IETF Logo Mail Archive

Re: [apps-discuss] R: Webfinger discussion

Bob Wyman <bob@wyman.us> Wed, 28 March 2012 15:00 UTC

Return-Path: <bobwyman@gmail.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E498721E82A0 for <apps-discuss@ietfa.amsl.com>; Wed, 28 Mar 2012 08:00:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.658
X-Spam-Level:
X-Spam-Status: No, score=-2.658 tagged_above=-999 required=5 tests=[AWL=0.318, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0YNHky3u1fCK for <apps-discuss@ietfa.amsl.com>; Wed, 28 Mar 2012 08:00:39 -0700 (PDT)
Received: from mail-qc0-f172.google.com (mail-qc0-f172.google.com [209.85.216.172]) by ietfa.amsl.com (Postfix) with ESMTP id 86FE621E8296 for <apps-discuss@ietf.org>; Wed, 28 Mar 2012 08:00:38 -0700 (PDT)
Received: by qcsq13 with SMTP id q13so829466qcs.31 for <apps-discuss@ietf.org>; Wed, 28 Mar 2012 08:00:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=By61DNv0C33L3zbhTixgu/hQFVbcfgiFTBpFyy/igOE=; b=pCfMWTdlzX21RzF4gmrwjWXNnVqdSNkiteTqbH7MWFi9BqudC2stCWGtndj9//Eiio EwyF+2HJ7BDWjpKUC8cl/0Pg7cwh9s83M653krxIB+tDhQWVyOfWwUMNDaHqlANFYw3H x+3+BQsZlFiKMazE6z8kC3TlXLH4I7uXLpn2xIcAJY1ubdEUDtbNRXFIaMh5A9j6A0ab BO3r+/WRaKqSZZelKFdmgLq8DoY4GOr3b1UclGkrkQgmyZ4MqxOwPHOFaVoFyWxvncGw yqLlxOqFSg3jIIjw2Utzdp4sSLFF/NFgPl8ijhyde+b2QUU6orOgDtgsBws8iviHrVpm 8CSA==
MIME-Version: 1.0
Received: by 10.224.31.203 with SMTP id z11mr38943543qac.72.1332946829688; Wed, 28 Mar 2012 08:00:29 -0700 (PDT)
Sender: bobwyman@gmail.com
Received: by 10.229.157.16 with HTTP; Wed, 28 Mar 2012 08:00:29 -0700 (PDT)
In-Reply-To: <A09A9E0A4B9C654E8672D1DC003633AE52EDC52117@GRFMBX704BA020.griffon.local>
References: <053201cd0b5d$c08c80f0$41a582d0$@packetizer.com> <20120326150556.GC3557@mail.yitter.info> <CAA1s49V0M7N1pLua+ORxGWmsrd_yAA_KQ0Piqjg8VuWJ5=G+Lg@mail.gmail.com> <20120327084709.GB11491@mail.yitter.info> <00ac01cd0c34$cfc96f10$6f5c4d30$@packetizer.com> <CABP7RbdtMYtqgV=NepJMNintjF9hb4h6wv2ttc5bDVqE=yAvPA@mail.gmail.com> <00d201cd0c3a$b3672410$1a356c30$@packetizer.com> <CABP7Rbdcb_xTjLv+Y8brzvhuNiae0pOJKm-9qhHrQMg+xUYPVw@mail.gmail.com> <A09A9E0A4B9C654E8672D1DC003633AE52EDC52117@GRFMBX704BA020.griffon.local>
Date: Wed, 28 Mar 2012 11:00:29 -0400
X-Google-Sender-Auth: zvn1-T4wS3EpXouyoVEkItJwuMM
Message-ID: <CAA1s49U8ncuwEmT9QWAvQk0n1kBDFGpvTSbjsd3RvJTduNRB9Q@mail.gmail.com>
From: Bob Wyman <bob@wyman.us>
To: Goix Laurent Walter <laurentwalter.goix@telecomitalia.it>
Content-Type: multipart/alternative; boundary="20cf3074afc249c04f04bc4ede23"
Cc: "apps-discuss@ietf.org" <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] R: Webfinger discussion
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Mar 2012 15:00:43 -0000

On Wed, Mar 28, 2012 at 2:55 AM, Goix Laurent Walter <
laurentwalter.goix@telecomitalia.it> wrote:
> more a protocol for accessing user info rather than discovery
Forgive me if I'm being dense, but could you expand a bit on the difference
between "accessing user info" and "discovery?"

> - regarding OAuth it can be valuable in case webfinger is queried
directly by applications.
Certainly, OAuth would be useful when combined with WebFinger. I would like
to be able to have the equivalent of ACLs that would be used to vary the
WebFinger responses based on who authenticates. For instance, in mapping
from acct: URI to mailto:, I might want one group of people to receive one
mailto: and another group to see a different value or no value.

