Re: Opportunistic STARTTLS in smtpmail.el

[Lars Magne Ingebrigtsen]

Here's my concrete suggestion for how auth-source would deal with this
stuff.

The design requirements are:

1) if users want it, credentials should be encrypted

2) the credentials should be stored in a file that can be edited by
hand, if necessary

5) it should be possible to check whether credentials exist without
giving a password, even if the credentials are encrypted

My solution to all this is to allow putting encrypted stuff into the
~/.authinfo file.

It's currently a one-credential-per-line file like this, and this would
still be perfectly valid:

machine news.foo.org force yes port nntp login bar password zot

However, if auth-info.el prompts somebody for a password, auth-info.el
will also prompt them for whether the credentials should be stored
encrypted.  If the user says yes, then auth-info.el will write the
following to the file:

machine news.foo.org force yes port nntp secret bG9naW4AYmFyAHBhc3N3b3JkAHpvdA

The secret is simply a base64-encoded gpg-encoded string made something
like this:

(base64-encode-string (gpg-encode-string "address@hidden@address@hidden"
                       (read-string "Password? ")))

We can add some padding and entropy to make things l33tly secure, like

(base64-encode-string
 (gpg-encode-string
  (format "address@hidden@address@hidden@address@hidden" (random 42))
  (read-string "Password? ")))

When decoding, we don't have to decode anything until we actually know
that we need the password.
  
People who think this is too insecure can use ~/.authinfo.gpg files,
just like now.  That's up to them.  

And people that think that using no encryption at all can do that, too.


-- 
(domestic pets only, the antidote for overdose, milk.)
  bloggy blog http://lars.ingebrigtsen.no/