My general philosophy regarding bearer tokens is that if the underlying data is accessible to the user's browser (like via a WebMail interface) - then that...
That works for the Mail case perhaps, but only if you also have a webmail experience, admittedly most do. Is this generally true for everywhere we want to use...
Just a little concerned about how the bearer tokens are bound, in the case of cookies I can elect not to support them if I don't trust the use of them, in...
The bearer tokens can be scoped. We don't have a session binding construct really, although you could implement one yourself by putting some kind of nonce in...
I've been thinking on the SASL discovery question and I am wondering if requiring a Referrer header on the server side mitigates the problem of an evil server...
... How is this different from imap.evil.com asking for the user's password? Or any normal imap client asking the user for permission for their mailbox at...
________________________________ From: sasl_oauth@yahoogroups.com [mailto:sasl_oauth@yahoogroups.com] On Behalf Of Brian Eaton Sent: Wednesday, June 02, 2010...
... I think dealing with this is way out of scope for OAuth. OAuth is at the wrong spot in the system to deal with this problem. OAuth is the first part of...
... I don't buy this argument. Plain SASL already supports OTP and dozens of other mechanisms. IMAP, in particular, has built-in support for out-of-band ...
I'm dating myself, but AOL used to have an IMAP client called AOL Communicator that supported OTP+Password; it suffered severe usability problems since the...
So Bill and I had a quick chat about this scenario. Currently, users who mistype their imap/smtp server hostnames when configuring their mail client end up...
One of the suggested discovery methods was to use WebFinger on the user entered email address (or username + host). The actual information that needs to be...
WebFinger certainly solves a significant part of the problem, but there are some who don't feel it is enough. What I'm moving toward is that if the client...
I've been poking my way through an implementation of a Cyrus SASL mechanism for OAuth. I've come to the conclusion that simple is easy to write the spec for...
I have a working SASL mechanism with stubbed out authentication. I'm happy to send a tarball to anyone willing to accept the warts and blemishes (no...
Greetings. Now that I've finally gotten permission to put my code out into open source I have an implementation of a SASL mechanism in the Cyrus SASL...
Was prompted by Joseph Smarr to post this link to this list: http://fireeagle.yahoo.net/developer/documentation/oauth_over_xmpp Curious if you guys were aware...
Hi, I've posted a new draft. https://tools.ietf.org/html/draft-mills-kitten-sasl-oauth-03 I believe there is one open issue, and that is whether we're going to...
Hi all, I am working on SASL OAuth Patch for Nginx mail module. https://github.com/bucchi/OAuthSASLPatchForNginx. And I have just got a question about Example...
Actually it's sending back an empty response payload along with the success message in 5.1. Is it a problem? From the client perspective we figured it was...
Hi, Thank you for your comment. I may be missing something. But as I mentioned, in the SASL IMAP spec (http://tools.ietf.org/html/rfc4959) at Chapter 4 Example...
There doesn't have to be a difference, but there is a final message on the wire to communicate the success or failure. We did it this way to make the state...