I think we need to also consider that there are alternatives to existing
practice of providing "values" directly in the WebFinger XRD/JRDs. An
alternative would be to provide  pointers to other services that can
provide the desired answers. (i.e. Adding yet another level of
indirection...) in other words, rather than providing the mailto: address
that corresponds to a particular acct: URI, the XRD/JRD could point to a
service which uses OAuth and that can be queried to provide whichever of
several mailto: addresses that are appropriate -- depending on the results
of authentication.

bob wyman

On Wed, Mar 28, 2012 at 2:55 AM, Goix Laurent Walter <
laurentwalter.goix@telecomitalia.it> wrote:

> Hello james, all,
>
> I could see many sort of threads going in parallel in this discussion
> addressing different types of concerns. I don't want to enter the
> "security" discussion here but rather comment on some specific technical
> points related to the "protocol":
>
> - the "finger" (or lrdd) well-known endpoint could be a shortcut to
> consider to directly invoke the webfinger endpoint without the need for the
> host-meta. This skips one http transaction, although I would imagine in
> most cases that the host-meta xrd 1) can be cached by the invoking client,
> 2) can contain additional useful info (eg OExchange endpoint link).
>
> - I am not sure about the exact value brought by the md5 hash, also
> considering that APIs already exist (e.g. OpenSocial) that use plain
> identifiers as part of the path. I cannot see much difference here wrt
> security that justifies this need for webfinger. In any case support for
> md5 hash would probably need to be declared by the server, eg using
> {md5uri} instead of {uri} in the lrdd template.
>
> - regarding the shortcuts to link rel types this is becoming more a
> protocol for accessing user info rather than discovery. i can see this as a
> direct/standard API/URL to access user information (e.g. avatar,
> profile-page). This misses the "type" (content-type) which may vary within
> a single rel (although this could be addressed by Accept: headers) and is
> significantly different from the original scope of webfinger for discovery
> only (I could imagine you could further extend your proposal to perform
> CRUD operations on the single rels, which tends to become close to
> opensocial apis).
> The information contained in the xrd/jrd can in fact easily be cached
> altogether for subsequent use and not for immediate consumption of all rel
> types. I would assume this is not more complex than parsing the various
> Link: headers in the responses.
> But i can understand there may be some new use case where a user is only
> interested in 1-2 rels for instant consumption, and some solution may be
> investigated for this.
>
> - regarding OAuth it can be valuable in case webfinger is queried directly
> by applications. However in most current usages (ostatus, diaspora, etc)
> the webfinger discovery process is performed by a server of another domain,
> thus limiting the possible usage of oauth in that case.
>
> walter
>
> -----Messaggio originale-----
> Da: apps-discuss-bounces@ietf.org [mailto:apps-discuss-bounces@ietf.org]
> Per conto di James M Snell
> Inviato: martedì 27 marzo 2012 20.19
> A: Paul E. Jones
> Cc: apps-discuss@ietf.org
> Oggetto: Re: [apps-discuss] Webfinger discussion
>
> They are rather technical in nature and speak to the overall operation
> of the protocol. I've written up a detailed version of my feedback
> here [1]
>
> [1] http://chmod777self.blogspot.com/2012/03/thoughts-on-webfinger.html
>
> The summary version is this: I believe we can make this even simpler
> without sacrificing basic operation by saying simply:
>
>  If I want to know about user "bob@example.org", send a GET request to:
>  http://example.org/.well-known/finger/{md5(acct:bob@example.org)} and
>  see what I get back.
>
> The requirement to use XRD/JRD and first look up information about the
> LRDD service in host-meta is quite unnecessary. Also note that the ID
> is hashed in the request URI for privacy/security purposes...
>
> We can expand on that basic idea further to say:
>
>  If I want to know if "bob@example.org" has a "blog" and where it is
> located,
>  I could simply send a request to:
>
> http://example.org/.well-known/finger/f49c533fa0f0bc7ee9cc8c88902302ba/blog
>
>  and the server can respond with a redirect to the proper location:
>
>  HTTP/1.1 302 Found
>  Location: http://blogs.example.org/bob
>
> The "/blog" portion of the request URI specifies a Link rel... if I
> want to discover some other type of service... say, the users profile
> or avatar, I simply link the different rel attribute value there..
> e.g.
>
>
> http://example.org/.well-known/finger/f49c533fa0f0bc7ee9cc8c88902302ba/avatar
>
> http://example.org/.well-known/finger/f49c533fa0f0bc7ee9cc8c88902302ba/profile
>
