Re: [Nmh-workers] XOAUTH2 integration, and a few questions

[Lyndon Nerenberg]

> On Jun 28, 2016, at 9:47 PM, Ken Hornstein <address@hidden> wrote:
> 
> The key difference (pun intended) is that we're not really doing any
> "key management", at least from a crypto persective, at all, because
> as far as OAuth is concerned, there is no crypto.  The access token
> needs to be protected via TLS when it is sent over the wire.  Think
> of it as a funky password.  On our side, we treat it like a password;
> we store it in a file (like we do with passwords in .netrc) and pull
> it out when we need it.

I get it. Kerberos uses file permissions to protect the live token (the 
/tmp/krb5_* file).  I just want to make sure we are not letting things like 
that slip through, where people are not aware that, e.g., environment variables 
or process arguments aren't secure.