►
From YouTube: IETF100-JMAP-20171116-1330
Description
JMAP meeting session at IETF100
2017/11/16 1330
https://datatracker.ietf.org/meeting/100/proceedings/
A
E
C
F
D
D
F
C
A
F
G
F
E
E
H
E
C
C
All
right,
everybody
welcome
to
the
slightly
delayed
by
about
15
minutes
J
map
session
at
ITF
100,
the
blue
sheets
of
I
think
made
their
way
around
the
five
people
in
the
room,
and
we
have
another
five
on
me,
echo
I'm,
Bron
Barry
is
arriving
at
the
table
as
well.
The
note
well
should
be
appearing
on
your
screen
right
about
now.
If
you
can't
see
it,
there's
plenty
of
places
to
find
it
and
let's
get
on
with
the
agenda,
so
we're
going
to
start
with
an
overview
of
the
changes
since
the
last
time.
I
F
F
J
If
you
were
just
naively
writing
the
whole
thing
out
rather
than
and
are
not
checking,
the
state
hasn't
changed
under
you,
so
with
patch
updates.
Basically,
it
looks
like
this,
so
you
can
see.
We've
got
keywords,
slash
dollar
flags
being
set
to
true,
which
is
basically
JSON,
pointer
format.
I
comment
the
RSC,
but
it's
another
standardized
format
for
with
going
into
the
property
of
what
you're
changing
and
the
patch
format
is
defined.
J
Such
that
you
can
also
you
can
include
just
the
whole
object
and
the
top-level
properties
if
you
want-
or
you
can
include,
the
detailed
minimal
patches
and
the
server
processes
at
the
same
way
either
way
and
that's
pretty
much
all
there
is
to
say
about
that.
But
just
pause.
The
moment
see
if
there's
any
comments.
J
J
Great
+1
for
maxi
yeah,
the
other
other
major
change,
is
introducing
this
idea
of
back
references
for
method
arguments.
So
the
idea
here
is
there
was
quite
a
few
methods
where
we're
having
two
special
case:
extra
proper
extra
arguments
for
things
like
fetching
the
messages
from
the
message
list
or
fetching
the
threads
from
the
message
list,
and
all
of
this
was
really
just
to
allow
you
to
make
implicit
method
calls
and
so
avoid
round
trips,
because
you
need
some
of
the
results
of
the
previous
method
in
order
to
make
the
next
call.
J
So,
with
the
back
references,
we
have
basically
simple
syntactic
transformation,
which
is
really
easy
to
implement
on
the
server,
but
it
actually
gives
you
just
as
much
power
and
more
from
before
and
means
we
could
remove
a
whole
load
of
special
cases
so
that
actually
a
lot
of
the
met.
The
methods
become
simpler,
so
here's
an
example
to
actually
explain
more
what
I'm
talking
about.
J
So
the
first
thing
we
do
is
a
get
get
message
list
with
the
filter
just
off
a
particular
mailbox
that
doesn't
that's
the
idea
of
the
mailbox
there
if
you've
not
familiar
with
J
map,
filter
format,
sorted
date,
descending
collapse
by
thread,
so
that
we
only
return
each
thread
once
at
the
first
position
of
its
message
and
we
live
in
that
30.
So
that
gets
us
the
30
IDs
of
those
first
30
messages
in
that
message
list.
J
The
next
one
is
slightly
odd,
but
you
can
see
here
how
our
work,
so
we
have
a
hash
before
the
argument
name-
and
you
can
do
this
for
any
argument
name
and
so
that's
very
easy
to
scan
through
the
arguments
and
check.
And
then
it's
telling
you
which
of
the
previous
methods
to
look
for
the
result
in
and
in
the
path
into
the
response
from
that
to
look
through.
So
there's
also
of
zero,
so
we
can
look
back
and
see.
That
was
what
was
tagged.
J
They
get
message
list
cool
was
tagged
with
zero
that
that's
the
ID
of
that
method
call
and
then
we
would
look
at
the
IDS
path
in
the
result,
and
that
is
an
array
of
IDs
and
that
then
becomes
the
IDS
argument
for
get
messages.
So
it's
it
looks
slightly
weird
when
you're
looking
it
on
in
the
slides
I
think,
but
it's
actually
really
easy
to
implement
and
gives
you
a
lot
of
extra
power
to
reduce
round
round
trips
and
make
things
more
efficient
and.
F
J
The
this
this
is
the
argument
name
so
I.
Don't
they
obviously
are
no
arguments
at
the
moment.
Let
us
start
with
a
pound
and
I.
Don't
think
anyone
is
likely
to
define
one
and
they
can
certainly.
We
can
certainly
make
sure
you
don't
that.
That's
the
that's
all
you're
looking
for
you're
iterating
through
the
arguments
to
a
method
in.
J
Do
we
have
any
further
comments
on
the
mute
echo?
Okay,
I'll
just
keep
continuing
for
a
short
time
them,
so
so
what
we've
done
so
the
second
one
was
fetching
basically
we're
getting.
We
want
to
know
what
the
thread
ID
for
each
of
those
messages
is,
so
we
do
a
get
messages
called
just
fetching
the
thread
ID
property
for
each
of
those.
For
that
that's
the
one
slightly
weird
bit
and
then
after
that,
we're
simply
getting
the
threads
so
for
each
of
those
thread,
IDs
that
we've
got
a
back
reference
there
to
the
thread.
J
Ids
result
of
the
previous
thing,
we're
fetching
the
threads
which
is
list
of
messages
in
each
of
those
threads
and
then
finally,
we're
doing
our
get
message
with
the
header
properties.
We
want
back
referencing
to
those
message
IDs
in
the
threads
to
fetch
all
the
messages,
so
it
I
said
I
think
it
does
look
a
bit
weird
when
you
first
see
it
in
the
slide,
but
having
now
tried
implanting
this
and
playing
around
with
it,
it
seems
to
work
quite
well
and
actually
simplifies
code.
