Re: [apps-discuss] Webfinger discussion

"Paul E. Jones" <paulej@packetizer.com> Tue, 27 March 2012 16:57 UTC

From: "Paul E. Jones" <paulej@packetizer.com>
To: 'James M Snell' <jasnell@gmail.com>
References: <053201cd0b5d$c08c80f0$41a582d0$@packetizer.com> <20120326150556.GC3557@mail.yitter.info> <CAA1s49V0M7N1pLua+ORxGWmsrd_yAA_KQ0Piqjg8VuWJ5=G+Lg@mail.gmail.com> <20120327084709.GB11491@mail.yitter.info> <00ac01cd0c34$cfc96f10$6f5c4d30$@packetizer.com> <CABP7RbdtMYtqgV=NepJMNintjF9hb4h6wv2ttc5bDVqE=yAvPA@mail.gmail.com>
In-Reply-To: <CABP7RbdtMYtqgV=NepJMNintjF9hb4h6wv2ttc5bDVqE=yAvPA@mail.gmail.com>
Date: Tue, 27 Mar 2012 12:57:31 -0400
Message-ID: <00d201cd0c3a$b3672410$1a356c30$@packetizer.com>
Cc: apps-discuss@ietf.org
Subject: Re: [apps-discuss] Webfinger discussion

James,

If the other items are editorial, perhaps just direct them to me.  If they are items that others might want to weigh in on, then this list is the appropriate venue.

Paul

> -----Original Message-----
> From: James M Snell [mailto:jasnell@gmail.com]
> Sent: Tuesday, March 27, 2012 12:39 PM
> To: Paul E. Jones
> Cc: Andrew Sullivan; apps-discuss@ietf.org
> Subject: Re: [apps-discuss] Webfinger discussion
> 
> To be fair, there are ways of dealing with the potential for security
> leaks of this nature with WebFinger that did not really exist with the
> original Finger protocol. OAuth 2, for instance. A WebFinger endpoint
> could choose to serve up only the most basic static information to
> unauthenticated requesters, but then provide a means for a requester to
> authenticate and request permission from the target user or provider to
> acquire additional information as part of the response.
> 
> On a side note to Paul: I did have some additional general comments on the
> WebFinger spec itself, I wanted to ask where such comments would be best
> directed for discussion.
> 
> - James
> 
> On Tue, Mar 27, 2012 at 9:15 AM, Paul E. Jones <paulej@packetizer.com>
> wrote:
> > I agree it would be useful to add text about sharing information that
> > might be dynamic in nature (e.g., current user location).
> >
> > We'll add text along those lines to the next draft.  Any other
> > security considerations we should note?
> >
> > Paul
> >
> >> -----Original Message-----
> >> From: apps-discuss-bounces@ietf.org
> >> [mailto:apps-discuss-bounces@ietf.org]
> >> On Behalf Of Andrew Sullivan
> >> Sent: Tuesday, March 27, 2012 4:47 AM
> >> To: apps-discuss@ietf.org
> >> Subject: Re: [apps-discuss] Webfinger discussion
> >>
> >> On Mon, Mar 26, 2012 at 02:31:30PM -0400, Bob Wyman wrote:
> >>
> >> > un-recommended!). If people did, in fact, use WebFinger to record
> >> > such stuff, the concerns you mentioned would be relevant. Thus, it
> >> > might make sense for the Security Considerations section to suggest
> >> > that one should think carefully before using WebFinger to provide
> >> > such dynamic
> >> > information.
> >>
> >> Right, that's most of what I was trying to say.  I do have a concern
> >> that collecting a bunch of different information about a given person
> >> and linking it together in a single, easy to access repository has
> >> some potential security side effects (not just privacy ones, but
> >> those too, of
> >> course) that are not clearly highlighted in the security
> >> considerations.
> >> I suppose one could argue that facebook's (or pick your poison) user
> >> population shows nobody cares about that, but I think it would still
> >> be good to have some observations about those effects.
> >>
> >> Best,
> >>
> >> A
> >>
> >> --
> >> Andrew Sullivan
> >> ajs@anvilwalrusden.com
> >> _______________________________________________
> >> apps-discuss mailing list
> >> apps-discuss@ietf.org
> >> https://www.ietf.org/mailman/listinfo/apps-discuss
> >
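As an added illustration of the tiered-disclosure approach James describes (basic static data for anonymous callers, dynamic data such as current location only after the requester has authenticated and been granted access), the following is example code, not part of this thread or of the WebFinger draft. The JRD record, property and rel URIs, scope names and bearer-token store are constructed placeholders.

```python
import hmac

# Constructed sample JRD for one account (placeholder data, not from the draft).
FULL_JRD = {
    "subject": "acct:alice@example.com",
    "properties": {
        "http://example.com/ns/display-name": "Alice",            # static
        "http://example.com/ns/current-location": "Raleigh, NC",  # dynamic
    },
    "links": [
        {"rel": "http://webfinger.net/rel/profile-page", "href": "https://example.com/alice"},
        {"rel": "http://example.com/rel/calendar", "href": "https://example.com/alice/cal"},
    ],
}

# Scope a caller must hold to see each property or link rel.
# Anything not listed here is public and goes to unauthenticated requesters.
REQUIRED_SCOPE = {
    "http://example.com/ns/current-location": "webfinger:location",
    "http://example.com/rel/calendar": "webfinger:calendar",
}

# Hypothetical token store: opaque bearer token -> scopes the user granted it.
TOKENS = {"tok-friend-123": {"webfinger:location"}}


def scopes_for(authorization):
    """Map an Authorization header value to granted scopes; anonymous gets none."""
    if not authorization or not authorization.startswith("Bearer "):
        return set()
    presented = authorization[len("Bearer "):].strip().encode()
    for token, scopes in TOKENS.items():
        # Constant-time comparison so token lookup does not leak via timing.
        if hmac.compare_digest(token.encode(), presented):
            return set(scopes)
    return set()  # unknown or malformed token is treated as anonymous


def build_jrd(authorization=None):
    """Return the JRD filtered to the elements this caller is authorized to see."""
    scopes = scopes_for(authorization)

    def visible(key):
        needed = REQUIRED_SCOPE.get(key)
        return needed is None or needed in scopes

    return {
        "subject": FULL_JRD["subject"],
        "properties": {k: v for k, v in FULL_JRD["properties"].items() if visible(k)},
        "links": [link for link in FULL_JRD["links"] if visible(link["rel"])],
    }
```

The same filter would sit behind the endpoint's request handler; the anonymous response never carries the location property, and a token holding only the location scope still does not unlock the calendar link.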