
Re: [Nmh-workers] XOAUTH2 integration, and a few questions

2016-06-28 22:36:19
On Jun 28, 2016, at 7:14 PM, Ken Hornstein <kenh(_at_)pobox(_dot_)com> wrote:

Ah, I see.  THAT works because send(1) reads the profile for you and
passes down the "credentials" entry via the -credentials switch.

Speaking blindly here, but ... do any of these credentials being passed
around in command-line switches or the environment contain private key
data?  We need to beware of ps(1).

Ummm ... that's a good point!

Well, _if_ we're talking about the -credentials switch, no.  All that
passes is the value of the "credentials" profile entry.  If that's a
file, for example, you don't get the file contents.

But if it's a base64-encoded bearer token, that DOES matter.  While the
access token used by a bearer token generally has a lifetime, if you can
see it then you can use it at will until it expires.  So that suggests
to me that we need to make sure it's not visible via ps(1).

(Note: if my understanding of OAuth is wrong, I welcome a correction;
I am not the expert here).

--Ken
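
The ps(1) concern raised in this message, as an added example that is not part of the original thread and not nmh code: on Linux, a value passed as a command-line argument can be read back from /proc/<pid>/cmdline, the data ps(1) prints, while the same value sent over a pipe to the helper's stdin does not appear there. The helper command, the SAMPLE_TOKEN value and the function names are assumptions made for the illustration; only the -credentials switch name comes from the message.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define SAMPLE_TOKEN "Y29uc3RydWN0ZWQtc2FtcGxl" /* constructed, not a real token */

/* 1 if needle is in /proc/<pid>/cmdline, the data ps(1) prints on Linux. */
static int cmdline_contains(pid_t pid, const char *needle)
{
    char path[64], buf[4096];
    snprintf(path, sizeof path, "/proc/%d/cmdline", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    for (size_t i = 0; i < n; i++) if (buf[i] == '\0') buf[i] = ' '; /* NUL-separated */
    buf[n] = '\0';
    return strstr(buf, needle) != NULL;
}

/* Give the token to a hypothetical helper via argv (via_argv != 0) or via a
 * pipe on its stdin; report whether it shows up in the helper's argument list. */
int token_visible(int via_argv)
{
    char *by_argv[] = {"sh", "-c", "echo; read x", "helper", "-credentials", SAMPLE_TOKEN, NULL};
    char *by_pipe[] = {"sh", "-c", "echo; read tok; read x", "helper", NULL};
    int in[2], ready[2];
    char c;
    if (pipe(in) < 0 || pipe(ready) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                           /* helper: stdin and stdout are pipes */
        dup2(in[0], 0); dup2(ready[1], 1);
        close(in[0]); close(in[1]); close(ready[0]); close(ready[1]);
        execvp("sh", via_argv ? by_argv : by_pipe);
        _exit(127);
    }
    close(in[0]); close(ready[1]);
    ssize_t r = read(ready[0], &c, 1);        /* helper echoes once it is running */
    if (r == 1 && !via_argv) r = write(in[1], SAMPLE_TOKEN "\n", strlen(SAMPLE_TOKEN) + 1);
    int seen = r < 1 ? -1 : cmdline_contains(pid, SAMPLE_TOKEN);
    close(in[1]); close(ready[0]);            /* EOF on stdin ends the helper */
    waitpid(pid, NULL, 0);
    return seen;
}

int main(void) { printf("argv: %d, stdin pipe: %d\n", token_visible(1), token_visible(0)); return 0; }
```

A return value of -1 means the helper could not be started or /proc is not available on the system.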