F
J
J
Doesn't
look
like
it
cool,
okay,
great
cool?
Well,
let's
move
on
the
veining
overview.
Stuffer!
What's
changed
since
prog
push
support,
it's
not
a
lot
to
say
about
this.
It
was
just
mainly
kind
of
refinements
to
what
was
there
before
referencing
in
webbing
encryption
sport,
which
is
going
to
be
needed
if
you're
going
to
use
this
in
a
browser
that
just
references
a
different
RFC
or
will
be
an
RFC
before
this
is
finalized.
J
Martin
Thompson's
writing
and
ensures
that
we
are
conforming
to
what's
required
and
I've
see
a
t-34
too
to
be
able
to
be
used
as
part
of
that
standard
push
ecosystem.
The
other
form
push
which
is
the
eventsource,
has
changed
slightly
in
that
there.
The
client
can
now
pass
some
query
parameters,
one
of
which
says
this
is
kind
of
long
polling.
So
just
close
the
connection
every
time
you
actually
push
something
and
the
other
one
is
to
let
the
client
determine
how
long
the
service,
what
interval
the
server
should
send
things
down.
J
Events
also,
if
there's
been
no
events,
these
are
to
allow
clients
to
detect
that
they've
got
a
live
connection
to
the
server
and
their
concerns
were
raised
before
the
the
trouble
with
events
or
sometimes
is
that
you
have
proxies
in
between
which
mean
that
if
they're
buffering
proxies,
you
never
get
the
response
until
the
connection
is
closed
because
they're
buffering
too
much
in
between,
and
so
this
sometimes
doesn't
work
in
some
corporate
environments.
So,
with
these
options,
the
client
can
look
out
for
pings
and
if
it
determines
it's,
not
getting.
J
The
things
through
can
fall
that
long
calling
which
normally
always
works
because
you're
closing
the
connection
and
therefore
the
proxies
flush
their
buffer
and
you
get
get
the
data
poof,
and
so
it's
all
works
as
a
push
channel.
It's
just
slightly
less
efficient
on
the
network
and
so
with
those
as
a
set
I
think
pushes
pretty
much
finished.
So
any
comments
on
push
I
think
coming
great
and
finally
authentication.
This
is
a
big
issue.
We've
discussed
in
a
few
cases.
J
Basically
we've
taken
out
the
new
authentication
stuff
that
was
in
the
J
Mack
core.
It's
kind
of
out
of
scope
and
makes
it
much
more
difficult
to
get
through
the
spec.
This
is
a
problem.
That's
not
really
just
tied
to
J
map.
So
it's
basically
just
now
says
it's
HDPE,
so
you
need
HTTP
author
to
authenticate
connections.
J
F
J
The
manner
they
I
mean
I'm
certainly
interested
looking
those
and
doing
some
experiments
with
them
in
terms
of
the
specification
I
think
whatever
that
is,
it
would
still
have
to
be.
Consumer
like
it
is
an
independent
part,
is
not
required
and
tying
the
two
together
would
be
a
mistake.
I
think
that's.
F
H
G
J
So
the
kind
of
history
of
this
is
the
we
were
desperately
trying
to
avoid
basic
auth,
but
mandating
OAuth
doesn't
work
because
there
are
too
many
situations,
email
that
that's
not
necessarily
viable.
We
could
prohibit
basic,
but
again
that's
it's.
It's
going
to
be
hand.
Waving
scanned
is
going
to
be
used
in
situations
to
an
extent
like
if
you're,
so
so,
obviously,
there's
there
situations
in
the
in
the
back
and
like
only
internal
networks,
sometimes
where
it's
in
Crocs
eat
through
and
at
that
point
it's
gonna
use
some
some
other
all
system.
J
That's
this
could
just
be
basic
or
something,
but
the
other
issue
main.
The
main
issue
is
if
your
random
isp
set
up
an
email
service,
mail
client
has
to
connect
to
it
so
kind
of
worry
options
for
allowing
authentication
while
there's
basic
or
there's
OAuth
pretty
much,
but
but
all
with
OAuth
is
borrowing
there's
now
some
new
standards
to
do
auto
discovery,
but
just
the
whole
there's
no
email,
clients,
I,
don't
know
how
likely
it
is.
People
are
gonna
support.
J
All
these
things
in
order
to
be
able
to
auto,
discover
the
oath
settings,
Auto
register
the
client,
and
so
they
can't
pre-register
with
every
email
service
out
that
they
can
pre-register
with
Gmail
and
Yahoo
and
stuff
so
that
they
don't
need
the
auto
discovery
system.
But
they
can't
can't
do
that
with
every
ISP
yeah.
F
J
J
Is
what
we've
been
trying
to
do,
except
that
we
also
don't
want
to
be
defining
a
new
authentication
specification
because
that's
out
of
scope-
and
we
can't
there
doesn't
seem
to
be
anything
we
can
just
say
you
must
like
saying
you
must
use
it
auth,
it's
not
practical
either
like
you
could
you
we
can
say
you
mustn't,
use
basic.
You
must
use
a
bearer
token
and
how
you
get
that
bearer
token.
It's
not
necessarily
vile,
oh,
but
that's
still
these
open.
If
you're
writing
a
client,
okay
I
need
a
Barrett
Oken.
F
You
post
to
the
SAG
list,
si
AG
mailing
list
and
ask
for
somebody
to
look
at
this
document
from
a
security
point
of
view
and
comment
on
what
you
might
do,
but
because
of
what
I'm
afraid
is
that,
when
this
gets
to
the
IAS
G,
it's
gonna
get
pounced
on
by
the
security,
a
DS.
If
we're
doing
basic
off
I.
I
F
F
It's
it's
not
sufficient
to
solve
everything,
but
it
may
be
sufficient
to
get
past
the
initial
issue
so
anyway,
let
me
Chris
says
basic
over
TLS
is
the
only
thing
that's
likely
to
interoperate
as
long
as
authentication
is
out
of
scope,
so
it's
probably
the
mandatory
to
implement
for
interoperability
and
I.
