On Mon, 19 Aug 2019, to...@tuxteam.de wrote:

> Date: Mon, 19 Aug 2019 11:19:58
> From: to...@tuxteam.de
> To: debian-user@lists.debian.org
> Subject: Re: webmail and email from command line
>
> On Mon, Aug 19, 2019 at 09:47:55AM -0400, Celejar wrote:
> > On Mon, 19 Aug 2019 10:32:31 +0200
> > <to...@tuxteam.de> wrote:
> >
> > > On Sun, Aug 18, 2019 at 09:15:45PM -0400, Celejar wrote:
> > > > On Sun, 18 Aug 2019 23:43:35 +0200
> > > > <to...@tuxteam.de> wrote:
> > > >
> > > > > On Sun, Aug 18, 2019 at 05:19:28PM -0400, Celejar wrote:
> > > > > > On Fri, 16 Aug 2019 10:10:35 +0200
> > > > > > [...]
> > >
> > > > I think terming Google's decision to call software that doesn't
> > > > implement OAuth "less secure" "evil" is hyperbole [...]
> > >
> > > This nicely demonstrates my point: OAuth is a HTTP oriented access
> > > delegation protocol. Why should that be at all relevant, e.g. in
> > > the context of IMAP?
> >
> > From the Introduction to RFC 6749:
>
> Edited by D. Hardt, Microsoft. Hmmm.
>
> > *****
> >
> > In the traditional client-server authentication model [...]
>
> > Third-party applications are required to store the resource
> > owner's credentials for future use, typically a password in
> > clear-text.
>
> So for Mr. Hardt, Kerberos doesn't exist. Or he's talking HTTP context
> only.
>
> But I digress: more interesting is this [1]:
>
> "Eran Hammer resigned his role of lead author for the OAuth
> 2.0 project, withdrew from the IETF working group, and removed
> his name from the specification in July 2012. Hammer cited a
> conflict between web and enterprise cultures as his reason
> for leaving, noting that IETF is a community that is 'all
> about enterprise use cases' and 'not capable of simple.'"
>
> See also "decommoditizing protocols" [2]
>
> > You can argue that none of this matters to you, since you trust
> > whatever OSS software you're using, but I stand by what I wrote that
> > it's unfair to term Google's decision to refer to applications that
> > don't implement OAuth "less secure" "evil".
>
> Whatever you mean by "none of this": I am interested in security.
> But in /my/ security, or in /your/ security -- not Google's or
> Microsoft's (or whatever bigcorp's out there). Much less in their
> business model's security.
>
> > I was referring to the client side - Chrome / Chromium achieved
> > dominance (particularly on the desktop) largely because they were
> > widely recognized as being more performant than the alternatives.
>
> Remember that Google is an advertising company?
>
> > Firefox may be catching up now, but my impression is that for years,
> > both experts as well as laymen often preferred Chrome / Chromium
> > because of its speed. [Note that I have always stuck to Firefox for
> > almost all my browsing, largely because I don't like / trust Google, so
> > we're not as far apart as we might seem.]
>
> [...]
>
> > We agree - I want it out of my cereal bowl as well ;)
>
> Google-free cereals for all ;-D
>
> Cheers
>
> [1] https://en.wikipedia.org/wiki/OAuth#Controversy
> [2] https://www.levien.com/free/decommoditizing.html
Google could evaluate the non-browser software in use and pass what is secure and fail the other packages, with explanations for the authors of failed packages, but what Google could do and what Google is doing or will be doing are three different matters altogether. Lord Acton in his full quote had a few things to say about this and other corporate situations in which we find ourselves these days. By the way, his full quote is longer than its first seven words and even better for that, for my money.

>
> -- t
> --