My general philosophy regarding bearer tokens is that if the underlying data is accessible to the user¹s browser (like via a WebMail interface) - then that...
59
William Mills
wmills_92105
May 21, 2010 3:54 pm
That works for the Mail case perhaps, but only if you also have a webmail experience, admittedly most do. Is this generally true for everywhere we want to use...
60
Brian Eaton
brian95060
May 21, 2010 6:03 pm
We're fine with bearer tokens as well....
61
Anthony Nadalin
nadalin...
May 23, 2010 5:28 pm
Just a little concerned about how the bearer tokens are bound, in the case of cookies I can elect not to support them if I don't trust the use of them, in...
62
Bill Mills
wmills_92105
May 24, 2010 6:06 pm
The bearer tokens can be scoped. We don't have a session binding construct really, although you could implement one yourself by putting some kind of nonce in...
63
Bill Mills
wmills_92105
Jun 2, 2010 6:56 am
I've been thinking on the SASL discovery question and I am wondering if requiring a Referrer header on the server side mitigates the problem of an evil server...
64
Brian Eaton
brian95060
Jun 2, 2010 6:31 pm
... Sorry, I missed something, maybe a lot of somethings. Why won't PR asserted auth endpoints work?...
65
William Mills
wmills_92105
Jun 2, 2010 7:15 pm
From: sasl_oauth@yahoogroups.com [mailto:sasl_oauth@yahoogroups.com] On Behalf Of Brian Eaton Sent: Wednesday, June 02, 2010 11:31 AM To:...
66
Brian Eaton
brian95060
Jun 2, 2010 7:23 pm
... How is this different from imap.evil.com asking for the user's password? Or any normal imap client asking the user for permission for their mailbox at...
67
William Mills
wmills_92105
Jun 2, 2010 7:31 pm
________________________________ From: sasl_oauth@yahoogroups.com [mailto:sasl_oauth@yahoogroups.com] On Behalf Of Brian Eaton Sent: Wednesday, June 02, 2010...
68
Brian Eaton
brian95060
Jun 2, 2010 7:53 pm
... I think dealing with this is way out of scope for OAuth. OAuth is at the wrong spot in the system to deal with this problem. OAuth is the first part of...
69
Tim Showalter
tim.showalter
Jun 2, 2010 9:29 pm
... I don't buy this argument. Plain SASL already supports OTP and dozens of other mechanisms. IMAP, in particular, has built-in support for out-of-band ...
70
Brian Eaton
brian95060
Jun 2, 2010 9:42 pm
... No popular IMAP clients actually support that, though. =(...
71
Allen Tom
allentomdude
Jun 2, 2010 9:56 pm
I¹m dating myself, but AOL used to have an IMAP client called AOL Communicator that supported OTP+Password it suffered severe usability problems since the...
72
Allen Tom
allentomdude
Jun 3, 2010 8:32 pm
So Bill and I had a quick chat about this scenario. Currently, users who mistype their imap/smtp server hostnames when configuring their mail client end up...
73
Marius
scurtescum
Jun 5, 2010 1:36 am
One of the suggested discovery methods was to use WebFinger on the user entered email address (or username + host). The actual information that needs to be...
74
William Mills
wmills_92105
Jun 5, 2010 3:33 pm
WebFinger certainly solves a significant part of the problem, but there are some who don't feel it is enough. What I'm moving toward is that if the client...
75
Bill Mills
wmills_92105
Jun 28, 2010 5:12 am
I've been poking my way through an implementation of a Cyrus SASL mechanism for OAuth. I've come to the conclusion that simple is easy to write the spec for...
76
Bill Mills
wmills_92105
Jul 16, 2010 11:41 pm
I have a working SASL mechanism with stubbed out authentication. I'm happy to send a tarball to anyone willing to accept the warts and blemishes (no...
77
Bill Mills
wmills_92105
Jan 20, 2011 2:49 am
Greetings. Now that I've finally gotten permission to put my code out into open source I have an implementation of a SASL mechanism in the Cyrus SASL...
78
Bill Mills
wmills_92105
Feb 17, 2011 1:06 am
http://www.ietf.org/id/draft-mills-kitten-sasl-oauth-01.txt I'd appreciate any feedback. -bill...
79
Bill Mills
wmills_92105
Feb 17, 2011 1:10 am
Better is http://trac.tools.ietf.org/html/draft-mills-kitten-sasl-oauth-01 ... -bill...
80
chris.messina
Feb 23, 2011 8:12 pm
Was prompted by Joseph Smarr to post this link to this list: http://fireeagle.yahoo.net/developer/documentation/oauth_over_xmpp Curious if you guys were aware...
81
William J. Mills
wmills_92105
Feb 23, 2011 8:48 pm
Cool stuff. They are extending the XMPP XML there to carry the OAuth credential/signature. From: chris.messina <chris.messina+yahoo@...> To:...
82
Bill Mills
wmills_92105
Jul 8, 2011 7:21 pm
Hi, I've posted a new draft. https://tools.ietf.org/html/draft-mills-kitten-sasl-oauth-03 I believe there is one open issue, and that is whether we're going to...
83
yutaka.obuchi
Aug 26, 2011 5:54 am
Hi all, I am working on SASL OAuth Patch for Nginx mail module. https://github.com/bucchi/OAuthSASLPatchForNginx. And I have just got a question about Example...
84
William J. Mills
wmills_92105
Aug 26, 2011 3:53 pm
Actually it's sending back and empty response payload along with the success message in 5.1. Is it a problem? From the client perspective we figured it was...
85
yutaka.obuchi
Aug 26, 2011 10:41 pm
Hi, Thank you for your comment. I may be missing something. But as I mentioned, in the SASL IMAP spec(http://tools.ietf.org/html/rfc4959) at Chapter4 Example...
86
William J. Mills
wmills_92105
Aug 27, 2011 12:57 am
There doesn't have to be a difference, but there is a final message on the wire to communicate the success or failure. We did it this way to make the sate...
