Re: [apps-discuss] Looking at Webfinger
"Paul E. Jones" <paulej@packetizer.com> Tue, 11 September 2012 04:06 UTC
Return-Path: <paulej@packetizer.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63C2D21F875D for <apps-discuss@ietfa.amsl.com>; Mon, 10 Sep 2012 21:06:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.949
X-Spam-Level:
X-Spam-Status: No, score=-1.949 tagged_above=-999 required=5 tests=[AWL=0.649, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iBxb0-TLSDaB for <apps-discuss@ietfa.amsl.com>; Mon, 10 Sep 2012 21:06:27 -0700 (PDT)
Received: from dublin.packetizer.com (dublin.packetizer.com [75.101.130.125]) by ietfa.amsl.com (Postfix) with ESMTP id 5A78621F8746 for <apps-discuss@ietf.org>; Mon, 10 Sep 2012 21:06:27 -0700 (PDT)
Received: from sydney (rrcs-98-101-148-48.midsouth.biz.rr.com [98.101.148.48]) (authenticated bits=0) by dublin.packetizer.com (8.14.5/8.14.5) with ESMTP id q8B46O91018481 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Tue, 11 Sep 2012 00:06:25 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=packetizer.com; s=dublin; t=1347336385; bh=WRwRAUwJ4gcnxRVUYHpYSoN3bStiHsT5gLmUzAkMzGs=; h=From:To:Cc:References:In-Reply-To:Subject:Date:Message-ID: MIME-Version:Content-Type; b=KEbVaVe8sJSKuCSpfgNXLU2Hqrte22G8GsQvf3WNynexwKpts1WLIQ7c1cPaZcCtH 1ZA8IWhV7CzwcXK/3o+r8/o2d1Oxp4mylzSCHFdrMODLh/P308lwRYse+qGLb1ZPpI 6av87c+5FAn8C/3yGUK2lNqt0xib62RzsL+q/Oy0=
From: "Paul E. Jones" <paulej@packetizer.com>
To: 'John Panzer' <jpanzer@google.com>, 'John Bradley' <ve7jtb@ve7jtb.com>
References: <F80C8C9C-7AB8-4B7E-BFD2-4D69499D21A1@mnot.net> <4E1F6AAD24975D4BA5B168042967394366574F93@TK5EX14MBXC283.redmond.corp.microsoft.com> <CABP7RbfNXx8HtsRBcVf=AVaDTyg=xQYHWAyCkHWx1n+JBQ8=Zw@mail.gmail.com> <CAMm+Lwg20rfr=P66=vZadL8Ga5KDXmfizZE5v6dXiZMTvZKY=Q@mail.gmail.com> <44C43601-A355-44B7-8C8E-1F435E4E567A@ve7jtb.com> <CAMm+LwgM57++oqE-5meECxE0S=kU2kVHJLumyDSBciJ13QvuoA@mail.gmail.com> <CABP7RbctkibSKr6r_Ay34z4Wr67tU6qG5G5gLCZovGx_hWYHYQ@mail.gmail.com> <DF4591C5-A5AE-4D2A-BB3A-FF4DAFBBD98A@ve7jtb.com> <CABP7RbefS9Sy2m0GsiSx2VZopf78DhqU1fjfsDn5z926Q_--GA@mail.gmail.com> <CAJu8rwUeAKEtAS-g6X3xJqyu-Xy6yQnfdeNj3mGC__D3zijwzA@mail.gmail.com> <35550AA9-E003-4917-B08C-93CB6CC2CB07@mnot.net> <CAJu8rwWKa7ehr+k=zDWD=OMzPTEt56inPW0tvZaNUmdcL3ygoQ@mail.gmail.com> <503CDF26.8050000@aol.com> <02a301cd8551$be7ab390$3b701ab0$@packetizer.com> <3BE24613-9CA0-4B2C-AB33-274026D534FB@ve7jtb.com> <032d01cd8597$aac7f740$0057e5c0$@packetizer.com> <046501cd860c$da464420$8ed2cc60$@packe! tizer.com> <287CDD14-DE C2-40AD-AD5D-DC102D5AAAE6@ve7jtb.com> <CAJu8rwX=F8o8U2tv3vJbL+p2dnGVGDtccKOk+ukn4jtSXNwDxg@mail.gmail.com>
In-Reply-To: <CAJu8rwX=F8o8U2tv3vJbL+p2dnGVGDtccKOk+ukn4jtSXNwDxg@mail.gmail.com>
Date: Tue, 11 Sep 2012 00:06:28 -0400
Message-ID: <07cb01cd8fd2$d2320510$76960f30$@packetizer.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_07CC_01CD8FB1.4B23C070"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQFb3Wt68HpLZ7ZyHnoKMrZHlzcyBQH14U4xAZ6Br/cCWNrQtwIOUYf2AgMXr+8B4HmqlgGhGIVxAUAhVLECgOqLOADUaqV0Ain7f7cBffnLSQIkbXUiAp1soAQC/kiSjgGrOFrXAhluBTcBspR9LJdQQTGg
Content-Language: en-us
Cc: 'Mark Nottingham' <mnot@mnot.net>, 'IETF Apps Discuss' <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] Looking at Webfinger
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Sep 2012 04:06:36 -0000
