[apps-discuss] R: Last Call: <draft-ietf-appsawg-webfinger-10.txt> (WebFinger) to Proposed Standard

Goix Laurent Walter <laurentwalter.goix@telecomitalia.it> Tue, 19 March 2013 16:03 UTC

From: Goix Laurent Walter <laurentwalter.goix@telecomitalia.it>
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, "ietf@ietf.org" <ietf@ietf.org>
Date: Tue, 19 Mar 2013 17:03:22 +0100
Message-ID: <A09A9E0A4B9C654E8672D1DC003633AE53A7C5743E@GRFMBX704BA020.griffon.local>
References: <20130304202430.31062.82246.idtracker@ietfa.amsl.com> <trinity-5a12ace7-cf4e-4158-81f2-a31386cea633-1363701294259@3capp-gmx-bs53>
In-Reply-To: <trinity-5a12ace7-cf4e-4158-81f2-a31386cea633-1363701294259@3capp-gmx-bs53>
Cc: "apps-discuss@ietf.org" <apps-discuss@ietf.org>
Subject: [apps-discuss] R: Last Call: <draft-ietf-appsawg-webfinger-10.txt> (WebFinger) to Proposed Standard

Hello Hannes, all,
[snip]
The usage of the WebFinger mechanism requires the requestor to have access to the full username@domain identifier. While this may be OK in some cases when the response relates very much to the specific user account it may be a problem in other cases. For example, in the OAuth case there is the idea that the user identifier may be hidden from the relying party but you have just required that identifier to be provided to the relying party to start the entire OAuth exchange (in the discovery).

The example in Section 3.1 returns information that relates to the specific username and therefore it makes sense to provide the username part of the identifier to the service that constructs the query. For the OpenID Connect discovery procedure described in Section 3.2 I wonder whether this is always desirable.

Could you expand the description a bit to explain why the relying party in this case has to obtain the username part as well? The returned information does not seem to be specific to a certain user. It is the server configuration. It would be nice if the configuration of an identity provider software (e.g., OpenID Connect) is not different for every user.

[walter] For host-wide information you may query /.well-known/webfinger?resource=http://example.com, although it looks quite odd to me (but is technically feasible) and certainly isn't called out in the current text. Or you could (better) rely on the host-meta endpoint (RFC 6415) and use the XRD or JRD representation, optionally over HTTPS if you care about security. This is the approach we took within OMA to autoconfigure the client based on the pure domain information (the RP does not necessarily know the username and shouldn't ask the user for it). This way you can discover the OAuth2 endpoints, for example, and have the user log in on his favorite portal to obtain his token.


I believe it is just fair to ask for a warning to be added to the security considerations section indicating that WebFinger may have an impact on your privacy expectations, since it shares information with the relying party that other mechanisms do not provide. So, if you think that this just works like other discovery mechanisms the IETF has worked on in the past, then you might be surprised.

I would even volunteer to provide text but I fear that you are not going to like it.

Ciao
Hannes
Sent: Monday, 04 March 2013 at 21:24
From: "The IESG" <iesg-secretary@ietf.org>
To: IANA <drafts-lastcall@icann.org>
Cc: apps-discuss@ietf.org
Subject: [apps-discuss] Last Call: <draft-ietf-appsawg-webfinger-10.txt> (WebFinger) to Proposed Standard

The IESG has received a request from the Applications Area Working Group
WG (appsawg) to consider the following document:
- 'WebFinger'
<draft-ietf-appsawg-webfinger-10.txt> as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2013-03-18. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract
This specification defines the WebFinger protocol, which can be used
to discover information about people or other entities on the
Internet using standard HTTP methods. WebFinger discovers
information for a URI that might not be usable as a locator
otherwise, such as account or email URIs.
The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-appsawg-webfinger/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-appsawg-webfinger/ballot/


No IPR declarations have been submitted directly on this I-D.




This e-mail and any attachments is confidential and may contain privileged information intended for the addressee(s) only. Dissemination, copying, printing or use by anybody else is unauthorised. If you are not the intended recipient, please delete this message and any attachments and advise the sender by return e-mail, Thanks.

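To make the two discovery paths in Walter's reply concrete, here is an added example in Python. It is not code from the draft, from this thread or from OMA. It builds the account-specific WebFinger query (which carries the full acct: identifier, the privacy point Hannes raises), the host-wide WebFinger query, and the RFC 6415 host-meta.json request that needs only the domain, then pulls an OpenID Connect issuer out of a JRD. The issuer rel value is assumed from the draft's Section 3.2 example, the two JRD documents are constructed here rather than captured from a server, and the subject/alias check is an added sanity check, not something the draft requires.

```python
# Added example (not from the draft or this thread): build the discovery
# requests discussed above and pull endpoints out of a JRD response.
# Assumptions: the acct: and http: resource forms from the draft, the
# host-meta.json path from RFC 6415, and the OpenID Connect issuer rel as
# used in the draft's Section 3.2 example. Sample JRDs are constructed here.
import json
from typing import List, Optional
from urllib.parse import quote, urlparse

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"


def host_of(resource: str) -> str:
    """Host that must serve the WebFinger endpoint for this resource."""
    parts = urlparse(resource)
    if parts.scheme == "acct":
        # acct:user@host: the part after the last '@' is the host; the part
        # before it is the username the relying party has to know, which is
        # the information the thread says other discovery mechanisms do not
        # require.
        return parts.path.rsplit("@", 1)[1]
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts.hostname
    raise ValueError(f"unsupported resource URI: {resource}")


def webfinger_url(resource: str, rel: Optional[str] = None) -> str:
    """Account-specific (acct:) or host-wide (http://host) WebFinger query.
    The identifier travels in the query string, so the request is built
    over https only."""
    url = (f"https://{host_of(resource)}/.well-known/webfinger"
           f"?resource={quote(resource, safe='')}")
    if rel is not None:
        url += f"&rel={quote(rel, safe='')}"
    return url


def host_meta_url(domain: str) -> str:
    """RFC 6415 host-meta in JRD form: needs only the domain, no username."""
    return f"https://{domain}/.well-known/host-meta.json"


def subject_matches(jrd: dict, resource: str) -> bool:
    """Added sanity check for an account query: the JRD should describe the
    resource we asked about, either as its subject or one of its aliases."""
    return jrd.get("subject") == resource or resource in jrd.get("aliases", [])


def links_with_rel(jrd: dict, rel: str) -> List[dict]:
    """All link objects in the JRD carrying the given rel."""
    return [link for link in jrd.get("links", []) if link.get("rel") == rel]


def issuer_from_jrd(jrd: dict) -> Optional[str]:
    """First OpenID Connect issuer href, or None if the server offers none."""
    for link in links_with_rel(jrd, OIDC_ISSUER_REL):
        href = link.get("href")
        if href:
            return href
    return None


# Constructed sample responses (not captured from a real server).
ACCOUNT_JRD = json.loads("""{
  "subject": "acct:alice@example.com",
  "aliases": ["https://example.com/~alice"],
  "links": [
    {"rel": "http://openid.net/specs/connect/1.0/issuer",
     "href": "https://openid.example.com"},
    {"rel": "http://webfinger.net/rel/profile-page",
     "type": "text/html", "href": "https://example.com/~alice"}
  ]
}""")

HOST_META_JRD = json.loads("""{
  "links": [
    {"rel": "http://openid.net/specs/connect/1.0/issuer",
     "href": "https://openid.example.com"}
  ]
}""")


if __name__ == "__main__":
    print(webfinger_url("acct:alice@example.com", OIDC_ISSUER_REL))
    print(webfinger_url("http://example.com"))
    print(host_meta_url("example.com"))
    print(issuer_from_jrd(ACCOUNT_JRD), issuer_from_jrd(HOST_META_JRD))
```

The two JRDs yield the same issuer, which is the point of the reply: when the answer is per-host configuration rather than per-user data, the host-meta request (or the host-wide WebFinger resource) gets it without the relying party ever learning the username.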