Re: [Nmh-workers] XOAUTH2 integration, and a few questions

From: Ken Hornstein
Subject: Re: [Nmh-workers] XOAUTH2 integration, and a few questions
Date: Tue, 28 Jun 2016 23:36:00 -0400

>> On Jun 28, 2016, at 7:14 PM, Ken Hornstein <address@hidden> wrote:
>> Ah, I see.  THAT works because send(1) reads the profile for you and
>> passes down the "credentials" entry via the -credentials switch.
>Speaking blindly here, but ... do any of these credentials being passed
>around in command-line switches or the environment contain private key
>data?  We need to beware of ps(1).

Ummm ... that's a good point!

Well, _if_ we're talking about the -credentials switch, no.  All that
passes is the value of the "credentials" profile entry.  If that's a
file, for example, you don't get the file contents.

But if it's a base64-encoded bearer token, that DOES matter.  While the
access token used by a bearer token generally has a lifetime, if you can
see it then you can use it at will until it expires.  So that suggests
to me that we need to make sure it's not visible via ps(1).

(Note: if my understanding of OAuth is wrong, I welcome a correction;
I am not the expert here).
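The ps(1) concern raised in this message, shown as an added example (not code from nmh or from this thread): a token handed to a child as a switch value can be read from the process listing, while the same token handed over on standard input cannot. The token value and the stand-in child named `worker` are constructed for illustration, and the check assumes Linux /proc or a ps(1) that accepts `-o args=`.

```sh
#!/bin/sh
# Constructed sample value standing in for a base64 bearer token (not a real one).
TOKEN='Y29uc3RydWN0ZWQtc2FtcGxlLXRva2Vu'

# Argument vector of process $1 as other local users can read it:
# /proc/<pid>/cmdline on Linux, otherwise ps(1).
visible_args() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Start a stand-in child ("worker" is a hypothetical name, not an nmh program)
# that receives the token by the given method, then report whether the token
# appears in the child's argument vector. Returns 0 if exposed, 1 if not.
token_exposed() {
    case "$1" in
    argv)   # token handed over as a switch value
        sh -c 'sleep 2; :' worker -credentials "$TOKEN" >/dev/null 2>&1 & ;;
    stdin)  # token handed over on standard input
        sh -c 'read -r tok; sleep 2; :' worker >/dev/null 2>&1 <<EOF &
$TOKEN
EOF
        ;;
    *) return 2 ;;
    esac
    pid=$!
    sleep 1                          # let the child exec before inspecting it
    seen=$(visible_args "$pid") || seen=''
    kill "$pid" 2>/dev/null || :
    wait "$pid" 2>/dev/null || :
    case "$seen" in
    *"$TOKEN"*) return 0 ;;
    *)          return 1 ;;
    esac
}

for how in argv stdin; do
    if token_exposed "$how"; then
        echo "$how: token visible in process listing"
    else
        echo "$how: token not visible in process listing"
    fi
done
```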

