unofficial mirror of emacs-devel@gnu.org 
From: "Elias Mårtenson" <lokedhs@gmail.com>
To: Lars Ingebrigtsen <larsi@gnus.org>
Cc: emacs-devel <emacs-devel@gnu.org>
Subject: Re: Request for advice on GNUS internals. GSSAPI progress report
Date: Tue, 28 Feb 2017 15:25:21 +0800
Message-ID: <CADtN0WJq444D9wtz54T-O1PYU-2Lry9mG4kP6Oe03uwA+vR_qg@mail.gmail.com>
In-Reply-To: <m360jvha1o.fsf@stories>

On 28 February 2017 at 00:29, Lars Ingebrigtsen <larsi@gnus.org> wrote:

> Elias Mårtenson <lokedhs@gmail.com> writes:
>
> > I don't know about POP3, does anyone still use that? It's definitely
> > supported for SMTP, and now that you mention it, I have to implement
> > that support too. It would be a pretty useless feature if you can read
> > your mail without requiring a stored password, but still needing it to
> > send them. :-)
>
> If this is relevant to a lot of the different protocols, perhaps it
> would make more sense to put this into the Emacs core like the TLS
> support?  Then each protocol wouldn't have to be modified this much to
> support it across Emacs...


Unfortunately, that's not possible. Every protocol has a different idea of how
to perform a GSSAPI handshake. GSSAPI itself only returns a binary blob
that is to be sent to the remote side; that side can then send another blob
back. After ping-ponging a few times, you get a validated name object
representing the remote principal, and a context that can be used to encrypt
and decrypt other binary blobs. The docs literally say something along
the lines of: “Send the binary output to the remote server and pass it to
gss_accept_sec_context()”.

This results in plenty of different specs for how to apply GSSAPI
authentication to various protocols. A few examples:

  - IMAP: https://tools.ietf.org/html/rfc1731
  - SMTP: https://tools.ietf.org/html/rfc4954
  - POP3: https://tools.ietf.org/html/rfc5034
  - LDAP: https://tools.ietf.org/html/rfc4752

Etc, etc.

Currently, when using GNUS, LDAP authentication works with GSSAPI thanks to
the fact that Emacs leverages the ‘ldapsearch’ external program. IMAP4 works
now because I've implemented it. I don't use POP3, and I don't think there
is much demand for it.

That leaves SMTP, which really should have support in Gnus proper, but as
it turns out, we're not using authenticated SMTP at my workplace so I'll
have a hard time testing it. The same goes for encrypted IMAP (using GSS
encryption, rather than tunnelling over TLS). To support it, one would have
to implement a very simple function but I left that empty since I have no
way of testing it.

So, that's the situation as it stands. I've restarted the process with my
employer's legal team to make sure I can get the copyright assignments
done. It seems to actually be happening this time (which means that we'll
be able to get gnu-apl-mode into ELPA soon).

Regards,
Elias
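
The point made in the message above, that GSSAPI only yields opaque blobs and each protocol defines its own way to carry them, shown as an added example that is not part of the original message or of the Gnus code. The token bytes are constructed stand-ins, the function names are hypothetical, and only the framing of the token loop from RFC 1731 (IMAP) and RFC 4954 (SMTP) is shown:

```python
import base64

# Constructed stand-ins for the opaque blobs a GSSAPI library hands back;
# real ones come from gss_init_sec_context() / gss_accept_sec_context().
EXCHANGE = [
    ("C", b"\x60\x1aconstructed-client-token-1"),
    ("S", b"\x60\x1aconstructed-server-token-1"),
    ("C", b"constructed-client-token-2"),
]


def b64(blob):
    return base64.b64encode(blob).decode("ascii")


def imap_frames(tag, exchange):
    """IMAP AUTHENTICATE: challenges travel as '+ <base64>' continuations."""
    out = [f"C: {tag} AUTHENTICATE GSSAPI", "S: + "]  # empty first challenge
    for sender, blob in exchange:
        out.append(f"S: + {b64(blob)}" if sender == "S" else f"C: {b64(blob)}")
    out.append(f"S: {tag} OK AUTHENTICATE completed")
    return out


def smtp_frames(exchange):
    """SMTP AUTH: first token rides on the AUTH line, challenges are 334 replies."""
    out = [f"C: AUTH GSSAPI {b64(exchange[0][1])}"]
    for sender, blob in exchange[1:]:
        out.append(f"S: 334 {b64(blob)}" if sender == "S" else f"C: {b64(blob)}")
    out.append("S: 235 2.7.0 Authentication successful")
    return out


def server_tokens(frames, prefix):
    """Recover the raw blobs from server challenge lines with this prefix."""
    return [base64.b64decode(line[len(prefix):])
            for line in frames
            if line.startswith(prefix) and len(line) > len(prefix)]


if __name__ == "__main__":
    for title, frames in (("IMAP", imap_frames("A1", EXCHANGE)),
                          ("SMTP", smtp_frames(EXCHANGE))):
        print(title)
        print("\n".join("  " + line for line in frames))
```

The same three blobs produce two different transcripts, which is why the handshake has to be wired into each protocol's own command loop rather than into a shared transport layer.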
