Re: [apps-discuss] The acct: scheme question

"Paul E. Jones" <> Tue, 22 May 2012 18:01 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B0DB321F861E for <>; Tue, 22 May 2012 11:01:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id baRhnYPgHuiB for <>; Tue, 22 May 2012 11:01:58 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 91F5421F8494 for <>; Tue, 22 May 2012 11:01:58 -0700 (PDT)
Received: from sydney ( []) (authenticated bits=0) by (8.14.5/8.14.5) with ESMTP id q4MI1Xs6029311 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Tue, 22 May 2012 14:01:34 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=dublin; t=1337709694; bh=QBs68GZWXyIWfyLxAGqv6Xu7jRauGwTXYNPv5mMdyS4=; h=From:To:Cc:References:In-Reply-To:Subject:Date:Message-ID: MIME-Version:Content-Type:Content-Transfer-Encoding; b=GDmVjEs/0QcHVZ2FGLYarga/oKaYqSfvVksUVqMXFeojL94A5DMyUMMY1xHLGGB7J cRpIoEJ91fRZGtsqvBwo2lFnijfYyytKhRNii52MSCsoxBPpeKbGtuy07kJfzTmG22 3oW29Pef7NjfKEOf1LIuKWl7QXX3dPaco0TnzN9g=
From: "Paul E. Jones" <>
To: 'Graham Klyne' <>
References: <> <028401cd3822$cba40520$62ec0f60$> <>
In-Reply-To: <>
Date: Tue, 22 May 2012 14:01:37 -0400
Message-ID: <02ea01cd3844$eef7c800$cce75800$>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQHACExhZgXedi2je/bJAOmWfz8jRwEhQWyqAeOxTsqW2EDG8A==
Content-Language: en-us
Subject: Re: [apps-discuss] The acct: scheme question
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 22 May 2012 18:01:59 -0000


> It's a clever idea to use the URI scheme to get information about
> different kinds of account.  But I find myself deeply uneasy about it,
> though not yet entirely sure why...
> Maybe it's because it seems to violate the Web architectural principle of
> Opacity:

As the above referenced text says, the "acct" URI "is designed so that
agents communicate resource information state through representations, not
identifiers".  Having an acct URI in hand does not tell you the kind of
document you will get (e.g., XML or JSON).  It merely specifies the location
of the account information, much as "mailto:" specifies the location of an
email server (discovered through MX records) or "sip:" indicates the
location of one's SIP server (discovered through SRV records).

Like the other URI scheme, "" tells the client
that there is account information located at  The client
then follows the already-defined procedures of using HTTP(S) to query the
server "" at the location /.well-known/host-meta.  The URI is
then passed as a parameter or inserted into templates found in the XRD or
JRD document.

> OTOH, it seems quite reasonable to me that (say) one might use
> to reference information about different kinds of account.  They're just
> different URIs referencing different stuff.  So why not the same for
> different scheme names?

RFC 6415 is designed such that any kind of URI might be passed.  Those above
URIs would be just as valid as any other.  So, I could issue a query like

  GET /.well-known/host-meta?resource=

This tells the WebFinger server to return information about that URL.  What
is that URL?  Is this a web page or a special identifier to refer to a
user's XMPP server?  If it were constructed like this:

It might be clearer as to its meaning, but then that gets confused with
"".  WebFinger allows that URI to be used today.
Any valid URI may be passed to the domain's WebFinger server and an XRD or
JRD representation returned.

Basically, we are at a point where almost everything related to discovery is
already defined.  The question is simply "if I want to discover information
about Paul Jones and I know his ID is '" then how do I
package it in such a way as to successfully query to get that information?"

Proposals have been no scheme at all (which stands at odds with RFC 6415),
using "mailto:", using any URI scheme (sip:, h323:, mailto:, xmpp:, etc).
They could all work, but we should have one identifier that refers to the
users account and not to his other services, IMO.
> Unlike a path component in an HTTP URI, a scheme name comes with some
> quite deep wired-in semantics: administrative, technical or both.  What
> assurances do we have that the webfinger use of the scheme name will not
> end up conflicting with the scheme's own semantics?

I don't understand your question.  Can you clarify?  (If I do understand the
question, I think the usage would be safe since there is a well-defined
usage for "acct" with a limited scope.)

> If the URI is a
> simply a name for routing a request for information, and nothing more,
> which is what seems to be the case when looking at
>, then the case for having a
> special URI scheme acct: appears to be rather weak - it seems to me that a
> URN namespace, or any other form of URI created to refer to a users
> personal information would serve just as well.

Since WebFinger returns information about any URI, that would work.   We
could have this:

My concern with this is that WebFinger operates on URIs, not re-purposed
HTTP identifiers.  The "acct" URI scheme defines a specific kind of URI,
just like "sip:", "mailto:", "xmpp:", and others.   Querying the above might
seem to make sense, but one is then treading on namespace on web servers
that might actually be used for something.  Suppose a web site used "/acct/"
as the URI to log into one's account.  Then using Webfinger to query that
URL would be valid and should return information about the web page.  What
we need is a URI that returns information about an account.

I looked into using URNs.  We could use something like this:

However, URNs are location-independent (like OIDs or ISBN numbers).  Thus,
the above is technically incorrect, as it has location information
associated with it (namely
> If, on the other hand, webfinger makes additional operational,
> administrative or technical associations with an acct: URI, the whole idea
> of using an arbitrary scheme name for accessing different information
> seems to be dangerous, as the scheme has been loaded with additional
> semantics that might conceivably conflict with semantics of existing
> schemes.

It should not.  The "acct" URI should exist for the solitary purpose of
querying information about a user's account via WebFinger.