Guess
I
agree
with
Chris
on
that
bearer
tokens
are
better
than
password
over
TLS
for
mobile
devices
as
long
as
there's
a
way
to
expire,
the
bearer
token,
if
the
device
is
lost.
C
So
I
would
actually
answer
that
this
is
what's
happening
in
the
world.
Is
that
a
lot
of
big
providers
now
are
issuing
an
app
specific
passwords
to
each
device
and
saying
your
bearer
token?
Is
your
username
Plus
this,
because
HTTP
basic
authentication
in
two
parts
and
part
of
a
bearer
token
is
you
use
an
M
part
of
the
bearer
token?
Is
this
long-lived
app
password
that
you
can
then
cancel
when
your
device
is
lost
and
because
the
canceling,
a
token,
is
still
going
to
be
saying?
H
J
J
J
Yep,
okay,
so
those
are
the
main
changes
since
last
time.
So
let's
look
through
the
remaining
issues.
There's
no
actually
too
many
kind
of
the
real
substantial
issues
to
go:
we're
hoping
to
get
most
of
these
resolved
by
March
in
the
in
London
and
then
hopefully
we
can
actually
do
Interop
testing
at
the
hackathon
and
ITF
London
as
well
beforehand,
if
people
have
got
fairly
complete
in
plantations
of
a
fairly
finished
spec.
J
So
let's
have
a
look
what's
remaining
in
core,
so
one
thing
we
need
to
do
is
make
sure
we
have
sorted
our
plan,
versioning
extensions,
which
is
obviously
always
going
to
happen
with
any
API,
and
my
rough
plan
for
this
looks
a
bit
like
this.
So
at
the
moment
your
method
calls
are
an
array
which
is
what
you,
post
to
the
API,
we'll
wrap
that
array
in
a
top-level
object
which
lets
us
add
various
kind
of
metadata
properties.
J
If
you
like
to
the
whole
request,
Chris
Newman
I
know,
has
raised
ideas
of
adding
extensions
on
this
in
the
future.
For
things
like,
you
must
commit
the
whole
thing
atomically
or
things
like
that.
But
for
now
the
main
thing
is
that
we
can
add
it
using
property
which
behaves
a
lot
like
sieve.
It's
not
in
to
extend
to
specifications.
You
have
to
opt
in
as
a
client
to
everything
you
wish
to
use.
J
If
you
don't
opt
in
the
server
behaves
as
though
it
doesn't
support
it,
which
gives
you
fairly
decent
yeah
if
the
server
advertisers
which
specs
it
supports
in
the
capabilities
object
which
is
fetched
at
the
beginning.
If,
with
with
your
basically
information
about
the
session,
once
you
have
some
kind
of
authentication
token,
however,
that
is,
you
can
fetch
this
object.
J
That
has
information
about
which
endpoints
to
hit
for
the
resources
and
the
capabilities
at
the
server
and
the
capability
objects,
basically
is
a
key
of
the
spec
name
or
preferably
I
think
a
URL
to
the
specification
itself,
so
that,
if
you're
just
trying
to
see
what
a
server
supports
you
see
something
you
don't
recognize.
You
can
just
follow
the
link
and
you
know
find
out
about
respect
which
would
be
quite
nice
and
then
the
value
of
that
in
the
capabilities
object
is
an
object
with
various
information
about
that
spec.
J
So,
for
example,
for
the
male
spec,
the
capabilities
object
includes
things
like
max,
mailboxes
and
stuff
like
that.
So
that's
the
general
plan.
It's
not
too
complicated,
I
think
it's
based
on.
You
know
existing
solutions
that
work
and
it
gives
you
a
way
to
move
forward
while
not
breaking
old
clients,
which
is
the
main
thing
you
want
any
objections
or
alternative
proposals
or
ideas
on
that.
J
Not
at
all
I
mean
the
the
capabilities.
If
your
capability
name
is
a
URL
yeah,
the
the
thing
is
that
the
so
the
specification
will
define
its
capability
name,
which
doesn't
have
to
be
a
URL
I'm,
just
suggesting
it
will
be
nice
if
they
aren't
for
things
like
RFC's,
you
can
have
a
canonical
URL,
I
think,
which
is
a
chore
forever,
is
a
long
time,
but
can
be
reasonably
stable.
I.
F
J
It's
not
important
to
this
functioning;
it
can
perfectly
function
without
it
being
a
URI.
It's
just
I
think
that
would
be
nice.
If
that's
a
suggested
thing
for
future
extensions,
because
then
it
helps
people
developers
who
are
examining
new
server
if
they
come
across
something
that
I
recognize
to
find
the
documentation
on
that
of
what
the
server
can
do.
My
question
wasn't:
URL
versus.
F
F
H
J
J
Name:
we've
got
rules,
we
get
Foose
and
set
throughs,
but
we
have
a
singular
phupho
get
through
updates,
get
through
lists
list
updates,
which
is
both
aesthetically
a
little
bit
annoying
and
also
makes
it
harder
to
programmatically
generate
these
if
you're
kind
of
doing
automatically
from
by
just
giving
it
one
type
name
and
having
it
synthesized
what
the
event,
what
method
names
are
cause?
You
have
to
know
how
to
pluralize
something
in
mailboxes
has
es
as
opposed
to
something
else,
so
I
think
it
would
just
be
nice
if
we
made
this.
J
J
J
J
J
This
is
by
jenny.
In
its
best,
we
can
wis
pass
the
important
bits,
there's
a
very
similar,
quick
naming
bike-sharing
issue
on
email.
We
want
to
the
mail
spec
now,
which
is
simply
that
it's
been
proposed.
