Re: gmail+imap+smtp (oauth2)

[Tim Cross]

Richard Stallman <rms@gnu.org> writes:

> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
> [[[ whether defending the US Constitution against all enemies,     ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>
> Thanks very much for spelling out the whole situation clearly.
>
> (Where does TOTP fit into this picture?)

For the 2FA process. Instead of using something like Google
Authenticator, you could use an open source TOTP client. Your still
going to have to use the non-free Javascript based UI, your just using
less non-free software. However, as they say, you cannot be a little bit
pregnant! 

>
>   > At this stage, I do not know of any way to create/register a google
>   > account which does not require Javascript and the status of that
>   > javascript is unknown, but can be expected to be non-free. Once you have
>   > created an account, the only way to access your account 'settings' page
>   > is to login to the Google site, again requiring use of non-free
>   > javascript. 
>
> This is an injustice, of course.  It is one reason to refuse to use
> Gmail.  It may be possible to write free replacement Javascript code
> and use that instead.  But it doesn't pertain to Emacs in particular,
> so we don't need to go into it here.
>

True. It is also possible Google does provide an API which a school or
institution could use to create a custom account registration and
settings update site. Note also that many larger institutions may
actually integrate Google into their in-house identity and access
management (IAM) system (it is one of the strengths of oauth2, being
able to integrate with 3rd party identity providers). However, few (if
any) of the commercial IAM solutions are based on libre software (there are
some Universities who have been working on an IAM solution which is
based on libre packages, but sadly, too many Universities have ignorant
administrators who still see proprietary = quality, libre = amateur. 

> In case a school demands you have a Gmail account, it would be useful
> if we had instructions to send to the staff, saying, "You may create
> the account, choose a password, and tell it to me.  (Since it will
> only be for email to and from the school, it makes no difference to me
> that school staff will know the password.)  Please choose an account
> name with no resemblance to my name.  Please set the account settings
> as follows so that my software can access the account."
>

There is no way any institution would support such a workflow. Apart
from the additional resource demands, it would raise lots of questions
regarding staff knowing student's email passwords. In many
schools/Universities, email is considered an official record and many
critical workflows are based around it (enrolling, unenrolling,
assignment submission, various approval processes etc). 

>   > Google has started enforcing 2FA (now mandatory on all new accounts).
>
> If 2FA is enabled, in which situations does the user have to do the
> 2FA procedure?  And how many times?  Only once, for setup -- or
> repeatedly?
>

Basically, every time you connect from a new device or new
browser and any time you want to modify your settings. Of course, you
can change that and enforce 2FA every time you try to access a service. 

> This, I think, is where the possibility of using hardware keys such as
> the Yubikey, is pertinent,
>