> On Jun 28, 2016, at 9:47 PM, Ken Hornstein <[email protected]> wrote:
>
> The key difference (pun intended) is that we're not really doing any
> "key management", at least from a crypto perspective, at all, because
> as far as OAuth is concerned, there is no crypto. The access token
> needs to be protected via TLS when it is sent over the wire. Think
> of it as a funky password. On our side, we treat it like a password;
> we store it in a file (like we do with passwords in .netrc) and pull
> it out when we need it.
I get it. Kerberos uses file permissions to protect the live token (the /tmp/krb5_* file). I just want to make sure we are not letting things like that slip through, where people are not aware that, e.g., environment variables or process arguments aren't secure.

_______________________________________________
Nmh-workers mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/nmh-workers
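The exchange above treats the OAuth access token as a password kept in a file, with file permissions doing the protecting. As an added example (not nmh's code and not from either poster), here is what that looks like when done carefully on a POSIX system in Python: the file is created owner-only from the first byte regardless of umask, and a reader refuses the file if it is not a regular file owned by the caller with no group/other bits, the same check ssh applies to key files. The function names, the temporary directory and the token value are constructed for the illustration.

```python
import os
import stat
import tempfile

# O_NOFOLLOW is POSIX; fall back to 0 where it is missing so the module still imports.
_O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)


def write_token(path, token):
    """Store an access token the way a password file is stored: owner-only from the first byte.

    The file is created with mode 0600 via os.open (umask can only clear bits, never add
    them), written under a temporary name, then renamed into place so a reader never
    sees a half-written or, even briefly, world-readable file.
    """
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(token + "\n")
    except BaseException:
        os.unlink(tmp)
        raise
    os.replace(tmp, path)


def read_token(path):
    """Return the stored token, refusing (as ssh does for key files) if anyone but the
    owner could read it: not a regular file, wrong owner, or any group/other bits set."""
    fd = os.open(path, os.O_RDONLY | _O_NOFOLLOW)
    with os.fdopen(fd, "r") as f:
        # Check the file we actually opened, not a path that may have been swapped underneath us.
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != os.geteuid():
            raise PermissionError(f"{path}: owned by uid {st.st_uid}, not by us")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(
                f"{path}: mode {oct(stat.S_IMODE(st.st_mode))} is readable by others; expected 0600"
            )
        return f.read().strip()


def demo():
    """Constructed walk-through: store a token, read it back, then loosen the mode and
    show the read is refused. Returns (token_read_back, mode_after_write, refused)."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "oauth-token")
    try:
        write_token(path, "tok-example-0123456789")  # constructed placeholder, not a real token
        mode_after_write = oct(stat.S_IMODE(os.stat(path).st_mode))
        token = read_token(path)
        os.chmod(path, 0o644)  # simulate a careless chmod or a copy made with a loose umask
        try:
            read_token(path)
            refused = False
        except PermissionError:
            refused = True
    finally:
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(workdir)
    return token, mode_after_write, refused


if __name__ == "__main__":
    print(demo())  # ('tok-example-0123456789', '0o600', True)
```

Passing the token on the command line or in the environment instead defeats all of this: on Linux every user on the host can read another process's argv through `ps` or /proc/<pid>/cmdline, and environment variables are inherited by every child process the program spawns and routinely end up in crash dumps and debug logs. Reading the token from an owner-only file immediately before use, and keeping it out of argv and the environment, is what makes "treat it like a password" hold.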
