IETF Logo Mail Archive

Re: [apps-discuss] delegation of acct URIs (was: Re: [webfinger] Working Group Last Call for draft-ietf-appsawg-webfinger-09)

James M Snell <jasnell@gmail.com> Tue, 05 February 2013 03:39 UTC

Return-Path: <jasnell@gmail.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3CA921F87B2 for <apps-discuss@ietfa.amsl.com>; Mon, 4 Feb 2013 19:39:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.361
X-Spam-Level:
X-Spam-Status: No, score=-2.361 tagged_above=-999 required=5 tests=[AWL=0.238, BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jRkvg5I1wAw5 for <apps-discuss@ietfa.amsl.com>; Mon, 4 Feb 2013 19:39:39 -0800 (PST)
Received: from mail-ie0-x232.google.com (ie-in-x0232.1e100.net [IPv6:2607:f8b0:4001:c03::232]) by ietfa.amsl.com (Postfix) with ESMTP id A260821F8682 for <apps-discuss@ietf.org>; Mon, 4 Feb 2013 19:39:39 -0800 (PST)
Received: by mail-ie0-f178.google.com with SMTP id c13so6857121ieb.9 for <apps-discuss@ietf.org>; Mon, 04 Feb 2013 19:39:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=x-received:mime-version:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=i3maFM7WbYtOZlBGNscbk1Uqi1yhjZ02Vqlp/1Snluw=; b=SDEVaTmTG5U1GknXxX/N8rELXG/mMtURPt3fNi+RN7ktXzvXB/EmBmJhqy1k1sqW1R Sm2DBj/iEHBBM354nilXgp06o+NlEjo35kVbfOUeLdG1HKB3EfF1AAlUo2yIWc+zmCv5 ohHpdA3yTmXX6Mgm+SGhlaBboN6B871ByxW2PJQ5X/VO+tbgIOyOiLK15RKAYkjr3tp7 knlEvVv1qrqNUfy00ava6NgvF1H9kzJQw3u1PWtVUELX+AhGmvQfRqaZvUdjvZos+LHg Qi2Uhg8bzv5dUoOclU9f6G2t35jEzHBZUDQO5T914zH17ALYq6XDvdD65yC/xiGyvpLn KDmw==
X-Received: by 10.50.76.168 with SMTP id l8mr10485192igw.97.1360035579056; Mon, 04 Feb 2013 19:39:39 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.53.237 with HTTP; Mon, 4 Feb 2013 19:39:18 -0800 (PST)
In-Reply-To: <51103CA0.1080609@stpeter.im>
References: <5106BFDC.2030706@ericsson.com> <5106C090.8080403@ericsson.com> <CABP7RbfetMuyBObfKES7VToE_=-oEVmmuN7_rJKEOuHOJcNyNw@mail.gmail.com> <51103CA0.1080609@stpeter.im>
From: James M Snell <jasnell@gmail.com>
Date: Mon, 04 Feb 2013 19:39:18 -0800
Message-ID: <CABP7RbewONyX-0RB9SOCC5ONc6F3aYY9qrAjALsB3qkbW5m6kA@mail.gmail.com>
To: Peter Saint-Andre <stpeter@stpeter.im>
Content-Type: multipart/alternative; boundary="e89a8f3bae0f9253c304d4f1f568"
Cc: "apps-discuss@ietf.org" <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] delegation of acct URIs (was: Re: [webfinger] Working Group Last Call for draft-ietf-appsawg-webfinger-09)
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Feb 2013 03:39:41 -0000

Certainly not going to argue any of those points... the only thing I will
say is that, for now, all I'm advocating is that the acct URI ought to
allow for optional query parameters... without defining exactly what those
parameters are or what the relevant concerns are about their specific use.

