[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Request for advice on GNUS internals. GSSAPI progress report

From: Elias Mårtenson
Subject: Re: Request for advice on GNUS internals. GSSAPI progress report
Date: Tue, 28 Feb 2017 15:25:21 +0800

On 28 February 2017 at 00:29, Lars Ingebrigtsen <address@hidden> wrote:
Elias Mårtenson <address@hidden> writes:

> I don't know about POP3, does anyone still use that? It's definitely
> supported for SMTP, and now that you mention it, I have to implement
> that support too. It would be a pretty useless feature if you can read
> your mail without requiring a stored password, but still needing it to
> send them. :-)

If this is relevant to a lot of the different protocols, perhaps it
would make more sense to put this into the Emacs core like the TLS
support?  Then each protocol wouldn't have to be modified this much to
support it across Emacs...

Unfortunately, that's not possible. Every protocol has a different idea how to perform a GSSAPI handshake. GSSAPI itself only returns a binary blong that is to be sent to the remote side, that side can then send another blob back. After ping-ponging a few times, you get a validated name object representing the remote principal, and context that can be used to encrypt and decrypt other binary blobs. There docs literally says something along the lines of: “Send the binary output to the remote server and pass it to gss_accept_sec_context()”.

This results in plenty of different specs how to apply GSSAPI authentication to various protocols. A few examples:

  - IMAP: https://tools.ietf.org/html/rfc1731
  - SMTP: https://tools.ietf.org/html/rfc4954
  - POP3: https://tools.ietf.org/html/rfc5034
  - LDAP: https://tools.ietf.org/html/rfc4752

Etc, etc.

Currently, when using GNUS, LDAP authentication works with GSSAPI thanks to fact that Emacs leverages the ‘ldapsearch’ external program. IMAP4 works now because I've implemented it. I don't use POP3, and I don't think there is much demand for it.

That leaves SMTP, which really should have support in Gnus proper, but as it turns out, we're not using authenticated SMTP at my workplace so I'll have a hard time testing it. The same goes for encrypted IMAP (using GSS encryption, rather than tunnelling over TLS). To support it, one would have to implement a very simple function but I left that empty since I have no way of testing it.

So, that's the situation as it stands. I've restarted the process with my employer's legal team to make sure I can get the copyright assignments done. It seems to actually be happening this time (which means that we'll be able to get gnu-apl-mode into ELPA soon).


reply via email to

[Prev in Thread] Current Thread [Next in Thread]