Re: [apps-discuss] WebFinger Draft Updated - draft-ietf-appsawg-webfinger-01

Christian Weiske <cweiske@cweiske.de> Sun, 21 October 2012 07:37 UTC

Date: Sun, 21 Oct 2012 09:37:28 +0200
From: Christian Weiske <cweiske@cweiske.de>
To: webfinger@googlegroups.com
Cc: apps-discuss@ietf.org

Hello Paul,


>> * Section 7 makes support for CORS a MUST and then turns
>> around and says if you have a good reason not to support it, you
>> SHOULD NOT. I suggest that support for CORS should just be a SHOULD.
>> I can figure out myself whether I want to be the exception.
> PEJ: You're entirely right about that and that text bugged me, too.
> There was a strong desire for CORS to the point I was asked to make
> it a MUST, yet there was the desire to allow an enterprise to do
> something more restrictive. I have no strong preference, myself, but
> I do think that if we make it a SHOULD, though, that it will make it
> impossible to build a client in a browser.  What does the group want
> here?

Not supporting CORS does not make the data any more secure. If someone
wants security for their intranet, they have to implement real security
measures, e.g. based on IP whitelists.

Please leave CORS support a MUST.

-- 
Regards/Mit freundlichen Grüßen
Christian Weiske

-=≡ Geeking around in the name of science since 1982 ≡=-
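
The distinction drawn in this message, as an added example that is not part of the original e-mail: CORS headers only govern what a browser lets cross-origin page scripts read, so a non-browser client reads the response whether or not the header is sent, while a server-side check such as an IP allowlist refuses the request. The response body, the `Origin` value, the addresses and the helper names are constructed for the demonstration.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample response body; not taken from the draft.
JRD = json.dumps({"subject": "acct:alice@example.test", "links": []}).encode()

def make_handler(send_cors, allowed_ips):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            # Server-side access control: refuse clients outside the allowlist.
            if allowed_ips is not None and self.client_address[0] not in allowed_ips:
                self.send_error(403)
                return
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            if send_cors:
                self.send_header("Access-Control-Allow-Origin", "*")
            self.send_header("Content-Length", str(len(JRD)))
            self.end_headers()
            self.wfile.write(JRD)

        def log_message(self, *args):  # keep the demo quiet
            pass

    return Handler

def probe(send_cors, allowed_ips=None):
    """Non-browser fetch; returns (status, Access-Control-Allow-Origin, body_readable)."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(send_cors, allowed_ips))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/?resource=acct:alice@example.test" % server.server_port
    req = urllib.request.Request(url, headers={"Origin": "https://other.example"})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Access-Control-Allow-Origin"), resp.read() == JRD
    except urllib.error.HTTPError as err:
        return err.code, None, False
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(probe(True), probe(False), probe(False, allowed_ips={"192.0.2.10"}))
```

Only the third call, where the loopback client is outside the constructed allowlist, keeps the body from being read.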