- James


On Mon, Feb 4, 2013 at 2:56 PM, Peter Saint-Andre <stpeter@stpeter.im>wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> [ changing both message subject and discssion venue ]
>
> On 1/29/13 11:03 AM, James M Snell wrote:
> > I'm really just now starting to turn my attention to the acct uri
> > aspect of the WebFinger discussion.. generally speaking I'm +1 on
> > the current draft. When going through various implementation
> > scenarios, however, one thought did strike me, although it may be a
> > bit too late in the game to put this on the table at all. I
> > apologize for making this late suggestion...
> >
> > In some scenarios, such as hosted cloud application environments,
> > a service provider may wish to host the information about a given
> > user within a different domain. For instance, suppose Company
> > Foo.com utilizes services from ISV Bar.com. The user accounts,
> > however, are drawn from Foo.com, but Bar.com is the provider that
> > actually hosts the profiles and account information. What I want is
> > something that identifies the user account AND the service
> > provider.
> >
> > Example:
> >
> > acct:john.doe@foo.com?provider=bar.com
> > <http://acct:john.doe@foo.com?provider=bar.com>
> >
> > In a WebFinger type of scenario, resolving this would involve
> > something like...
> >
> > GET /.well-known/webfinger?resource=john.doe@foo.com
> > <mailto:john.doe@foo.com> Host: bar.com <http://bar.com>
> >
> > Encoding the third party provider into the URL in this way provides
> > a fairly flexible way of enabling the third party support without
> > complicated redirects from foo.com <http://foo.com> to bar.com
> > <http://bar.com>. It also gives domains a way of enabling bits of
> > information to be shared from multiple sources...
> > acct:john.doe@foo.com?provider=isv1.com
> > <http://acct:john.doe@foo.com?provider=isv1.com> vs.
> > acct:john.doe@foo.com?provider=isv2.com
> > <http://acct:john.doe@foo.com?provider=isv2.com>
> >
> > To enable this kind of thing, it would be helpful if the basic acct
> > URI syntax allowed for optional parameters like the mailto URI
> > scheme does (RFC2368). The specific parameters themselves can be
> > figured out later...
>
> <snark>
> Um, isn't that what SRV records are for? Oh, yeah, I forgot, there's
> no SRV for HTTP. ;-)
> </snark>
>
> There are all sorts of security issues with this kind of delegation.
> In XMPP we have delegation via SRV and it's only recently (with the
> promise of wider availability for DNSSEC) that we've started to
> describe best practices for secure delegation.
>
> With regard to WebFinger and 'acct' URIs, first of all we're
> discouraging people from doing things like this:
>
> <a href='acct:john.doe@foo.com'>more about John</a>
>
> However, people keep assuming they can do that kind of thing, so I
> really do need to add some strong language to the spec discouraging
> it, eh?
>
> Second, unless such a link (with your suggested "?provider=bar.com"
> query) is served over HTTPS, the delegation can't be secure.
>
> Third, you'd need to ensure that the domainpart of the 'acct' URI
> matched the domain to which you sent the HTTP request that resulted in
> the return of an HTML page (say) containing said hyperlink.
>
> Fourth, even a match there might not indicate that the author of the
> HTML page (say) is authorized to say that requests for information
> about john.doe@foo.com can legitimately be served by bar.com.
>
> IMHO this kind of delegation needs to happen at the DNS layer with
> DNSSEC to be anything close to secure. However, you *might* be able to
> do something slightly more secure than query parameters on the 'acct'
> URI using an approach similar to the "PKIX Over Secure HTTP" proposal
> that Matt Miller and I have been working on for XMPP:
>
> http://tools.ietf.org/id/draft-miller-xmpp-posh-prooftype-01.txt
>
> In any case, I think this is way beyond the scope of the 'acct' URI
> scheme and needs to be pursued in other ways.
>
> Peter
>
> - --
> Peter Saint-Andre
> https://stpeter.im/
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iEYEARECAAYFAlEQPKAACgkQNL8k5A2w/vxwsgCdEkiU7jiI+2guubPeh6nPOOrC
> ziIAn0dcRD0dCgspsfEELREbqUUGoi8q
> =udaO
> -----END PGP SIGNATURE-----
>

v2.23.0 | Report a Bug | By Email