... No popular IMAP clients actually support that, though. =(...
69
Tim Showalter
tim.showalter
Jun 2, 2010 9:29 pm
... I don't buy this argument. Plain SASL already supports OTP and dozens of other mechanisms. IMAP, in particular, has built-in support for out-of-band ...
68
Brian Eaton
brian95060
Jun 2, 2010 7:53 pm
... I think dealing with this is way out of scope for OAuth. OAuth is at the wrong spot in the system to deal with this problem. OAuth is the first part of...
67
William Mills
wmills_92105
Jun 2, 2010 7:31 pm
________________________________ From: sasl_oauth@yahoogroups.com [mailto:sasl_oauth@yahoogroups.com] On Behalf Of Brian Eaton Sent: Wednesday, June 02, 2010...
66
Brian Eaton
brian95060
Jun 2, 2010 7:23 pm
... How is this different from imap.evil.com asking for the user's password? Or any normal imap client asking the user for permission for their mailbox at...
65
William Mills
wmills_92105
Jun 2, 2010 7:15 pm
From: sasl_oauth@yahoogroups.com [mailto:sasl_oauth@yahoogroups.com] On Behalf Of Brian Eaton Sent: Wednesday, June 02, 2010 11:31 AM To:...
64
Brian Eaton
brian95060
Jun 2, 2010 6:31 pm
... Sorry, I missed something, maybe a lot of somethings. Why won't PR asserted auth endpoints work?...
63
Bill Mills
wmills_92105
Jun 2, 2010 6:56 am
I've been thinking on the SASL discovery question and I am wondering if requiring a Referrer header on the server side mitigates the problem of an evil server...
62
Bill Mills
wmills_92105
May 24, 2010 6:06 pm
The bearer tokens can be scoped. We don't have a session binding construct really, although you could implement one yourself by putting some kind of nonce in...
61
Anthony Nadalin
nadalin...
May 23, 2010 5:28 pm
Just a little concerned about how the bearer tokens are bound, in the case of cookies I can elect not to support them if I don't trust the use of them, in...
60
Brian Eaton
brian95060
May 21, 2010 6:03 pm
We're fine with bearer tokens as well....
59
William Mills
wmills_92105
May 21, 2010 3:54 pm
That works for the Mail case perhaps, but only if you also have a webmail experience, admittedly most do. Is this generally true for everywhere we want to use...
58
Allen Tom
allentomdude
May 21, 2010 3:41 pm
My general philosophy regarding bearer tokens is that if the underlying data is accessible to the user's browser (like via a WebMail interface) - then that...
57
Bill Mills
wmills_92105
May 21, 2010 3:23 pm
Any objection to using only bearer tokens for SASL OAuth?...
56
Bill Mills
wmills_92105
May 21, 2010 1:44 am
Are there protocols we want to do SASL with that we don't have a user@domain style identifier for? If yes can we convert to user@domain for the purposes of...
55
Bill Mills
wmills_92105
May 21, 2010 1:36 am
There were some pretty compelling arguments made today about OAuth endpoint discovery and server discovery that boil down to "we should not do OAuth discovery...
54
Bill Mills
wmills_92105
May 18, 2010 5:19 am
can be found at http://docs.google.com/View?id=dhjg77m3_0gsn2psdq for those joining recently. -bill...
53
Joseph Smarr
jsmarr
May 14, 2010 2:50 pm
Bill-you gotsta be there man! :) js...
52
William Mills
wmills_92105
May 14, 2010 1:04 am
I'm finding out if I can swing it. I'd love to get together and hammer the spec out. ________________________________ From: sasl_oauth@yahoogroups.com ...
51
Mark Atwood
mark_atwood
May 13, 2010 11:24 pm
I will be there. I'm very excited about SASL OAuth. I lucked into being at the XMPP meeting where XMPP OAuth was presented and approved. The vast majority...
50
Joseph Smarr
jsmarr
May 13, 2010 10:56 pm
Who's coming to IIW next week (http://www.internetidentityworkshop.com/)--we should definitely do a session on the current OAuth SASL proposal! Thanks, js...
49
Bill Mills
wmills_92105
May 12, 2010 6:09 am
Phil, I've updated Section 2 of the doc (http://docs.google.com/View?id=dhjg77m3_0gsn2psdq) which I hope makes it clearer. I'd appreciate further comments...
48
Bill Mills
wmills_92105
May 11, 2010 5:23 pm
Replies in-line. Thanks for taking a read! -bill ... Yes, this is very much like the preliminary Google support. And yours is a great summary of the major...
47
Bill Mills
wmills_92105
May 11, 2010 5:02 pm
Replies in-lined below. Thank you! -bill ... I think using the browser for the HTTP interaction probably wants to be limited to the authz flow, where the user...
46
Phil Pennock
syscomet
May 11, 2010 2:34 am
... Okay, I did, as a prospective client implementor. Background: I've written SASL client code for various mechanisms before and written small apps which use...
45
James Burke
jrburkebc
May 11, 2010 12:39 am
... Skimming through the spec draft[1] from Raindrop's perspective, it looks like the spec draft is similar to what we implemented according to the preliminary...
44
Bill Mills
wmills_92105
May 10, 2010 7:34 pm
Another shoe has dropped. It turns out that OAuth 1.0a references will make getting this on the RFC track much more difficult. Given that, unless there is a...
43
Bill Mills
wmills_92105
May 10, 2010 12:33 am
It would be really useful if someone on the client side could take a read through the spec. Can anyone step up for that? Thanks, -bill...
42
Bill Mills
wmills_92105
May 7, 2010 12:56 am
We've been hammering on this and it's time for a wider review. Please take a read through ...
41
Bill Mills
wmills_92105
May 3, 2010 4:22 pm
I am hoping we'll have a rework hammered out soon. There have been changes to the OAuth 2.0 proposal (adding endpoint discovery) that meant a few changes. ...