John, I've hosted my domains with the smallest providers and I manage my primary domain myself. In all cases, I've been able to use 3xx to redirect requests. Do you think this will not be workable for any domain owners? I agree that if we had to do it all over again, we could explore lots of options. I do like the idea of a URI DNS record, but I'm not sure if any clients would query for it even if we mandated it at this point. We could specify a special name like "_webfinger.example.com". However, we run into the same issues: clients may not query for that. Perhaps equally important, this shifts us away from the ".well-known" work that was defined. What we do not want, of course, is a solution that is DOA. If there is anything about WF that is going to halt adoption, let's fix it now. Otherwise, I suggest we live with what has been specified. Paul From: John Panzer [mailto:jpanzer@google.com] Sent: Wednesday, August 29, 2012 2:13 PM To: John Bradley Cc: Paul E. Jones; Mark Nottingham; IETF Apps Discuss Subject: Re: [apps-discuss] Looking at Webfinger Based on experience, I'd prefer to avoid things that depend on the bare ("naked") domain (example.com instead of www.example.com or webfinger.example.com). I could write up the reasons but it'd take some time. Unfortunately, webfinger as originally spec'd requires this. If we were to start over, and get to vote for whatever I wanted, and were going to allow DNS records at all, I would probably vote for something like webfinger.example.com as a special magic name (with the actual name chosen so as not to collide with any existing DNS entries). Any normal hosting mechanisms will work here, including A records and CNAMEs and HTTP redirects, but I'd also require everything be done via TLS with correctly signed certificates for that subdomain (argh! the pain!). Organizationally, this would mean that any part of the organization that can stand up a separate SSL service on a new subdomain can provide webfinger services. On Wed, Aug 29, 2012 at 10:57 AM, John Bradley <ve7jtb@ve7jtb.com> wrote: I am not the best person to represent Google's needs. However as I understand it Google hosts applications such as email documents openID for tens of thousands of domains. Google themselves don't control the DNS. The people using the service generally add some MX records for aspmx.l.google.com. and a Cname for mail.example.com to ghs.google.com. The A record for the bare domain typically points off to some Content management site the company uses for their web pages. I think this is probably typical of Yahoo's mail hosting services and others. The service hosing the email/authentication/openID is not the one that controls the web server for company. Saying the CMS venders will provide WebFinger services doesn't seem all that likely, especially in virtual hosting environments. Getting a typical company to do anything more than enter a cname for webfinger.example.org is wildly optimistic. I am entirely open to Ideas on this. However the previous solution of having every RP check with google first to see if they host the email and provide the XRDS seems horribly flawed to me. I would like to see a workable solution at the discovery layer that accommodates how people deploy there sites. I think Bill suggested at one point using the MX record to find the webfinger host. That has a bunch of problems I would prefer to avoid. John B. On 2012-08-29, at 1:36 PM, "Paul E. Jones" <paulej@packetizer.com> wrote: John, Well, we need to figure out how to address this. Would it be reasonable to redirect requests from /.well-known/host-meta.json and /.well-known/host-meta to Google? Are there other services or files under /.well-known that Google's customers would not want Google to host? If they were OK with Google's servers responding to anything , then one could put an A (or CNAME) record in place for <http://example.com> example.com that points to Google. Not being familiar with what Google offers, I'm a bit challenged to understand exactly what is and is not possible. Paul From: John Bradley [mailto:ve7jtb@ve7jtb.com] Sent: Wednesday, August 29, 2012 10:14 AM To: Paul E. Jones Cc: 'George Fletcher'; 'Mark Nottingham'; 'IETF Apps Discuss' Subject: Re: [apps-discuss] Looking at Webfinger There mite be a A record but that typically goes off to some virtual web hosting company and not the email service provider. I think I have also heard William say this is a problem for Yahoo. Google was not able to get people to deploy XRDS for hosted