We
renamed
the
message,
object
to
email,
because
there's
some
confusion
around
the
fact
that
you
have
an
ID
on
the
message,
object
and
that's
a
J
map
ID
and
not
the
RFC
52
to
message
ID
and
terminology.
J
So
that's
just
avoids
that
confusion,
because
then
it
becomes
email,
ID
and
stuff
yeah,
so
great
move
on
from
the
blank
cutting
stuff.
This
is
the
main
issue,
I
think
still
to
resolve,
and
so
this
is
hopefully
what
we
can
hash
out
to
here
and
on
the
mailing
list
between
now
and
March,
which
is
the
message
format
in
JSON
of
the
RFC
five
three
to
two
so
I
think
the
headers
bit
of
this
is
fine
and
doesn't
need
have
any
objections.
J
It's
gives
you
past
forms
of
a
lot
of
the
headers,
which
makes
it
easier
for
the
client
to
deal
with
like
getting
the
from
as
an
array
of
objects
with
the
name
and
email
property
and
rather
having
to
pass
the
string.
The
main
I
think
thing
that
we
really
are
not
sure
about
at
the
moment
is
converting
the
body
into
an
and
what
form
does
that
take?
J
Is
it
just
some
kind
of
JSON
representation
of
a
mime
tree
which
is
kind
of
what
the
Gmail
API
does,
or
is
it
closer
to
what
clients
generally
use,
which
is
clients
generally
present
a
message
as
some
kind
of
body,
which
is
a
text
thing
or
HTML
representation,
and
then
some
attachments
which
are
files
associated
with
that?
Then,
of
course,
even
how
you
convert
between
them.
There's
some
ambiguity
of
what
is
an
attachment.
We've
had
some
discussion
on
the
list
the
last
few
days.
J
F
H
Mouse
key
Google,
so
my
question:
why
would
be
you
do
something
different
and
provided
providing
the
original
mime
structure?
Because
the
point
is
to
you
want
to
provide
like
a
mail,
the
desktop
transfer.
So
you
want
to
actually
respect
that
rather
than
try
to
select,
say
key
bees
that
select
the
field,
but
you
want
to
propagate
so.
J
There's
a
couple
of
reasons:
firstly,
it
just
makes
it
easier
for
client
authors,
because
I
said
this
is
this:
does
not
map
to
the
presentation
that
is
used
in
in
clients
generally,
it's
which
is
body
plus
attachments?
The
second
reason
is,
it
also
makes
easier
to
optimize
fetching.
So
it's
a
to
optimize.
The
network
usage
I
want
to
be
able
to
say
return
me
just
the
HTML
body.
J
Representation
of
each
of
these
messages,
without
having
to
fetch,
are
some
kind
of
overall
structure
object,
interrogate
that
work
out,
which
bits
and
individually
fetch
each
each
of
those
that
becomes
a
lot
more
Bo
overhead
and
complexity
to
fetch.
What
I
need
to
just
display
this
message
in
a
client.
J
One
of
the
things
which
organized
whether
we
basically
provide
both
options.
So
the
client
can
request
which
it
wants,
whether
it
wants
kind
of
the
mime
structure
or
whether
it
wants
some
interpretation
by
the
server
of
that,
so
that
it
doesn't
have
to
bother
passing
that
that
that's
what
we're
discussing
the.
C
I
But
it's
exactly
the
same
problem
and
once
you
start
dealing
with
multi-part,
alternative
multi-part
makes
multi-part
related
all
arbitrary
nesting,
yeah
yeah,
so
yeah,
if
you
want
just
for
display,
I
mean
returning
a
single
block.
You
know
whatever
text
play
no
HTML
depending
what
the
client
wants
is
probably
so.
J
That's
another
question:
whether
a
single
blob
or
one
thing
we
noticed
when
we
went
looked
annotation
for
this
is
actually
it's
kind
of
an
array
of
blobs
that
we
get
so
it's
a
flat
array.
But,
for
example,
if
you
had
a
message
centers
with
HTML
and
text
alternatives,
and
then
it
goes
through
a
mailing
list
which
adds
a
text
only
signature
as
a
next
apart
after
it.
J
Then,
if
you
were
synthesizing
this
into
a
single
property,
you'd
have
to
convert
that
to
HTML
and
then
append
that
to
HTML
to
get
an
HTML
version,
but
then
appending
that
to
a
HTML
is
hard
because
you
don't
want
to
stick
it
just
after
the
end
of
the
line,
if
you
just
append
them,
because
that's
actually
not
valid,
and
you
can
do
this
and
that
what
we
do
and
it
kind
of
works
every
third
browser.
But
it's
yeah.
J
C
I
J
I
think
the
same
messages
would
have
to
mirror
whatever
we
do.
Forget
messages
really
like
it
doesn't
make
sense
to
do
different,
something
different
there.
So
if
you,
if
the
get
message,
can
either
fetch
a
mime
structure
or
fetch
this
past
version,
then
I
think
need
to
be
able
to
do
the
same
with
set
if
the
client
wants
just
do.
The
past
version
does
that
otherwise
it
so
I
hit
the
we.
C
F
I
J
J
Think
oh
I,
don't
know
well
I
wanted
to
get
people
to
start
thinking
about
it
here
and
we'll
maybe
send
through
some
ideas
of
Basil's
I,
said
I
think
this
is
the
meatiest
issue
still
remaining
to
be
resolved
so
worth
worth
a
bit
of
thought.
The
other
thing
that's
come
up
kind
of
related
to
this,
although
in
some
ways
differently
is
wanting
to
be
able
to
fetch
partial
body.
J
So
suppose
you
had
your
HTML
body,
where
we've
service
magically
worked
out
a
single
text,
HTML
thing
to
represent
the
body,
but
that
HTML
thing
could
be
three
measures
of
text
and
as
a
client,
you
only
want
to
fetch.
Maybe
100
kilobytes
up
front,
especially
on
the
constrained
environment,
so
you're
not
wasting,
and
then
only
if
the
user
says
yeah
I
won't
see
the
whole
thing.