> If there are multiple links for a particular rel, the server can
> respond with a 300 Multiple Options response.
>
> The point is that requiring XRD/JRD isn't actually necessary, and
> requiring the initial host metadata step isn't required also.
>
> Requiring CORS is also isn't necessary.
>
> Anyway, that's the basic rundown.
>
> - James
>
> On Tue, Mar 27, 2012 at 9:57 AM, Paul E. Jones <paulej@packetizer.com>
> wrote:
> > James,
> >
> > If the other items are editorial, perhaps just direct them to me.  If
> they are items that others might want to weigh in on, then this list is the
> appropriate venue.
> >
> > Paul
> >
> >> -----Original Message-----
> >> From: James M Snell [mailto:jasnell@gmail.com]
> >> Sent: Tuesday, March 27, 2012 12:39 PM
> >> To: Paul E. Jones
> >> Cc: Andrew Sullivan; apps-discuss@ietf.org
> >> Subject: Re: [apps-discuss] Webfinger discussion
> >>
> >> To be fair, there are ways of dealing with the potential for security
> >> leaks of this nature with WebFinger that did not really exist with the
> >> original Finger protocol. OAuth 2, for instance. A WebFinger endpoint
> >> could choose to serve up only the most basic static information to
> >> unauthenticated requesters, but then provide a means for a requester to
> >> authenticate and request permission from the target user or provider to
> >> acquire additional information as part of the response.
> >>
> >> On a side note to Paul: I did have some additional general comments on
> the
> >> WebFinger spec itself, I wanted to ask where such comments would be best
> >> directed for discussion.
> >>
> >> - James
> >>
> >> On Tue, Mar 27, 2012 at 9:15 AM, Paul E. Jones <paulej@packetizer.com>
> >> wrote:
> >> > I agree it would be useful to add text about sharing information that
> >> > might be dynamic in nature (e.g., current user location).
> >> >
> >> > We'll add text along those lines to the next draft.  Any other
> >> > security considerations we should note?
> >> >
> >> > Paul
> >> >
> >> >> -----Original Message-----
> >> >> From: apps-discuss-bounces@ietf.org
> >> >> [mailto:apps-discuss-bounces@ietf.org]
> >> >> On Behalf Of Andrew Sullivan
> >> >> Sent: Tuesday, March 27, 2012 4:47 AM
> >> >> To: apps-discuss@ietf.org
> >> >> Subject: Re: [apps-discuss] Webfinger discussion
> >> >>
> >> >> On Mon, Mar 26, 2012 at 02:31:30PM -0400, Bob Wyman wrote:
> >> >>
> >> >> > un-recommended!). If people did, in fact, use WebFinger to record
> >> >> > such stuff, the concerns you mentioned would be relevant. Thus, it
> >> >> > might make sense for the Security Considerations section to suggest
> >> >> > that one should think carefully before using WebFinger to provide
> >> >> > such dynamic
> >> >> information.
> >> >>
> >> >> Right, that's most of what I was trying to say.  I do have a concern
> >> >> that collecting a bunch of different information about a given person
> >> >> and linking it together in a single, easy to access repository has
> >> >> some potential security side effects (not just privacy ones, but
> >> >> those too, of
> >> >> course) that are not clearly highlighted in the security
> >> considerations.
> >> >> I suppose one could argue that facebook's (or pick your poison) user
> >> >> population shows nobody cares about that, but I think it would still
> >> >> be good to have some observations about those effects.
> >> >>
> >> >> Best,
> >> >>
> >> >> A
> >> >>
> >> >> --
> >> >> Andrew Sullivan
> >> >> ajs@anvilwalrusden.com
> >> >> _______________________________________________
> >> >> apps-discuss mailing list
> >> >> apps-discuss@ietf.org
> >> >> https://www.ietf.org/mailman/listinfo/apps-discuss
> >> >
> >> > _______________________________________________
> >> > apps-discuss mailing list
> >> > apps-discuss@ietf.org
> >> > https://www.ietf.org/mailman/listinfo/apps-discuss
> >
> _______________________________________________
> apps-discuss mailing list
> apps-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/apps-discuss
>
> Questo messaggio e i suoi allegati sono indirizzati esclusivamente alle
> persone indicate. La diffusione, copia o qualsiasi altra azione derivante
> dalla conoscenza di queste informazioni sono rigorosamente vietate. Qualora
> abbiate ricevuto questo documento per errore siete cortesemente pregati di
> darne immediata comunicazione al mittente e di provvedere alla sua
> distruzione, Grazie.
>
> This e-mail and any attachments is confidential and may contain privileged
> information intended for the addressee(s) only. Dissemination, copying,
> printing or use by anybody else is unauthorised. If you are not the
> intended recipient, please delete this message and any attachments and
> advise the sender by return e-mail, Thanks.
>
> _______________________________________________
> apps-discuss mailing list
> apps-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/apps-discuss
>

v2.23.0 | Report a Bug | By Email