bug-mailutils

Re: I want to add non-RFC passwd to pop and imap


From: Jakob 'sparky' Kaivo
Subject: Re: I want to add non-RFC passwd to pop and imap
Date: 13 Jul 2001 09:35:20 -0700
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.0.103

Sam Roberts <address@hidden> writes:

> Reading the RFCs, they are riddled with references to browsers and
> users, seemingly without awareness that URLs are generally useable
> for descriptions of how to access resources. Passwords were
> disallowed for security reasons that do not exist in many applications.
> 
> Example, mutt's configuration file:
> 
> set spoolfile=imap://address@hidden
> set imap_pass=XXX
> 
> The security advantage is....?
> 
> It *should* allow the password as in the other URLs, ftp, http,
> etc., now you have to invent another syntax for fully specifying
> the resource, and note that Mutt's mechanism is not general
> enough, you have no way to specify which imap url the password
> is associated with.

> Syntax, condensed from RFC 1738, and extended with the ;auth=
> of RFC 2384 (for POP) and RFC 2192 (for IMAP):
> 
> url =
>     scheme ":" = "//"
> 
>     [ user [ ( ":" password ) | ( ";auth=" auth ) ] "@" ]
> 
>     host [ ":" port ]
> 
>     [ "/" urlpath ]

I agree wholeheartedly. It's ridiculous to think that POP and IMAP
URLs should be any different than other URLs WRT passwords. There is
*no* security advantage in the mutt approach: if someone can read your
.muttrc, they can read your password. If you don't want to keep your
password in a file, then don't. The application should ask for it
interactively. If, however, it is either necessary (e.g. for a script)
or convenient, the password should absolutely be part of the URL, and
not a separate variable.
 
-- sparky
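
The condensed syntax quoted above, written out as a parser. This is an added example, not part of the original message and not mailutils code. The names `MailUrl`, `parse_mail_url` and `redact` are hypothetical; `redact` is an added logging helper that masks the password whenever such a URL is written to a log or error message.

```python
import re
from typing import NamedTuple, Optional
from urllib.parse import unquote

class MailUrl(NamedTuple):
    scheme: str
    user: Optional[str]
    password: Optional[str]
    auth: Optional[str]
    host: str
    port: Optional[int]
    path: Optional[str]

# scheme "://" [ userinfo "@" ] host [ ":" port ] [ "/" urlpath ]
# Per RFC 1738, ":", "@" and "/" inside user or password must be %-encoded,
# so the first "@" ends the userinfo. IPv6 literals are not handled here.
_URL = re.compile(
    r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://"
    r"(?:(?P<userinfo>[^@/]*)@)?"
    r"(?P<host>[^:/@]+)(?::(?P<port>\d+))?"
    r"(?:/(?P<path>.*))?$")
_AUTH = re.compile(r";auth=", re.IGNORECASE)

def parse_mail_url(url: str) -> MailUrl:
    m = _URL.match(url)
    if m is None:
        raise ValueError("not a scheme://[userinfo@]host[:port][/urlpath] URL")
    user = password = auth = None
    if m["userinfo"] is not None:
        user, colon, secret = m["userinfo"].partition(":")
        parts = _AUTH.split(user, maxsplit=1)
        if colon and len(parts) == 2:
            raise ValueError("password and ;auth= are alternatives, not both")
        if colon:
            password = unquote(secret)
        elif len(parts) == 2:
            user, auth = parts[0], unquote(parts[1])
        user = unquote(user)
    port = int(m["port"]) if m["port"] else None
    return MailUrl(m["scheme"].lower(), user, password, auth, m["host"], port, m["path"])

def redact(url: str) -> str:
    """Mask the password so the URL can go into logs or error messages."""
    m = _URL.match(url)
    if m is None:
        return "<unparseable url>"  # fail closed: never echo unknown input
    if ":" not in (m["userinfo"] or ""):
        return url
    user = m["userinfo"].split(":", 1)[0]
    return url[:m.start("userinfo")] + user + ":***" + url[m.end("userinfo"):]
```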