domains. They came up with a proprietary extension to openID discovery to make hosted google apps domains work with some subset of RP. The problem is that the company hosting a small businesses website is unlikely to provide the web finger infrastructure and there is no way for the email/openID provider to do it without their cooperation. Adding a A record rather than a CNAME is generally not a good idea if it can be avoided. In the event of the provider changing an IP address it breaks all the customers if they have used A records, but that is separate issue. You can set up webfinger on your web server and manage it. It just won't work for large numbers of people as we have it now. If webfinger won't work for Google Apps for Domains and other hosted services like that then It will significantly impact adoption in my opinion. We will also need to work around that for Connect. We don't want another proprietary work around with the security problems that can entail. John B. On 2012-08-28, at 11:37 PM, "Paul E. Jones" < <mailto:paulej@packetizer.com> paulej@packetizer.com> wrote: John, If Google is hosting the domain or any other service provider, wouldn't there still be an A record for the domain (e.g., <http://packetizer.com> packetizer.com)? I know there is for virtually every web hosting company I've used. It seems like this might just be one more hosted service Google could provide to its customers, no? I do not know exactly how this hosted service works, but what's hosted? I assume it's just email. If web, then I see no issue. If only email, then the user just needs to have MX records pointing to Google and an A record pointing to whatever service runs the WebFinger service. In any case, if they can add a CNAME or MX record, I think we can get them to add an A record. I think it would be far more challenging for SMBs to add a host like <http://webfinger.example.com> webfinger.example.com. That would still require an A record and a service provider capable of supporting it. Paul From: John Bradley [mailto:ve7jtb@ <http://ve7jtb.com> ve7jtb.com] Sent: Tuesday, August 28, 2012 3:29 PM To: Paul E. Jones Cc: 'George Fletcher'; 'Mark Nottingham'; 'IETF Apps Discuss' Subject: Re: [apps-discuss] Looking at Webfinger There are cases where there are hosted domains (Google etc) that may not have a http host for the domain name used in the users email address. There may be merit to having a <http://webfinger.example.com> webfinger.example.com fallback where the client can't reach the .well-known for the primary host. I know that some sort of SRV record would be the correct way to do it, but in the real world SMB don't enter SRV records even if there DNS provider support them. The most you can get them to do is add a CNAME or MX record. Supporting these sorts of domains somehow is a important issue. John B. On 2012-08-28, at 3:17 PM, "Paul E. Jones" < <mailto:paulej@packetizer.com> paulej@packetizer.com> wrote: George, I believe it might be useful to introduce those who break your WebFinger server to Louisville Slugger. :) Your pain is understood, but I do not see a way to avoid it. We could introduce something in DNS, but that would also present challenges. No matter where we "root" the discovery process, there is a potential somebody could break it. It could be rooted somewhere other than the root of the domain (e.g., <http://webfinger.example.com> webfinger.example.com), but we either need to decide in advance of such a location or introduce a way to discovery the discovery resources. Do you have a suggestion that would make this less likely to be broken? Paul From: <mailto:apps-discuss-bounces@ietf.org> apps-discuss-bounces@ietf.org [mailto:apps- <mailto:discuss-bounces@ietf.org> discuss-bounces@ietf.org] On Behalf Of George Fletcher Sent: Tuesday, August 28, 2012 11:09 AM To: Mark Nottingham Cc: IETF Apps Discuss Subject: Re: [apps-discuss] Looking at Webfinger Way "late to the party" but