Re: [Aggsrv] updated charter proposal

"Paul E. Jones" <> Wed, 27 February 2013 18:23 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4604021F84BE for <>; Wed, 27 Feb 2013 10:23:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.398
X-Spam-Status: No, score=-2.398 tagged_above=-999 required=5 tests=[AWL=0.201, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id v++MLf4gxY6x for <>; Wed, 27 Feb 2013 10:23:34 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 0B3A321F84A6 for <>; Wed, 27 Feb 2013 10:23:33 -0800 (PST)
Received: from sydney ( []) (authenticated bits=0) by (8.14.5/8.14.5) with ESMTP id r1RINPfq015471 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 27 Feb 2013 13:23:25 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=dublin; t=1361989407; bh=BBhEQr4oTnXH25aPsUn/4/DNCC6JxaXtuHDliPkoPgs=; h=From:To:References:In-Reply-To:Subject:Date:Message-ID: MIME-Version:Content-Type:Content-Transfer-Encoding; b=XCHu35TdsIdHwR5Rqa/UINchyfSvl/yJ7dvXWRLV3mH/KpYCJSEVt6XjPAIFJZXJq sWsGEiKtB68zlUAZZLcK2DxmvVlaeYsLCQKWN4NKoKatL/TLFVYBZKGyBNVXEhT4Ls YwZqaXKX4IDYbtclEPIq7AwLVRpsn2+AfC2Lq38Y=
From: "Paul E. Jones" <>
To: 'Cyrus Daboo' <>, 'Peter Saint-Andre' <>,
References: <> <01f701ce13ab$a9def660$fd9ce320$> <>
In-Reply-To: <>
Date: Wed, 27 Feb 2013 13:23:32 -0500
Message-ID: <011601ce1517$8df64080$a9e2c180$>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Content-Language: en-us
Subject: Re: [Aggsrv] updated charter proposal
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Aggregated Service Discovery \(aggsrv\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 27 Feb 2013 18:23:35 -0000


> -----Original Message-----
> From: Cyrus Daboo []
> Sent: Wednesday, February 27, 2013 11:10 AM
> To: Paul E. Jones; 'Peter Saint-Andre';
> Subject: Re: [Aggsrv] updated charter proposal
> Hi Paul,
> --On February 25, 2013 at 5:58:44 PM -0500 "Paul E. Jones"
> <> wrote:
> > I'm confused.  How is what is being described different than what
> > WebFinger can do? From what I can tell, what is missing is just the
> > definition of "rel" and "properties" values for WebFinger.  That would
> > be a good focus for the group.
> >
> > Do we want to define another new protocol that is so similar?
> Will you be in Orlando to provide input to the BoF?

Yeah, I will be there.
> It does look like webfinger could be a viable solution - and indeed I
> see you have an example in the webfinger spec of auto-configuration of
> an email client. Maybe it is sufficient for aggsrv to standardize the
> appropriate properties for services, and semantics of priority, grouping,
> and security requirements.

Yeah, but it's only for illustrative purposes.  It is there more to
demonstrate the use of "properties" in WebFinger than to prescribe a
solution to mail server auto-provisioning.

> What I might do is try taking the examples in the spec I wrote and see
> what they would look like in terms of webfinger.

Cool.  If you need any input, I'm glad to provide it.
> That said, I have some questions:
> 1) Security - it still seems to me that there is a fundamental
> difference in security "contexts" here. In particular, the aggsrv
> information must only be given out to the actual "owner" of the account.
> The webfinger spec does have a section on access control, aggsrv would
> need to have much stronger language. At the very least I think you
> should change Section 3.3 of webfinger to include an example of an
> authenticated HTTP request and point out in the text that authentication
> is required.

It's mentioned in the WebFinger spec (or is supposed to be) that linked
resources might require their own authentication.  For mail server
configuration, for example, I can fully appreciate that one might use a TLS
connection to some other URI and use basic authentication with the user's
email server user ID and password for authentication.  The response might be
some JSON object that contains all of the config data.

> 2) If no rel= parameter is provided in the URI, is the webfinger server
> required to return all information for the target resource= value? It
> seems to me that aggsrv information should not be returned by "default"
> (i.e., when there is no rel=) but rather should only be returned by an
> explicit request for it (with a very specific rel=).

Yeah, without "rel" everything is to be returned.  WebFinger is about
discovery what's published, not just for asking for a specific piece of
information.  If there is a specific piece of information a client is
seeking (such as the case with OpenID Connect), then one can include "rel"
to reduce the size of the response.  Usually, though, one might use a client
(e.g., an email client) and want to discover all kinds of information about
the sender of a message.  So, if I publish my blog URI, H.323 URI, Twitter
ID, etc. you might want to be able to see all of those when you move the
mouse over my name.

Here's an example:

This script queries a WebFinger server and then shows what it finds.
> 3) Links - one of the things we want to avoid is having aggsrv clients
> having to follow lots of links to get all the relevant data - that would
> pretty much eliminate one of the key performance enhancements we are
> looking to get with the new protocol over current best practice.

In the above demo, a single query is made to the server and all data is
returned in a single response.  The links can be followed by the user.  If
you want to hide certain information (such as the hostname of the mail
server or whatever), then that would have to be protected behind a link that
requires authentication.

There's a balance that has to be struck here between discovery and
performance of the discovery process AND querying for specific information
that needs to be secured.

> 4) One of the simplest aspects of aggsrv is that it is trivial to setup
> a "static" document with service information and deploy that on the
> well-known URI. That significantly lowers the barrier to entry and makes
> the likelihood of deployment much greater. I am not sure that level of
> simplicity could be achieved with webfinger - at the very least it looks
> like the JRD response has to contain the "subject" member which echoes
> the resource= value. Whilst that could trivially be accomplished by, for
> example, string substitution in a PHP script it does imply additional
> overhead to deploy.

This was something we debated at length working on WebFinger.  There is
certainly an advantage in having a static file for small sites.  On the
other hand, using "rel" is useful and any large service provider I would
expect to pull all raw data from somewhere (e.g., a database), since
generation and maintenance of static files also involves some work.
Regardless, flexibility is there.

Look near the bottom of this page:
You will see a link to setting up a WF server:

This is a WF server implementation I wrote in Perl that I use for my own
server.  It actually does WF and RFC 6415 (XML + JSON) and pulls data from a
MySQL database, so perhaps a good of example of the most complex
implementation.  I don't worry about that, though, as anyone setting up a
server will not be counting lines of code.  One has the option to use a WF
server that uses a scripting language (Perl, PHP, etc.) or Apache re-write
rules that use static files.  I would guess that covers most people who
might want to run their own server.  Those who do not want to run their own
server could redirect requests to a WF "service provider".  That's also an