Re: [apps-discuss] webfinger privacy question/suggestion

William Mills <wmills@yahoo-inc.com> Thu, 01 November 2012 02:42 UTC

References: <508E66FB.4070708@cs.tcd.ie> <0b3b01cdb61c$981dc600$c8595200$@packetizer.com> <508F0870.9050402@cs.tcd.ie> <0b9901cdb636$bf951480$3ebf3d80$@packetizer.com> <508F2B78.2000006@cs.tcd.ie> <0be001cdb64b$eb574560$c205d020$@packetizer.com> <508FA55F.5020608@cs.tcd.ie> <5FC89052-EE84-4C80-BEE8-ABAD7C784F5A@gmx.net> <6.2.5.6.2.20121030093556.0a82b130@resistor.net> <00ee01cdb701$7a68ef00$6f3acd00$@packetizer.com> <6.2.5.6.2.20121030230234.0b40f3c8@resistor.net> <CAMm+LwhomffUFiUhV1S=b2CADTCOCoVEnswnh4CJtHZ0EAUvGA@mail.gmail.com> <EBC702B1-BDC2-4FEE-8DC1-179D09CC27C6@gmx.net> <00c201cdb7bb$a0dfc7c0$e29f5740$@packetizer.com>
Message-ID: <1351737760.135.YahooMailNeo@web31803.mail.mud.yahoo.com>
Date: Wed, 31 Oct 2012 19:42:40 -0700
From: William Mills <wmills@yahoo-inc.com>
To: "Paul E. Jones" <paulej@packetizer.com>, 'Hannes Tschofenig' <hannes.tschofenig@gmx.net>, 'Phillip Hallam-Baker' <hallam@gmail.com>
In-Reply-To: <00c201cdb7bb$a0dfc7c0$e29f5740$@packetizer.com>
Cc: 'General discussion of application-layer protocols' <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] webfinger privacy question/suggestion

It is probably up to the service to determine whether they return different information to an authenticated context.  Auth method and behavior are outside the scope of WF, I think.
>________________________________
> From: Paul E. Jones <paulej@packetizer.com>
>To: 'Hannes Tschofenig' <hannes.tschofenig@gmx.net>; 'Phillip Hallam-Baker' <hallam@gmail.com> 
>Cc: 'General discussion of application-layer protocols' <apps-discuss@ietf.org> 
>Sent: Wednesday, October 31, 2012 4:01 PM
>Subject: Re: [apps-discuss] webfinger privacy question/suggestion
> 
>Hannes,
>
>I'm not sure if it is possible to use OAuth with
>/.well-known/host-meta.json.
>
>Can OAuth be used to protect any resource on the Internet?  If so, it could
>be used to control access to /.well-known/host-meta.*.  For certain, all of
>the link relations provided could be protected with any authentication
>scheme.  Just because my WF server provides the link to my address book does
>not mean anyone would have authorization to retrieve it.
>
>Sometimes I wonder if people have forgotten or not considered that fact.
>Certain information is revealed just from the JRD document itself (e.g., the
>very fact I have some piece of data published), but the actual referenced
>document can be tightly controlled.
>
>Within a corporate environment, I would even expect an internal WF query to
>return different results than an external one.  That would not require
>OAuth, but would be controlled based on whatever mechanism is used to
>determine if a person has access rights as an employee.
>
>Paul
>
>> -----Original Message-----
>> From: apps-discuss-bounces@ietf.org [mailto:apps-discuss-
>> bounces@ietf.org] On Behalf Of Hannes Tschofenig
>> Sent: Wednesday, October 31, 2012 9:06 AM
>> To: Phillip Hallam-Baker
>> Cc: General discussion of application-layer protocols
>> Subject: Re: [apps-discuss] webfinger privacy question/suggestion
>> 
>> Hi Phillip,
>> 
>> On Oct 31, 2012, at 2:20 PM, Phillip Hallam-Baker wrote:
>> 
>> > Javascript which basically was designed by people who only cared about
>> goosing their stock options.
>> 
>> I do not disagree with you here but WebFinger by itself does not
>> necessarily need to be implemented in JavaScript(*).
>> 
>> > 'is Web finger helping people to do the sorts of things that users
>> want without unexpected privacy side effects'
>> 
>> There are use cases where people want to use WebFinger as a discovery
>> mechanism (such as OAuth) where the current design of WebFinger
>> introduces privacy problems (unnecessarily). I raised this issue last
>> year in May:
>> http://www.ietf.org/mail-archive/web/oauth/current/msg08965.html
>> 
>> It seems that WebFinger has become a solution in search of a problem for
>> some people.
>> 
>> Ciao
>> Hannes
>> 
>> PS: (*) In the context of the use case I care about (namely identity
>> management) implementations of JavaScript tend to have serious security
>> problems.
>> _______________________________________________
>> apps-discuss mailing list
>> apps-discuss@ietf.org
>> https://www.ietf.org/mailman/listinfo/apps-discuss
>
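The disclosure model argued over in this thread, as an added example that is not code from the thread or from any WebFinger implementation: the JRD itself can reveal that a link exists while the referenced document enforces its own access control, and an internal (authenticated employee) query may see more link relations than an external one. The account, link relation types, URLs and the server-side `reveal`/`fetch` policy tags are constructed assumptions; the tags are never sent on the wire, and how the caller was authenticated is left out, as the thread says it is out of WebFinger's scope.

```python
"""Minimal WebFinger/JRD responder illustrating per-context disclosure.

Added example, not code from the thread or any WebFinger implementation.
The account, relation types, URLs and the 'reveal'/'fetch' policy tags are
constructed for illustration; the tags are server-side policy and never
appear in the JRD sent on the wire.
"""
import json

PUBLIC, EMPLOYEE = "public", "employee"

# Constructed directory: each link says who may learn it exists ('reveal')
# and who may fetch the referenced document ('fetch').
ACCOUNTS = {
    "acct:alice@example.com": {
        "aliases": ["https://example.com/~alice"],
        "links": [
            {"rel": "http://webfinger.net/rel/profile-page",
             "href": "https://example.com/~alice",
             "reveal": PUBLIC, "fetch": PUBLIC},
            # Existence is public, content is not: the JRD admits Alice has a
            # calendar, but retrieving it requires an authenticated employee.
            {"rel": "http://example.com/rel/calendar",
             "href": "https://example.com/~alice/calendar",
             "reveal": PUBLIC, "fetch": EMPLOYEE},
            # Internal-only: external queries never learn this link exists.
            {"rel": "http://example.com/rel/address-book",
             "href": "https://example.com/~alice/contacts",
             "reveal": EMPLOYEE, "fetch": EMPLOYEE},
        ],
    },
}


def _allowed(required, context):
    """Policy check: PUBLIC is open to everyone, EMPLOYEE only to a request
    authenticated as an employee.  The authentication mechanism itself is
    out of scope here, as it is in the thread."""
    return required == PUBLIC or context == EMPLOYEE


def resolve_jrd(resource, context="anonymous", rels=None):
    """Build the JRD for `resource` as seen from `context`.

    rels: optional list of link relation types to filter on (the optional
    'rel' filter of the WebFinger draft).  Returns (status, jrd_or_None).
    """
    entry = ACCOUNTS.get(resource)
    if entry is None:
        return 404, None
    links = [
        {"rel": link["rel"], "href": link["href"]}  # strip policy tags
        for link in entry["links"]
        if _allowed(link["reveal"], context)
        and (not rels or link["rel"] in rels)
    ]
    return 200, {"subject": resource,
                 "aliases": list(entry["aliases"]),
                 "links": links}


def authorize_fetch(href, context="anonymous"):
    """Check applied by the *referenced* resource when it is requested.
    A link advertised in the JRD grants no right to retrieve its target."""
    for entry in ACCOUNTS.values():
        for link in entry["links"]:
            if link["href"] == href:
                return _allowed(link["fetch"], context)
    return False  # unknown target: deny by default


if __name__ == "__main__":
    for ctx in ("anonymous", EMPLOYEE):
        status, jrd = resolve_jrd("acct:alice@example.com", ctx)
        print(ctx, status, json.dumps(jrd, indent=2))
    print("anonymous fetch of calendar allowed:",
          authorize_fetch("https://example.com/~alice/calendar", "anonymous"))
```

The two checks are deliberately separate functions: what the JRD discloses is one policy decision, what the linked document returns is another, which is the distinction Paul draws between the existence of a piece of data and access to the data itself.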