743
>>>>
>>>>_______________________________________________ webfinger mailing 
>>>>list 
>>>>webfinger@ietf.orghttps://www.ietf.org/mailman/listinfo/webfinger
>>>
>>
>>-- Marten Gajda CEO dmfs GmbH Schandauer Straße 34 01309 Dresden 
>>GERMANY phone: +49 177 4427167 email: marten@dmfs.org Managing 
>>Director: Marten Gajda Registered address: Dresden Registered No.: AG 
>>Dresden HRB 34881 VAT Reg. No.: DE303248743
>>
>>_______________________________________________ webfinger mailing list 
>>webfinger@ietf.orghttps://www.ietf.org/mailman/listinfo/webfinger
>
>-- Marten Gajda CEO dmfs GmbH Schandauer Straße 34 01309 Dresden 
>GERMANY phone: +49 177 4427167 email: marten@dmfs.org Managing 
>Director: Marten Gajda Registered address: Dresden Registered No.: AG 
>Dresden HRB 34881 VAT Reg. No.: DE303248743