Re: [Nmh-workers] XOAUTH2 integration, and a few questions
From: Ken Hornstein
Subject: Re: [Nmh-workers] XOAUTH2 integration, and a few questions
Date: Tue, 28 Jun 2016 23:36:00 -0400

>> On Jun 28, 2016, at 7:14 PM, Ken Hornstein <address@hidden> wrote:
>>
>> Ah, I see. THAT works because send(1) reads the profile for you and
>> passes down the "credentials" entry via the -credentials switch.
>
>Speaking blindly here, but ... do any of these credentials being passed
>around in command-line switches or the environment contain private key
>data? We need to beware of ps(1).

Ummm ... that's a good point!

Well, _if_ we're talking about the -credentials switch, no. All that
passes is the value of the "credentials" profile entry. If that's a
file, for example, you don't get the file contents.

But if it's a base64-encoded bearer token, that DOES matter. While the
access token used by a bearer token generally has a lifetime, if you can
see it then you can use it at will until it expires. So that suggests
to me that we need to make sure it's not visible via ps(1).

(Note: if my understanding of OAuth is wrong, I welcome a correction;
I am not the expert here).

--Ken
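
Added example, not part of the original message and not nmh code: a Python check of the ps(1) concern raised above. It starts a stand-in child process twice, once with a constructed token after a `-credentials` switch and once with the token written to the child's stdin, and reports whether the token shows up in the child's visible argument list. The child program, the token value and the function names are assumptions made for illustration.

```python
import base64
import subprocess
import sys

# Constructed sample value standing in for a base64-encoded bearer token.
FAKE_TOKEN = base64.b64encode(b"constructed-demo-bearer-token").decode()

# Hypothetical stand-in child: reads one line from stdin, then waits for EOF.
CHILD = "import sys; sys.stdin.readline(); sys.stdin.read()"


def visible_args(pid):
    """Return the argument list of pid as a process listing exposes it."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:  # Linux procfs
            return f.read().replace(b"\0", b" ").decode(errors="replace")
    except OSError:
        # No procfs: ask ps(1) itself (-ww avoids column truncation).
        out = subprocess.run(["ps", "-ww", "-o", "args=", "-p", str(pid)],
                             capture_output=True, text=True)
        return out.stdout


def token_exposed(via_argv):
    """Hand the token to the child on argv or on stdin and report whether
    it appears in the child's visible argument list."""
    argv = [sys.executable, "-c", CHILD]
    if via_argv:
        argv += ["-credentials", FAKE_TOKEN]
    child = subprocess.Popen(argv, stdin=subprocess.PIPE)
    try:
        if not via_argv:
            child.stdin.write(FAKE_TOKEN.encode() + b"\n")
            child.stdin.flush()
        return FAKE_TOKEN in visible_args(child.pid)
    finally:
        child.stdin.close()  # EOF lets the child exit
        child.wait()


if __name__ == "__main__":
    print("token on argv visible: ", token_exposed(True))
    print("token on stdin visible:", token_exposed(False))
```
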