Re: [apps-discuss] Webfinger discussion

James M Snell <jasnell@gmail.com> Tue, 27 March 2012 16:39 UTC


To be fair, there are ways of dealing with the potential for security
leaks of this nature with WebFinger that did not really exist with the
original Finger protocol. OAuth 2, for instance. A WebFinger endpoint
could choose to serve up only the most basic static information to
unauthenticated requesters, but then provide a means for a requester
to authenticate and request permission from the target user or
provider to acquire additional information as part of the response.

On a side note to Paul: I did have some additional general comments on
the WebFinger spec itself; I wanted to ask where such comments would
be best directed for discussion.

- James

On Tue, Mar 27, 2012 at 9:15 AM, Paul E. Jones <paulej@packetizer.com> wrote:
> I agree it would be useful to add text about sharing information that might
> be dynamic in nature (e.g., current user location).
>
> We'll add text along those lines to the next draft.  Any other security
> considerations we should note?
>
> Paul
>
>> -----Original Message-----
>> From: apps-discuss-bounces@ietf.org [mailto:apps-discuss-bounces@ietf.org]
>> On Behalf Of Andrew Sullivan
>> Sent: Tuesday, March 27, 2012 4:47 AM
>> To: apps-discuss@ietf.org
>> Subject: Re: [apps-discuss] Webfinger discussion
>>
>> On Mon, Mar 26, 2012 at 02:31:30PM -0400, Bob Wyman wrote:
>>
>> > un-recommended!). If people did, in fact, use WebFinger to record such
>> > stuff, the concerns you mentioned would be relevant. Thus, it might
>> > make sense for the Security Considerations section to suggest that one
>> > should think carefully before using WebFinger to provide such dynamic
>> > information.
>>
>> Right, that's most of what I was trying to say.  I do have a concern that
>> collecting a bunch of different information about a given person and
>> linking it together in a single, easy to access repository has some
>> potential security side effects (not just privacy ones, but those too, of
>> course) that are not clearly highlighted in the security considerations.
>> I suppose one could argue that facebook's (or pick your poison) user
>> population shows nobody cares about that, but I think it would still be
>> good to have some observations about those effects.
>>
>> Best,
>>
>> A
>>
>> --
>> Andrew Sullivan
>> ajs@anvilwalrusden.com
>> _______________________________________________
>> apps-discuss mailing list
>> apps-discuss@ietf.org
>> https://www.ietf.org/mailman/listinfo/apps-discuss
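The tiered disclosure described in the reply at the top of this message (basic static links for unauthenticated requesters, more after OAuth 2 authorization) can be sketched as follows. This is an added example, not code from the thread or from the WebFinger draft; the account data, token table, scope names (`wf.contact`, `wf.location`) and the `example.org` rel URIs are constructed assumptions, and the token table stands in for real OAuth 2 token validation.

```python
# Added example: scope-gated WebFinger (JRD) responses. All data is constructed.
PUBLIC = None  # marker: link needs no authorization

# Constructed account record; each link carries the (hypothetical) OAuth 2
# scope a requester must hold before the link is disclosed.
ACCOUNTS = {
    "acct:alice@example.org": [
        ("http://webfinger.net/rel/profile-page", "https://example.org/~alice", PUBLIC),
        ("http://webfinger.net/rel/avatar", "https://example.org/~alice/a.png", PUBLIC),
        ("https://example.org/rel/calendar", "https://example.org/cal/alice", "wf.contact"),
        # Dynamic information (current location) gets its own, narrower scope.
        ("https://example.org/rel/current-location", "https://example.org/loc/alice", "wf.location"),
    ],
}

# Constructed stand-in for token validation: token -> (granting user, scopes).
TOKENS = {
    "tok-friend": ("acct:alice@example.org", {"wf.contact"}),
    "tok-family": ("acct:alice@example.org", {"wf.contact", "wf.location"}),
    "tok-other": ("acct:bob@example.org", {"wf.contact", "wf.location"}),
}

def granted_scopes(resource, authorization):
    """Return the scopes the bearer token grants for this resource; empty on any doubt."""
    if not authorization or not authorization.startswith("Bearer "):
        return set()
    grantor, scopes = TOKENS.get(authorization[len("Bearer "):], (None, set()))
    # A token issued by another user grants nothing about this resource.
    return set(scopes) if grantor == resource else set()

def webfinger(resource, authorization=None):
    """Build the JRD for `resource`, disclosing only links the requester may see."""
    links = ACCOUNTS.get(resource)
    if links is None:
        return None  # caller maps this to a 404
    scopes = granted_scopes(resource, authorization)
    return {
        "subject": resource,
        "links": [{"rel": rel, "href": href}
                  for rel, href, need in links
                  if need is PUBLIC or need in scopes],
    }

def rels(jrd):
    """Convenience: list the link relations present in a JRD."""
    return [link["rel"] for link in jrd["links"]]
```

An invalid, missing or mismatched token falls back to the public view rather than producing an error, so the response does not reveal whether protected links exist.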