nmh-workers

Re: [Nmh-workers] XOAUTH2 integration, and a few questions

2016-06-28 23:54:33

On Jun 28, 2016, at 9:47 PM, Ken Hornstein <kenh(_at_)pobox(_dot_)com> wrote:

The key difference (pun intended) is that we're not really doing any
"key management", at least from a crypto perspective, at all, because
as far as OAuth is concerned, there is no crypto.  The access token
needs to be protected via TLS when it is sent over the wire.  Think
of it as a funky password.  On our side, we treat it like a password;
we store it in a file (like we do with passwords in .netrc) and pull
it out when we need it.

I get it. Kerberos uses file permissions to protect the live token (the 
/tmp/krb5_* file).  I just want to make sure we are not letting things like 
that slip through, where people are not aware that, e.g., environment variables 
or process arguments aren't secure.
_______________________________________________
Nmh-workers mailing list
Nmh-workers(_at_)nongnu(_dot_)org
https://lists.nongnu.org/mailman/listinfo/nmh-workers
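
The storage model discussed in this message (a bearer token kept in a file like a `.netrc` password and protected only by file permissions) can be sketched in C as below. This is an added example, not code from the thread or from nmh; the function names `token_save` and `token_load` are hypothetical.

```c
/* Added example, not nmh code: store a token 0600, refuse loose perms. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write token to path as an owner-only file; O_NOFOLLOW rejects a symlink
 * as the final path component. Returns 0 on success, -1 on error. */
int token_save(const char *path, const char *token)
{
    size_t len = strlen(token);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* The mode argument is ignored for an existing file and is masked by
     * umask for a new one, so set it explicitly on the descriptor. */
    if (fchmod(fd, 0600) != 0 || write(fd, token, len) != (ssize_t)len) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Read the token into buf. Returns its length, or -1 if the file is not a
 * regular file owned by us with no group/other permission bits set. */
ssize_t token_load(const char *path, char *buf, size_t bufsz)
{
    struct stat st;
    ssize_t n;
    int fd = bufsz ? open(path, O_RDONLY | O_NOFOLLOW) : -1;
    if (fd < 0)
        return -1;
    /* fstat the open descriptor, not the path, to avoid a check/use race. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        return -1;
    }
    n = read(fd, buf, bufsz - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}
```

Reading the token from a file this way keeps it out of environment variables and process arguments, the two channels the reply above calls out as not secure.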
