ietf-822

Re: [ietf-822] WSJ/gmail/ML, was a permission to...

2014-05-06 12:35:03
On Mon, May 5, 2014 at 7:03 AM, John R Levine <johnl(_at_)taugh(_dot_)com> 
wrote:

Those two problems can be solved in different ways.  Gmail could use a
third party's submission server just like they use its pop/imap one.


Gmail does allow you to use a third party submission server, and it looks
like we may have to encourage its use even more in the future.


I'm not sure how realistic that is in practice for users who aren't
uber-nerds.

To set up to use Yahoo's submission server from Gmail, I tried to
configure it in the popup Gmail provided, which failed with an error
message that told me to go log in at Yahoo.  I did, didn't help.  After
some poking around I found a message in my Yahoo inbox that suggested I
needed an app specific password.  (How many people will realize that Yahoo
considers Gmail to be an app?)  It provided a link to the place in their
credential server to create such a password, which is otherwise not easy to
find.  So I finally found it, and made a password for Gmail, and then went
back to Gmail, and used it, and indeed it worked.

But how many people without CS degrees are going to be able to go through
all that?


Yes, it runs up against that other problem, that username/passwords are no
longer near useful enough.  In Gmail's case, you would only need an
application specific password if you have one-time passwords enabled on
your account.  The error message when trying to use your password would
give you this url:
https://support.google.com/accounts/answer/185833
which should be enough for some non-CS types to figure it out.  It's less
than ideal, however.

But, even then, we have
http://googleonlinesecurity.blogspot.com/2014/04/new-security-measures-will-affect-older.html
which means that trying to use a password on an account isn't going to work
all that well in the future.  OAUTH2 SASL is almost an RFC, but using it
still has scaling issues for clients, in that there is no
discovery/registration protocol yet.  Theoretically, once all that is
accomplished and implemented, trying to authorize smtp-msa from one account
to another via the web would be as simple as an ACL pop-up that you can
agree to.

Clearly, that level of interop is a bit further away than we'd want any
solution to the DMARC issue.

Brandon
_______________________________________________
ietf-822 mailing list
ietf-822(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-822