Do
you
bother
fetching
the
rest?
J
So
we
don't
have
a
way
of
representing
that
at
the
moment
in
in
J
map,
and
so
whether
that's
part
of
something
custom
for
message
or
whether
that
becomes
part
of
core
in
some
way
of
some
custom
thing
of
determining.
For
a
string
I'm
not
sure
about
that
it
seems
fairly
limited
in
use
case,
but
yeah.
That's.
F
So
the
other
Neil
says
every
client
I've
worked
on,
wants
a
pair
of
HTML
attachments
to
actually
display
the
message
content
at
the
UI
layer.
So
somebody
has
to
solve
the
problem
at
some
point
in
the
pipeline
and
it's
better
in
my
opinion.
If
the
server
can
so
things
like
search
and
message
body
display
are
consistent.
F
Chris
says
the
structure.
I
prefer
is
main
inline,
blob
or
array
of
inline
blobs
plus
array
of
attachments,
but
the
array
of
attachments
has
an
optional
question:
mark
IMAP
style,
mine,
part
number.
This
allows
conversion
between
flat
attachment
view
and
mime
hierarchy,
Jeff
says,
but
that
makes
the
server
responsible
for
some
of
the
presentation
decisions.
Presuming
he's
going
back
to
Neil's
comment,
which
is,
in
my
opinion,
not
a
server
problem.
I
H
Right
right,
okay,
so
in
okay
and
I,
think
it's
actually
it's
a
really
hard
problem.
If
you
have
both
the
server
and
the
client
trying
to
decide
which
mime
part
was
to
show,
on
the
other
hand,
in
dust
cloud
you
have
to
do,
you
have
to
deal
with
also
in
line
in
line
attachments
like
CID
type
attachment,
whether
you
want
them
or
not.
In
the
case
of
partial
body,
fetch
you
get
something
even
a
bigger
problem:
you
are,
you
may
cut
off
HTML
in
the
middle
and
cut
off.
Html
middle
can
have
drastic
different
behavior.
H
J
I
think
this
is
a
good
point.
There
is
certainly
security
issues
that
can
result
from
chopping,
HTML
or
arbitrary
points
and
I,
don't
think
it's
it's
not
easy
for
a
server
to
chop
it
off
and
manipulate
it
search
to
make
guarantee
it's
it's
safe.
In
that
respect,
I
I.
On
the
other
hand,
I
mean
the
client
you're
still
going
to
make
sure
it's
not
running
scripts
or
anything
like
that,
but
yeah.
It's
a.
H
J
I
J
I
J
F
On
me,
deco
tell
me
on
jabber,
if
you
can
hear
alexei
because
in
the
room,
it's
he's
not
coming
through
the
speakers
very
well,
but
he
might
be
coming
to
you.
Jeff
says
another
option
return.
I
map
style
structure,
but
the
server
tagged
certain
parts
as
body
and
others
as
attachments
and
the
MUA
can
assemble
all
body
parts
for
displaying
and
jabber
says
they
can
hear
you
fine.
So
don't
worry
about
it.
That's.
J
An
interesting
idea,
it
might
be
one
of
the
options
we
offer
the
main
tricky
bit.
I
like,
I
think
that
makes
it
very
hard
to
optimize
your
network
uses,
which
is
one
of
the
things
that
we've
been
trying
to
make
happen,
because
you
don't
want
to
download
all
of
the
alternative
parts
if
you're
only
going
to
display
one.
J
I
think
that's
quite
a
lot
of
waste
overhead,
especially
with
large
messages
right
and
but
if
you
only
get
kind
of
just
the
outline
structure,
you
didn't
have
to
make
successive
requests
once
you
decided,
which
ones
you
want
to
fetch
that
data.
So
you
end
up
with
more
round-trip.
So
it's
it's.
It's
a
trade-off.
I
know
idea
and.
C
C
J
F
J
Potentially,
it
depends
on
the
output
format
that
we
come
up
with,
I
think
we'd
have
to
we.
You
can't
tell
that
until
we
have
a
bit
more
idea
of
what
we
want
the
structure
to
look
like
and
what's
returned
yeah,
it
was
possible
that
backrests
could
help
with
this.
But
at
the
moment
it
sounds
like,
what's
being
proposed,
is
returned
to
the
client
requires
more
processing
than
you
know
which
why
not
to
make
the
back
reference
stuff
some
kind
of
a
virtue,
scripting
language,
you
can
run
on
the
server.
I
J
J
I
J
So
this
is
being
done
everywhere
as
far
as
I
can
see
and
I'm,
not
quite
sure
what
this
non-simple
Klein
that's
gonna
do
something
different
is
because
I
haven't
I,
guess
if
you're,
using
if
you're
using
email,
not
actually
as
email,
is
there
some
kind
of
bus
system?
Instead,
then
you
start
to
get
into
a
point
where
you
might
something
different
yeah.
I
I
guess
the
question
is
where
the
client
wants
to
know
you
know:
is
there
like
two
textual
parts
or
a
single
textual
part?
Maybe
it
wants
to
put
separate
delimiter
between
them.
I,
don't
know,
I
mean
that's
sort
of
a
bit
obscure,
but
you
know
that
might
affect
you
I
potentially
so
maybe
just
getting
away
with
the
array
of
things
might
be
good
enough.
Yeah.
J
You
know
I
do
think
you.
Your
client
still
needs
to
be
able
to
request
like
HTML
version
or
text
version,
if
there's
alternatives
and
maybe
know
that
the
other
versions
there,
even
if
it
doesn't
fetch
it,
that's
the
other
kind
of
thing
that
I
don't
have
a
solution
for
necessary.
That's
great
at
the
moment,
but
yeah
Neal
says.
F
J
I
think
some
kind
of
pastures.
Well,
my
goal
was
only
over
the
API,
it
would
be.