I can speak from experience that deployment can be a real issue in some environments. It's all really straight forward in a small company or an environment where the identity team "owns" the root domain (e.g. <http://example.com> example.com). However, if an entire other group in a large organization "owns" the root domain (home page for the site) and the identity team then needs to get them to make changes, the deployment solution gets brittle pretty quick. I've had our webfinger support broken at least twice because the "other" team didn't know that certain configs were required:) Also, installing the "dynamic pluming" can be more problematic is these cases. It is possible to get apache rewrite rules or netscaler magic in place to make it work, it's just a more brittle deployment architecture. Thanks, George On 7/4/12 6:58 PM, John Panzer wrote: Mark -- Of course I was speaking about practical realities of typical web server administration and deployment. In practical terms, adding a new mod_rewrite rule or moral equivalent is going to be easier than adding a new PHP script that connects to a database. The latter is just always going to be a much higher bar. And, something that returns per-user data is generally going to need a dynamic service of some kind, unless your site has just a handful of users and you don't mind going through a publishing exercise each time you add or change a user... None of this has anything to do with the interface, just deployment realities. And in reality all of this is going to need a dynamic service somewhere for each non-trivial site, this is all just a question of how to hook it up. -- John Panzer / Google <mailto:jpanzer@google.com> jpanzer@google.com / <http://www.abstractioneer.org/> abstractioneer.org / @jpanzer On Wed, Jul 4, 2012 at 3:36 PM, Mark Nottingham < <mailto:mnot@mnot.net> mnot@mnot.net> wrote: On 05/07/2012, at 8:16 AM, John Panzer wrote: > Just as a historical note. The envisioned usage of host-meta was originally to avoid a specification which mandated a particular dynamic URL API at a particular /.well-known endpoint (because it may not be feasible to do that across all organizations and deployments). The host-meta document itself would be highly cacheable and so wouldn't incur an additional network trip in the common case. > > Having a 3xx redirect is a reasonable alternative that allows a similar escape hatch via something like mod_rewrite, albeit at the cost of needing an additional network trip each time. Since a deployment can always avoid the 3xx redirect with additional dynamic plumbing behind the well-known endpoint, I don't think that's a horrible thing. > > An application-level redirect would be almost equivalent to an HTTP redirect, but then there are two ways to do the same thing. If _only_ an application-level redirect is allowed, then you have to have at least a minimal dynamic service at the well-known endpoint (no more mod_rewrite). But the whole reason for this is to avoid the requirement for a dynamic service behind well-known... "dynamic" and "static" are properties of the implementation, not the interface. HTTP doesn't require that any particular URL be "dynamic"; anything can, with the right metadata, be cached (and indeed, I've cached many, many things with the wrong metadata, because of silly site operators and their ideas about "dynamic"). Now, if people want to target a particular implementation that makes it easier to serve a particular style of URL without writing code, fine, but let's not confuse things. E.g., a URL like <http://example.com/.well-known/user/bob> http://example.com/.well-known/user/bob is easy to serve in pretty much any way you like with Apache. I'm also going to push back on the "it may not be feasible to do that across all organizations and deployments" motivation. This is a race to the bottom. The trick is to make it accessible enough to get sufficient traction to pull everyone