Re: [Nmh-workers] XOAUTH2 integration, and a few questions

From: Lyndon Nerenberg
Subject: Re: [Nmh-workers] XOAUTH2 integration, and a few questions
Date: Tue, 28 Jun 2016 21:54:10 -0700

> On Jun 28, 2016, at 9:47 PM, Ken Hornstein <address@hidden> wrote:
> The key difference (pun intended) is that we're not really doing any
> "key management", at least from a crypto perspective, at all, because
> as far as OAuth is concerned, there is no crypto.  The access token
> needs to be protected via TLS when it is sent over the wire.  Think
> of it as a funky password.  On our side, we treat it like a password;
> we store it in a file (like we do with passwords in .netrc) and pull
> it out when we need it.

I get it. Kerberos uses file permissions to protect the live token (the 
/tmp/krb5_* file).  I just want to make sure we are not letting things like 
that slip through, where people are not aware that, e.g., environment variables 
or process arguments aren't secure.
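
Added example, not part of the original message and not nmh code: one way to treat a stored access token like a .netrc password, writing it owner-only and refusing to read it back if the file is a symlink, is not owned by the caller, or has any group/other permission bits. The function names `write_token_file` and `read_token_file` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L   /* for O_NOFOLLOW, fchmod */
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not nmh code): store a token in a file that only
 * the owner can read or write, whatever the umask is. */
int write_token_file(const char *path, const char *token)
{
    size_t len = strlen(token);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);

    if (fd < 0)
        return -1;
    if (fchmod(fd, 0600) != 0 || write(fd, token, len) != (ssize_t)len) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Hypothetical helper (not nmh code): read the token back only if the file
 * is a regular file, owned by us, with no group/other permission bits.
 * Returns 0 on success, -1 otherwise (token is then the empty string). */
int read_token_file(const char *path, char *token, size_t size)
{
    struct stat st;
    ssize_t n;
    int fd;

    if (size == 0)
        return -1;
    token[0] = '\0';
    fd = open(path, O_RDONLY | O_NOFOLLOW);   /* refuse a symlinked path */
    if (fd < 0)
        return -1;
    /* fstat() the open descriptor so the check and the read see the same file */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()
        || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        return -1;
    }
    n = read(fd, token, size - 1);
    close(fd);
    token[n > 0 ? n : 0] = '\0';
    token[strcspn(token, "\r\n")] = '\0';     /* drop trailing newline */
    return token[0] != '\0' ? 0 : -1;
}
```

Reading the token from a file this way also keeps it out of the process arguments and environment, the two places the message above calls out.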