You
can
fetch
the
structure
and
some
kind
of
Jason
thing
more
like
the
Gmail
API
or
you
can
fetch
this
more
with
processed
version,
which
gives
you
their
bodies
and
attachments
which
we
seem
to
think
most
clients.
They're
gonna,
want
you.
C
J
But
I
would
have
thought
if
we
can,
if
we
make
them,
if
we
do
the
API
right.
A
lot
of
certainly
new
clients
would
never
do
that,
because
why
write
all
this
complicated,
parsing
code
when
they
don't
have
to?
And
we
don't
want
to
require
that
unless
you're
doing
something
really
obscure,
that's
always
there's
kind
of
the
escape
hatch,
so
we
don't
have
to
cover
every
single
option.
You
know
we
want
to
cover
all
the
common
things
and
yeah
you
really
have
to.
You
can
fetch
that,
but
you
shouldn't
have
to
for
most
cases,
yeah.
E
F
J
J
I
mean
I
think
this
is
where
we've
well
for
now.
We
kind
of
said
that
the
escape
hatch
of
devolve
always
kind
of
handing
that
but
yeah.
If,
if
the
client
is
the
one,
that's
to
cookie
I,
don't
see
if
the
server
is
the
one
that
has
the
keys,
then
it
can
just
present
all
this
anyway,
doesn't
matter
if.
J
J
J
J
I
F
J
J
I
mean
yes:
if
the
two
accounts
on
different
servers,
yes,
then
you
would
need
that.
I
me
know
if
they're
two
accounts
you
have
access
to
via
the
same
came
up:
API,
there's
a
method
just
to
copy
them
over
without
having
to
download
and
upload
it
again.
But
yes,
that's
true,
so
yeah
we
think
this
is
gonna,
be
yeah.
You
you're
always
going
to
need
access
to
that
for
those
kind
of
cases,
but
as
far
as
possible,
we
would
prefer
you
not
to
need
it.
J
Okay,
I
think
that's
been
a
good
opening.
Discussion
of
this
will
definitely
continue
all
this
on
the
list.
I
think
we
will
be
able
to
agree
on
something.
Is
it's
not
like
everyone's
got
wildly
different
opinions,
but
there's
certainly
different
ideas,
which
we
should
have
a
look
at.
Try
out
see
what
they
actually
looked
like
with
real
messages
and
then
decide
and
stuff
said,
hopefully
get
this
over
the
next
couple
of
months,
because
yeah,
ideally
we'll
have
pretty
much
all
the
issues
closed
off
by
March
and
start
doing
some
in
shop
testing
them.
Okay,.
F
Chris
for
security
considerations
will
have
to
say
something
about
HTML
security
filtering
it's
safer
if
the
server
has
a
whitelist
HTML
filter
by
default,
but
that
increases
complexity.
A
lot,
an
extension
to
request
HTML
whitelist
filtering
by
the
server
would
be
very
interesting
to
client
authors,
yeah.
J
We've
kind
of
got
away
from
this
in
that
we
found
you
can
now
with
with
more
modern
browsers.
You
can
often
do
better
filtering
in
the
in
in
the
browser,
because
you
have
the
same
Dom
parser,
rather
than
a
different
one,
which
is
often
where
bugs
creep
in
when
the
dump
are
slightly
different
to
what
actually
ends
up
being
passed
in
the
browser.
J
H
Definitely
suggest
like
having
both
approach
in
the
case,
because
unless
a
client
knows
exactly
what's
going
on,
the
server
like
displaying
I'd
push
displaying
raw
HTML
will
be
like
suicide,
or
you
have
a
lot
of
side
effect
possible
depending
on
implementation,
depending
on
which
platform
you're
running
on.
So
you
have
to
be
extremely
defensive,
but.
K
J
J
J
If
the
messages
in
multiple
mailboxes
you're
gonna,
you
need
permission
on
every
mailboxes
and
I
think
to
be
able
modify
the
key
words
because
the
site,
that's
the
only
eyewitness,
but
one
thing
that
has
been
brought
up
is
that
the
scene
keyword
is
kind
of
special
in
IMAP.
There's
a
lot
of
special
casing,
certainly
in
this
iris
IMAP
server
for
this
versus
other
keywords.
It's
included
in
this
computed
count
on
the
mailboxes
object
is
unread
Affairs
and
unread
messages,
which
is
actually
kind
of
flipping
the
behavior,
because
everything
treat
stuff
as
unread
read.
C
J
J
Maybe
it's
special
enough
that
we
take
it
out
of
keywords,
I
think
one
of
the
downsides
this
is,
it
does
mean
there
will
have
to
be
more
to
plication
off
things
like
the
message
list,
filter
and
search
where
you
have
things
like
is
all
in
thread.
The
all
in
fred
has
keywords.
Some
in
that
is
keyword.
You
need
to
mirror
that,
with
all
in
thread
is
unread,
some
in
fetters
on
red,
etc.
So
that
is
a
little
bit
of
kind
of
duplicate
of
stuff
that
ends
up
there,
but
any
opinions
on
on
this.
I
Alexi
as
far
as
ACL
slight
preference
for
having
keeping
parity
with
M
I'm
a
pace,
yells
back
okay
for
people
who
implemented
it
just
makes
it
slightly
easier.
But
of
course
your
specific
server
can
always
bundles
rights.
So
if
you're
writing
one
from
scratch,
you
probably
don't
want
to
have
them
separate
anyway.
So
you
just
or
not,
you.
C
F
F
J
J
F
Chris
says
it
was
separated
in
IMAP
because
of
the
idea
of
reading
net
news
via
IMAP,
with
dot
news
RC,
to
which
I
responded.
Do
we
think
that's
still
an
important
use
case
to
which
he
didn't
respond,
but
he
said:
I
concur
with
Alexei,
with
slight
preference
for
separate
ACL,
no
preference
on
same
or
separate
property.
Okay,.
