== Overview ==
We're We’re currently (mid‐2009) implementing "autoconfig" for [[Thunderbird, which is intended to be able to :Autoconfiguration|mechanisms within Thunderbird that automatically figure out the mail settings needed to configure an email account, like hostnames, ports, SSL on/off, secure auth algo etc.user accounts]]. All that the user should need to provide is his real a name, an email address and a password. We take Given those data, [[Thunderbird]] will seek the configuration parameters. Ideally, the domain provider of the user’s email address and try service would publish the configuration parameters. This document reviews the security of the protocol that governs Thunderbird’s attempts to find the retrieve configuration parameters from thatthe provider of the user’s email service.
Ideal way is that the ISP publishes the configuration. This is the security review of the protocol for this specific part (fetch configuration from ISP). For a general description of the flow, see [[Thunderbird:Autoconfiguration]]. The original discussion of the idea and protocol has been on the [http://groups.google.com/group/mozilla.dev.apps.thunderbird/browse_thread/thread/e8bdb0af31961908/a73bd97251b18777?q=#a73bd97251b18777 newsgroup The original discussion of mechanisms within Thunderbird that automatically configure user accounts] occurred in March 2008]-03. The linked, first post also contains a description. A security review has already been initiated on the [http://groups.google.com/group/mozilla.dev.apps.thunderbird/browse_thread/thread/e85fd8d5db0a4a6d/2b36ce3fbb7c2142?q=#2b36ce3fbb7c2142newsgroup 2b36ce3fbb7c2142 A security review of mechanisms within Thunderbird that automatically configure user accounts] began in Jan 2009]-01.
== Security and Privacy ==
