[apps-discuss] delegation of acct URIs (was: Re: [webfinger] Working Group Last Call for draft-ietf-appsawg-webfinger-09)
Peter Saint-Andre <stpeter@stpeter.im> Tue, 05 February 2013 03:27 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5038021F8A48 for <apps-discuss@ietfa.amsl.com>; Mon, 4 Feb 2013 19:27:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.571
X-Spam-Level:
X-Spam-Status: No, score=-102.571 tagged_above=-999 required=5 tests=[AWL=-0.016, BAYES_00=-2.599, DATE_IN_PAST_03_06=0.044, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IqobteVRIxkN for <apps-discuss@ietfa.amsl.com>; Mon, 4 Feb 2013 19:27:01 -0800 (PST)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 493F121F88F7 for <apps-discuss@ietf.org>; Mon, 4 Feb 2013 19:27:00 -0800 (PST)
Received: from [192.168.1.5] (unknown [71.237.13.154]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id E9D8440A5E; Mon, 4 Feb 2013 20:33:36 -0700 (MST)
Message-ID: <51103CA0.1080609@stpeter.im>
Date: Mon, 04 Feb 2013 15:56:32 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: James M Snell <jasnell@gmail.com>
References: <5106BFDC.2030706@ericsson.com> <5106C090.8080403@ericsson.com> <CABP7RbfetMuyBObfKES7VToE_=-oEVmmuN7_rJKEOuHOJcNyNw@mail.gmail.com>
In-Reply-To: <CABP7RbfetMuyBObfKES7VToE_=-oEVmmuN7_rJKEOuHOJcNyNw@mail.gmail.com>
X-Enigmail-Version: 1.5
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: "apps-discuss@ietf.org" <apps-discuss@ietf.org>
Subject: [apps-discuss] delegation of acct URIs (was: Re: [webfinger] Working Group Last Call for draft-ietf-appsawg-webfinger-09)
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Feb 2013 03:27:02 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [ changing both message subject and discssion venue ] On 1/29/13 11:03 AM, James M Snell wrote: > I'm really just now starting to turn my attention to the acct uri > aspect of the WebFinger discussion.. generally speaking I'm +1 on > the current draft. When going through various implementation > scenarios, however, one thought did strike me, although it may be a > bit too late in the game to put this on the table at all. I > apologize for making this late suggestion... > > In some scenarios, such as hosted cloud application environments, > a service provider may wish to host the information about a given > user within a different domain. For instance, suppose Company > Foo.com utilizes services from ISV Bar.com. The user accounts, > however, are drawn from Foo.com, but Bar.com is the provider that > actually hosts the profiles and account information. What I want is > something that identifies the user account AND the service > provider. > > Example: > > acct:john.doe@foo.com?provider=bar.com > <http://acct:john.doe@foo.com?provider=bar.com> > > In a WebFinger type of scenario, resolving this would involve > something like... > > GET /.well-known/webfinger?resource=john.doe@foo.com > <mailto:john.doe@foo.com> Host: bar.com <http://bar.com> > > Encoding the third party provider into the URL in this way provides > a fairly flexible way of enabling the third party support without > complicated redirects from foo.com <http://foo.com> to bar.com > <http://bar.com>. It also gives domains a way of enabling bits of > information to be shared from multiple sources... > acct:john.doe@foo.com?provider=isv1.com > <http://acct:john.doe@foo.com?provider=isv1.com> vs. > acct:john.doe@foo.com?provider=isv2.com > <http://acct:john.doe@foo.com?provider=isv2.com> > > To enable this kind of thing, it would be helpful if the basic acct > URI syntax allowed for optional parameters like the mailto URI > scheme does (RFC2368). The specific parameters themselves can be > figured out later... <snark> Um, isn't that what SRV records are for? Oh, yeah, I forgot, there's no SRV for HTTP. ;-) </snark> There are all sorts of security issues with this kind of delegation. In XMPP we have delegation via SRV and it's only recently (with the promise of wider availability for DNSSEC) that we've started to describe best practices for secure delegation. With regard to WebFinger and 'acct' URIs, first of all we're discouraging people from doing things like this: <a href='acct:john.doe@foo.com'>more about John</a> However, people keep assuming they can do that kind of thing, so I really do need to add some strong language to the spec discouraging it, eh? Second, unless such a link (with your suggested "?provider=bar.com" query) is served over HTTPS, the delegation can't be secure. Third, you'd need to ensure that the domainpart of the 'acct' URI matched the domain to which you sent the HTTP request that resulted in the return of an HTML page (say) containing said hyperlink. Fourth, even a match there might not indicate that the author of the HTML page (say) is authorized to say that requests for information about john.doe@foo.com can legitimately be served by bar.com. IMHO this kind of delegation needs to happen at the DNS layer with DNSSEC to be anything close to secure. However, you *might* be able to do something slightly more secure than query parameters on the 'acct' URI using an approach similar to the "PKIX Over Secure HTTP" proposal that Matt Miller and I have been working on for XMPP: http://tools.ietf.org/id/draft-miller-xmpp-posh-prooftype-01.txt In any case, I think this is way beyond the scope of the 'acct' URI scheme and needs to be pursued in other ways. Peter - -- Peter Saint-Andre https://stpeter.im/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.18 (Darwin) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlEQPKAACgkQNL8k5A2w/vxwsgCdEkiU7jiI+2guubPeh6nPOOrC ziIAn0dcRD0dCgspsfEELREbqUUGoi8q =udaO -----END PGP SIGNATURE-----
- [apps-discuss] Working Group Last Call for draft-… Salvatore Loreto
- Re: [apps-discuss] [webfinger] Working Group Last… Paul E. Jones
- Re: [apps-discuss] [webfinger] Working Group Last… Salvatore Loreto
- Re: [apps-discuss] [webfinger] Working Group Last… Mike Jones
- Re: [apps-discuss] [webfinger] Working Group Last… James M Snell
- Re: [apps-discuss] Working Group Last Call for dr… Salvatore Loreto
- Re: [apps-discuss] [webfinger] Working Group Last… Peter Saint-Andre
- [apps-discuss] delegation of acct URIs (was: Re: … Peter Saint-Andre
- Re: [apps-discuss] delegation of acct URIs (was: … James M Snell
- Re: [apps-discuss] delegation of acct URIs Peter Saint-Andre