Re: [apps-discuss] webfinger privacy question/suggestion

[Evan Prodromou <evan@status.net>]

I'd suggest a mechanism like the following:

 1. Always provide some discovery data at the endpoint, even if it's empty.
 2. If some form of authentication is given, show additional items in
    full for the authenticated user.

Dialback authentication would probably work [1], but otherwise we don't 
have a lot of reasonable remote authentication systems.

Local authentication (HTTP Basic, Digest, OAuth, whatever) is also 
reasonable although I think this kind intra-domain discovery more often 
happens with e.g. directory services.

-Evan

[1] http://www.ietf.org/id/draft-prodromou-dialback-00.txt

On 12-10-30 01:54 PM, James M Snell wrote:
>
> Agreed, doing too much in this particular draft would be a mistake. 
> What I want, however, is an incremental strip in the right direction. 
> Right now, hashing the identifier is not an option. It should be. 
> Doing so would allow more complex solutions to be built... solutions 
> that take privacy, confidentiality, authorization and authentication 
> into full account and allow us to span from "only sharing public data" 
> to "sharing any data".
>
> - James
>
> On Oct 30, 2012 10:33 AM, "Evan Prodromou" <evan@status.net 
> <mailto:evan@status.net>> wrote:
>
>     There may be some use to having private sharing of discovery data.
>
>     However, it's such a complicated and difficult problem, that
>     trying to solve it with this version of Webfinger will effectively
>     disallow public discovery.
>
>     That is: it's a terrible morass, which will sink this effort.
>
>     I suggest making a note in the security considerations that
>     Webfinger links are visible to all, so don't put private stuff in
>     there, full stop.
>
>     -Evan
>
>     On 12-10-30 01:18 PM, SM wrote:
>
>         At 03:16 30-10-2012, Hannes Tschofenig wrote:
>
>             Have a look at:
>             http://tools.ietf.org/html/draft-iab-privacy-considerations-04
>
>
>         Hmm, that draft was mentioned several months ago [1].
>
>             I have raised these privacy issues already last year. My
>             comments got ignored.
>
>
>         The following question was asked around 11 months ago [2]:
>
>           "What are you planning to do to ensure the draft properly
>         addresses
>            security, privacy, and netiquette issues?"
>
>         The current plan seems to be: do nothing.
>
>         Regards,
>         -sm
>
>         1.
>         http://www.ietf.org/mail-archive/web/apps-discuss/current/msg04747.html
>         2.
>         http://www.ietf.org/mail-archive/web/apps-discuss/current/msg03804.html
>         _______________________________________________
>         apps-discuss mailing list
>         apps-discuss@ietf.org <mailto:apps-discuss@ietf.org>
>         https://www.ietf.org/mailman/listinfo/apps-discuss
>
>
>
>     -- 
>     Evan Prodromou, CEO and Founder, StatusNet Inc.
>     1124 rue Marie-Anne Est #32, Montreal, Quebec, Canada H2J 2B7
>     E: evan@status.net <mailto:evan@status.net> P: +1-514-554-3826
>
>     _______________________________________________
>     apps-discuss mailing list
>     apps-discuss@ietf.org <mailto:apps-discuss@ietf.org>
>     https://www.ietf.org/mailman/listinfo/apps-discuss
>


-- 
Evan Prodromou, CEO and Founder, StatusNet Inc.
1124 rue Marie-Anne Est #32, Montreal, Quebec, Canada H2J 2B7
E: evan@status.net P: +1-514-554-3826