Re: webmail and email from command line
On Mon, 19 Aug 2019 17:19:58 +0200
<tomas@tuxteam.de> wrote:

> On Mon, Aug 19, 2019 at 09:47:55AM -0400, Celejar wrote:
> > On Mon, 19 Aug 2019 10:32:31 +0200
> > <tomas@tuxteam.de> wrote:
> > 
> > > On Sun, Aug 18, 2019 at 09:15:45PM -0400, Celejar wrote:
> > > > On Sun, 18 Aug 2019 23:43:35 +0200
> > > > <tomas@tuxteam.de> wrote:
> > > > 
> > > > > On Sun, Aug 18, 2019 at 05:19:28PM -0400, Celejar wrote:
> > > > > > On Fri, 16 Aug 2019 10:10:35 +0200
> > > 
> > > [...]
> > > 
> > > > I think terming Google's decision to call software that doesn't
> > > > implement OAuth "less secure" "evil" is hyperbole [...]
> > > 
> > > This nicely demonstrates my point: OAuth is a HTTP oriented access
> > > delegation protocol. Why should that be at all relevant, e.g. in
> > > the context of IMAP?
> > 
> > From the Introduction to RFC 6749:
> 
> Edited by D. Hardt, Microsoft. Hmmm.

Ad hominem.

> > *****
> > 
> > In the traditional client-server authentication model [...]
> 
> > Third-party applications are required to store the resource
> >       owner's credentials for future use, typically a password in
> >       clear-text.
> 
> So for Mr. Hardt, Kerberos doesn't exist. Or he's talking HTTP context
> only.

Not sure what your point is here: how are the relative merits of
OAuth and Kerberos relevant to the underlying question of whether it is
or is not reasonable for Google to call OAuth more secure than plain
password authentication?

> But I digress: more interesting is this [1]:
> 
>    "Eran Hammer resigned his role of lead author for the OAuth
>     2.0 project, withdrew from the IETF working group, and removed
>     his name from the specification in July 2012. Hammer cited a
>     conflict between web and enterprise cultures as his reason
>     for leaving, noting that IETF is a community that is 'all
>     about enterprise use cases' and 'not capable of simple.'"

Not sure how this is relevant to our discussion.

> See also "decommoditizing protocols" [2]

Relevance? Explain?

> > You can argue that none of this matters to you, since you trust
> > whatever OSS software you're using, but I stand by what I wrote that
> > it's unfair to term Google's decision to refer to applications that
> > don't implement OAuth "less secure" "evil".
> 
> Whatever you mean by "none of this": I am interested in security.
> But in /my/ security, or in /your/ security -- not Google's or
> Microsoft's (or whatever bigcorp's out there). Much less in their
> business model's security.

You're not addressing what I wrote: I cited the OAuth RFC's explanation
for why something like OAuth is more secure than plain password
authentication. You've thrown in all sorts of interesting history and
ideology, but haven't directly addressed the points in the RFC.

> > I was referring to the client side - Chrome / Chromium achieved
> > dominance (particularly on the desktop) largely because they were
> > widely recognized as being more performant than the alternatives.
> 
> Remember that Google is an advertising company?

Of course I remember, but you keep ignoring the technical points I'm
making, and instead argue from ideology and innuendo. Do you or
do you not agree that much of Chrome / Chromium's success for years was
due to its technical merits?

> > Firefox may be catching up now, but my impression is that for years,
> > both experts as well as laymen often preferred Chrome / Chromium
> > because of its speed. [Note that I have always stuck to Firefox for
> > almost all my browsing, largely because I don't like / trust Google, so
> > we're not as far apart as we might seem.]
> 
> [...]
> 
> > We agree - I want it out of my cereal bowl as well ;)
> 
> Google-free cereals for all ;-D

On this we agree!

Celejar