along, without pandering to *everyone*'s requirements. Regards, -- Mark Nottingham <http://www.mnot.net/> http://www.mnot.net/ _______________________________________________ apps-discuss mailing list <mailto:apps-discuss@ietf.org> apps-discuss@ietf.org <https://www.ietf.org/mailman/listinfo/apps-discuss> https://www.ietf.org/mailman/listinfo/apps-discuss _______________________________________________ apps-discuss mailing list <mailto:apps-discuss@ietf.org> apps-discuss@ietf.org <https://www.ietf.org/mailman/listinfo/apps-discuss> https://www.ietf.org/mailman/listinfo/apps-discuss _______________________________________________ apps-discuss mailing list apps-discuss@ietf.org https://www.ietf.org/mailman/listinfo/apps-discuss
- [apps-discuss] Looking at Webfinger Mark Nottingham
- Re: [apps-discuss] Looking at Webfinger Mike Jones
- Re: [apps-discuss] Looking at Webfinger Mark Nottingham
- Re: [apps-discuss] Looking at Webfinger William Mills
- Re: [apps-discuss] Looking at Webfinger Melvin Carvalho
- Re: [apps-discuss] Looking at Webfinger Michiel de Jong
- Re: [apps-discuss] Looking at Webfinger George Fletcher
- Re: [apps-discuss] Looking at Webfinger Phillip Hallam-Baker
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger Peter Saint-Andre
- [apps-discuss] the need for acct (was: Re: Lookin… Peter Saint-Andre
- Re: [apps-discuss] Looking at Webfinger Julian Reschke
- Re: [apps-discuss] the need for acct (was: Re: Lo… Phillip Hallam-Baker
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] the need for acct (was: Re: Lo… William Mills
- Re: [apps-discuss] Looking at Webfinger Barry Leiba
- Re: [apps-discuss] Looking at Webfinger Paul E. Jones
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger James M Snell
- Re: [apps-discuss] Looking at Webfinger Phillip Hallam-Baker
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger Phillip Hallam-Baker
- Re: [apps-discuss] Looking at Webfinger Murray S. Kucherawy
- Re: [apps-discuss] Looking at Webfinger Melvin Carvalho
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger James M Snell
- Re: [apps-discuss] Looking at Webfinger William Mills
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger James M Snell
- Re: [apps-discuss] Looking at Webfinger John Panzer
- Re: [apps-discuss] Looking at Webfinger Mark Nottingham
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger John Panzer
- Re: [apps-discuss] Looking at Webfinger Martin J. Dürst
- Re: [apps-discuss] the need for acct (was: Re: Lo… Paul E. Jones
- Re: [apps-discuss] Looking at Webfinger Melvin Carvalho
- Re: [apps-discuss] Looking at Webfinger Phillip Hallam-Baker
- Re: [apps-discuss] Looking at Webfinger Paul E. Jones
- [apps-discuss] R: the need for acct (was: Re: Loo… Goix Laurent Walter
- Re: [apps-discuss] Looking at Webfinger George Fletcher
- Re: [apps-discuss] Looking at Webfinger Paul E. Jones
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger Paul E. Jones
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger George Fletcher
- Re: [apps-discuss] Looking at Webfinger Paul E. Jones
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger John Panzer
- Re: [apps-discuss] Looking at Webfinger William Mills
- Re: [apps-discuss] Looking at Webfinger Paul E. Jones
- Re: [apps-discuss] Looking at Webfinger Patrik Fältström
- Re: [apps-discuss] Looking at Webfinger William Mills
- Re: [apps-discuss] Looking at Webfinger Patrik Fältström
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger Patrik Fältström
- Re: [apps-discuss] Looking at Webfinger James M Snell
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger Bob Wyman
- Re: [apps-discuss] Looking at Webfinger Paul E. Jones
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger Nat Sakimura
- Re: [apps-discuss] Looking at Webfinger Paul E. Jones
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger Paul E. Jones
- Re: [apps-discuss] Looking at Webfinger Salvatore Loreto