IETF Logo Mail Archive

[apps-discuss] AppsDir Review of draft-ietf-appsawg-webfinger-11

Dave Cridland <dave@cridland.net> Mon, 11 March 2013 15:23 UTC

Return-Path: <dave@cridland.net>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37F8D11E8108 for <apps-discuss@ietfa.amsl.com>; Mon, 11 Mar 2013 08:23:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.976
X-Spam-Level:
X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F5VMBNhU0xjQ for <apps-discuss@ietfa.amsl.com>; Mon, 11 Mar 2013 08:23:21 -0700 (PDT)
Received: from mail-oa0-f41.google.com (mail-oa0-f41.google.com [209.85.219.41]) by ietfa.amsl.com (Postfix) with ESMTP id E059821F8A89 for <apps-discuss@ietf.org>; Mon, 11 Mar 2013 08:23:20 -0700 (PDT)
Received: by mail-oa0-f41.google.com with SMTP id i10so4678273oag.0 for <apps-discuss@ietf.org>; Mon, 11 Mar 2013 08:23:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cridland.net; s=google; h=mime-version:x-received:date:message-id:subject:from:to :content-type; bh=V89eZ/V8MC2kquAhi/AUvifxKgJyL6Z5aSehH07F26s=; b=MiKIxTecbIVxymYFv9Ozww+pWK9I0dGLQGEvlH2R0bG3fkpGWnhaISeLYsBVuZJrUf auC6ajvir+QBzIwR/crIBaT7eyqWBliOM6lv/7mQMeX5Wv5ugo6RKVcTpK6zXuVcRwrC fDDhfB3W5jAb9togDxA1pjLVu9KkyH2gCcIfo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:date:message-id:subject:from:to :content-type:x-gm-message-state; bh=V89eZ/V8MC2kquAhi/AUvifxKgJyL6Z5aSehH07F26s=; b=Bs7eJxB492rnNyDVozPRk4s0mE9kI2G4CYhiUILi42QvC0dtFpUeUeElpl+bM22kFw m/7I1/W5XXw9Ei1sr9FIRjZcJDEuciEb7g2HsIWNDBlsD8KxMjGGdg4EkTKCF7ELrog+ /Cq3whMZFKE22NNNaKQZ47IDoehMjoNbbLWO/aFp5JN98jbvhBuywPR6LXu7jwYR67E6 NxW4qMs9gMbPJ8BXuhrvQVRaA/wgxyqzoSmfr6c8nMXV8TMh0LLLd9GlxHw5wj9mLFfH 938Pt+WBwpryv306ZcgQQP7rDBFlH22/8mlDAMdcs002zQgHTTGM/hgww3pCGthzI+ag YrVg==
MIME-Version: 1.0
X-Received: by 10.182.156.103 with SMTP id wd7mr8912046obb.33.1363015400451; Mon, 11 Mar 2013 08:23:20 -0700 (PDT)
Received: by 10.60.19.40 with HTTP; Mon, 11 Mar 2013 08:23:20 -0700 (PDT)
Date: Mon, 11 Mar 2013 15:23:20 +0000
Message-ID: <CAKHUCzxc8_Ye6M__t9y-+fYAKRVWi8q5hcMGopzE3nKhMywiyQ@mail.gmail.com>
From: Dave Cridland <dave@cridland.net>
To: "apps-discuss@ietf.org" <apps-discuss@ietf.org>, draft-ietf-appsawg-webfinger.all@tools.ietf.org, iesg@ietf.org
Content-Type: multipart/alternative; boundary="f46d0444e835c4a47f04d7a7c054"
X-Gm-Message-State: ALoCoQnqgbQzWBRb4uOSgUqAuuRJp6N0EXpz455+k6VhyUrouh84nbC7cpaLsIzomnwY1H00Yz/V
Subject: [apps-discuss] AppsDir Review of draft-ietf-appsawg-webfinger-11
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Mar 2013 15:23:22 -0000

I have been selected as the Applications Area Directorate reviewer for this
draft (for background on appsdir, please see 
http://trac.tools.ietf.org/area/app/trac/wiki/ApplicationsAreaDirectorate ).

Please resolve these comments along with any other Last Call comments you
may receive. Please wait for direction from your document shepherd or AD
before posting a new version of the draft.
Document: draft-ietf-appsawg-webfinger-11
Title: Webfinger
Reviewer: Dave Cridland
Review Date: 2013/03/11
IESG Telechat Date: 2013/03/28
Summary: Close to ready for publication as standards track; some comments
which suggest a new version may be required and/or technical discussion
needed.

Minor Comments:

1) There's some suggestions that webfinger could be used for email
autoconfig; I suspect this is at best going to cause confusion especially
when there's a BOF tomorrow on the subject. This feels like text that
doesn't need to be present.

Also, it's a cursed subject anyway; see ACAP. :-)

Major Comments:

1) I note that §4.4.4.1 describes a 'rel' such that it redefines and
repeats RFC 5988's §4; I think this should be deferred explicitly to RFC
5988 in entirety, rather than specifically only for registered link
relation types.

The good news is that this should simplify the text rather a lot:

"""
The value of the "rel" member is a string containing a link relation type
(see RFC 5988 [4]). Both registered and extended relation types are
permitted.
"""

2) The use of webfinger with arbitrary URIs is something I had not
previously realised. This raises some concerns for me, as it's not clear
whether this is either genuinely desirable or whether it introduces
considerations (security and otherwise) beyond those discussed within the
document.

I would in general rather the mechanism were restricted to acct, http,
https, and perhaps mailto.

3) There is no use of SRV here; I would prefer an SRV resolution step for
at least acct and mailto scheme URIs, and possibly http/https as well. My
concern is that a corporate webserver is typically unlikely to be capable
of providing webfinger services (being often externally hosted), and while
this could be solved by handling redirects, or by reverse proxying, SRV
feels like a more stable solution here.

I'd be curious as to whether this has been discussed.

4) It would make §8 more readable if it were split into subsections. I
think the first three paragraphs form a discussion about the transport
security, the middle paragraphs discuss privacy, and the final paragraph
discusses information reliability.

I suspect there is one more case to be concerned about, which is that it
may be possible for an attacker to use webfinger resources to test the
existence of a hypothetical user; that is, one might use webfinger as a
harvesting mechanism.

Dave.

v2.23.0 | Report a Bug | By Email