J
G
C
F
F
But
going
go
count,
everything
says
Alexei,
but
it
going
back
to
going
back
to
Chris's
point
about.
The
reason
that
we
had
it
separate
was
to
actually
prevent
you
from
setting
scene
flags
in
certain
cases.
If
we
don't
have
that
need
anymore,
if
we
don't
have
that
you
case,
maybe
the
whole
thing
goes
away
by
saying
the
scene
flag
is
not
covered
by
ACLs.
J
F
F
C
In
this
cyrus,
I
map
implementation
scene
is
per
user
optionally
shared
but
defaults
to
per
user,
whereas
all
the
other
keywords
are
shared,
there's,
certainly
a
use
case
for
allowing
people
to
have
some
own
some
of
their
own
per
user
data
stored
about
things
without
being
able
to
change
it
for
everybody.
In
any
case
where
you
share
information.
J
Okay,
I
I
think
it
does
sound
like
we
want.
Probably
one
separate
sales
I
seems
to
be
a
slight
majority
opinion
on.
That
seems
not
huge
amounts
either
way
on
whether
it
should
be
a
separate
property
or
not
all
right,
I'll
think
about
a
bit
right
up
the
list,
maybe
and
we'll
see
if
there's
any
final
comments
on
the
list
and
then
make
a
decision
one
way
or
the
other
I'm
good,
okay
and
then
I
think
this
is
the
final
thing
again.
This
has
mainly
been
discussed
on
the
list.
What
happens
when
you
destroy
mailboxes?
J
If
you
had
messages
in
it?
So
the
original
spec
basically
said
this
was
an
errand
just
rejected,
destroying
the
mailbox,
which
is
the
kind
of
more
J
map
thing,
because
it
requires
all
of
the
changes
to
be
explicit.
So
the
client
always
knows
what
has
changed
was
this
is
kind
of
implicit,
but
it
is
pretty
useful
to
be
able
to
destroy
a
mailbox
and
just
remove
it
from
all
the
messages.
So
the
suggestion
was,
we
add
an
extra
argument
just
for
set
mailboxes,
where
we
can
say
if
this
was
the
last
mailbox.
J
J
That's
that
the
main
concerns
over
since
many
ways
it's
that
if
you
just
omit
this
argument
at
the
moment,
that's
the
same
as
null,
which
is
the
same
as
delete
the
messages
and
maybe
that's
a
too
risky
default.
Maybe
if
you
omit
it,
it
should
be
an
error
to
try
and
destroy
the
mailbox
without
messages.
If
you
don't
explicitly
say,
I
want
to
delete
them.
Oh
I.
I
F
E
F
J
F
F
F
F
E
F
C
F
J
So
when
you
destroy
a
mailbox,
you
remove
that
mailbox
from
well
one
option:
is
you
remove
that
mailbox
from
every
message
that
it
used
to
be
used
to
be
in
it
right,
except
that?
If
yet,
if
the
message
was
only
in
that
mailbox,
that
is
destroying
the
message
as
well,
I
understand
so
be.
The
extra
argument
was
meant
to
be.
If
this
is
the
only
mailbox,
it
was
in
then
move
it
to
this
mailbox
rather
than
destroying
it.
Otherwise,
it's
fine,
because
it's
already
in
something
else.
I
F
I
C
C
J
C
J
C
J
Sure
it
matters
that
much
terrorists,
so
okay,
I
guess
yes,
what
kind
of
poll
of
people
online
and
in
the
room?
Would
anyone
actually
use
this
argument
on
last
reference
move
to
or
if
just
if
you,
the
kind
of
if
the
default
behavior
was
it
destroy
the
message
if
that
was
any
mailbox
was
in,
and
that
was
the
only
behavior
you
got
that
that'd
be
fine
Neal.
J
I
F
J
Okay,
so
it
doesn't
seem
to
be
anyone
that
here
are
those
I
think
there
was
some
of
them
Lynne
Agora,
that
was
concerned
for
default,
deleted
messages,
business
on
my
own
else's
concerns,
so
I'd
say:
that's
probably
still
rough
consensus.
That's
fine
I'll
do
if
I
don't
call
on
the
list
with
again
summary
of
that,
but
I'm
leaning
towards
maybe
just
a
meeting
the
whole
argument
as
I
no
one's
gonna
use
it.
What's
the
point
Chris.
J
E
Resnick,
if
I'm
implementing
trash
as
a
UI
element,
if
I
delete
a
message
from
a
single
mailbox,
even
if
it
belongs
to
multiple
mailboxes,
does
that
UI
wise
make
a
copy
in
the
trash
or
not
I
am
what
am
I
exposing
to
the
user?
Am
I
exposing
multiple
mailbox
existence,
or
is
it
multiple
messages
that
happen
to
all
point
through
the
same
message
so.
F
I'm
I'm
app
has
is
a
very
odd
thing
with
implementing
a
client-side
trash.
Folder
and
J
map
doesn't
change
that,
but
still,
if
you
have
not
retrieved
the
message
to
the
client,
you
can't
put
it
in
a
in
a
client-side
trash
folder,
well
Lea,
so
the
the
any
reasonable
IMAP
implementation
is
going
to
have
a
server-side
trash
folder
right
reason.
So
if
I've
got
a
server-side
trash,
folder.
E
F
J
E
J
This
would
depend
on
your
client,
but
I
would
expect
it
if
it's
actually
labeled
delete
I
would
expect
it
basically
to
remove
it
from
that
mailbox
and
add
it
to
the
trash
there's
also
in
the
other
mailboxes,
and
if
you
empty
your
trash,
it
wouldn't
delete
it
from
the
other
mailboxes.
It
would
just
remove
the
trash
so.
J
E
E
Given
that,
if
I
delete
the
mailbox
mm-hmm
one
choice,
well,
one
choice
is
that's
the
problem.
One
choice
is
to
say
to
delete.
The
mailbox
is
to
remove
this
mailbox
from
the
messages
and
add
trash
to
them
right.
