[imp] imp 2.3.x vs TWIG

[Anil Madhavapeddy]

Quoting andrew morgan <morgan@orst.edu>:

> But the information has to be stored in an accessible manner so that it
> can be used between sessions.  Even right now, IMP has to be storing your
> IMAP password in the database in a recoverable fashion so that it can send
> it everytime you load a new page.  It would have to do the same for the
> new "horde" password which is used to decrypt the multiple passwords.
> Ugh, I guess this new scheme is no more secure or insecure than the
> current scheme, so I'll stop complaining.

IMP 2.3 encrypts that against a propagated cookie from the client browser,
so it can't be decrypted just by cracking the session database.

> 
> How do you know when the connection should be closed?
> 

When it times out.  It's no burden to re-open the connection the next
time the client asks for it.

> This would be simpler for the users because they are already familiar with
> this style.  Also, it seems to me that this functionality should be in the
> client, not the proxy.

The client is a valid place to put this functionality as well.  But if
it's done at the IMAP level, then any dumb IMAP clients can use this,
such as mutt.  It would be a fair bit of hassle and complication in IMP's
interface as well, I think.  Anyway, the reason that _I_ need it is that
work email is stuck behind a VPN, so I plan to run the proxy on my border
VPN router.

-- 
Anil Madhavapeddy, <anil@recoil.org>