That
would
be
one
way
to
implement
and
and
then
I
don't
have
to
worry
about
this
move
it
on
last,
because
if
the
user
sees
that,
as
deleting
this
mailbox
deletes
all
these
messages,
maybe
they
all
well.
J
E
F
F
Only
issue
with
that
is,
if
you
have
a
limited
size,
trash
folder,
then
you
can
wind
up
flushing
your
trash
with
messages
that
you
didn't
really
need
to
trash.
There's
some
stuff
from
jabber
Robert
says:
wouldn't
an
on
last
reference
move
to
imply
an
account
global
lock
on
all
messages
for
this
operation.
F
J
G
J
I
E
J
I
J
J
I
I
can
try
to
go
through
my
notes.
You
know
some
of
your
changes,
especially
about
sorting
they
hand-wave
about
how
we
sort
I,
think
that
needs
to
be
specified
and
we
have
a
collect
collation
registry
for
this,
or
at
least
you
know,
prescribed
by
default
sort
order,
I
think
using
Unicode,
and
there
is
also
in
some
places.
You
say
it's
case
insensitive
and
for
Unicode.
Oh,
my
god,
you
just
made
John
John
Clemson,
very.
J
I
F
I
I
I
E
E
I
F
J
H
F
I
I
F
I
F
Realistically,
if
you
had
a
Russian
anti-spam
engine
that
put
in
an
anti-spam
message
that
said
in
Russian,
this
is
a
pile
of
junk
and
you
were
searching
for
that.
You
would
expect
to
find
it
not
expect
to
have
it
fail
to
find
it
because
you
didn't
decode
the
field,
even
though
it's
kind
of
non-standard
behavior,
it's
still
common
to
encode,
an
an
arbitrary
field,
I,
don't.
F
E
I
No,
you
typically,
if
you
want
to
search
for
specifically,
so
if
there
is
a
fixed
small
set
of
fields
that
we
know
about
like
from
date
subject,
you
know
to
GC
decoding.
There
is
absolutely
fine
because
they
are
well
specified.
They're,
structured
header
fields,
everything
you
don't
else
you
don't
know
about
is
unstructured.
F
I
F
I
I
J
I
I
I
You
have
a
minor
thing:
I
can
send
it
an
email
when
deciding
for
message
submission.
You
know,
what's
the
primary,
what
you
are
going
to
put
in
mouth
from
by
default,
you
assume
that
sender
can
have
multiple
values.
I,
don't
think
sender
can
have
on
the
front,
can
have
multiple
value.
Sanders
can't
I
mean
it's
sort
of
the
way.
It's
it's
war
that
you
take
the
first
one
even
from
the
sender,
but
in
the
center
you
can
only
have
one
so
I
mean
it's
a
Magna
thing.
The.
J
J
I
I
C
J
C
J
F
I
F
I
J
I
J
F
J
J
I
J
C
J
J
I
would
say
it's
up
to
the
server,
so
one
option
is
the
server
can
reject.
You
is
an
invalid
message
because
they
can
always
reject
whatever
you
blob.
You
upload
is
not
being
a
valid
I,
see
HTT
message
or
the
other
option
is.
The
champ
doesn't
actually
lie
on
the
eighty-two
message.
Id
at
all,
so
there's
no
reason
why
couldn't
exist
in
the
game.
App
Store.
Now.
To
be
honest,
you
really
wants
to
the.
C
J
C
H
H
J
So
yeah
so
I
mean
Jamie
already
has
a
in
just
the
cool
syntax.
The
server
is
allowed
to
return
any
properties
that
it
changed.
When
you
create
something.
So
we
can,
we
can
just
specify
that
it's
allowed
to
change
any
of
those
properties
and
there's
already
a
method
for
it
to
tell
the
squire
what
it
changed.
If
you
change
anything,
so
you
can
see
so
when
they
upload
it
immediately.
H
F
F
H
J
H
J
J
Http
fetch
so
I,
don't
know
if
there's
a
standard,
HTTP
response
for
the
services.
I
did
not
return
this
data
because
of
security
policy,
but
the
the
other
I
guess
the
other
options
yeah.
If
we
could,
if
you
want
a
way
of
returning
this
kind
of
in
the
past
message,
format
to
say
this
attachment
I,
so
you
want
the
attachment
to
be
there.
So
then
users
know
that
wasn't
attachment,
but
just
the
same.
H
J
H
J
So
we
can
definitely
add
that
I
think
as
a
yes
policy
refused
error
or
something
if
you
try
and
actually
download
the
binary
data.
Obviously,
if
the
client
downloaded
it
before
with
a
server
decided
is
bad
and
it's
cached
it
there's
not
much.
You
can
do
unless
the
client
checks
again
later.
That's
where,
if
you'd
have
to
actually
modify
the
message
in
some
way,
so
it
got
the
update.
H
H
One
question:
what
does
he
believe
some?
Why
what
provision
you
have
for
for
seeing
a
client
to
redownload
in
case
it
doesn't
have
an
up-to-date
Sarah
decided
version,
then
I
say
the
server
decide
like
I
took
for
the
time
after
you
don't
know
date,
the
body
the
modified
body
decide
to
change
the
content.
They
say
there
was
a
Bergamo
server-side
hard
to
get
the
client
to
research.
The
updated
drops
you'd.
E
J
H
J
Necessarily
because
it
depends
on
how
the
server
does
it,
the
attachment
has
a
blob
ID,
which
represents
the
binary
data,
which
is
the
bulk
of
the
attachment,
and
if
your
server
does
that
by
like
char
256
of
the
data
which
is
kind
of
what
we
do,
then
you
would
see.
I
already
have
that
if
you
download
the
new
message,
but
the
message
reference
is
the
same
blob
ID
for
the
date
with
the
attachment
so
go
so
I
already
have
that
case,
so
it
wouldn't
necessarily
have
to
download
the
whole
attachment
again.