Re: [apps-discuss] Webfinger discussion
"Paul E. Jones" <paulej@packetizer.com> Wed, 28 March 2012 21:07 UTC
Return-Path: <paulej@packetizer.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4AB021F8543 for <apps-discuss@ietfa.amsl.com>; Wed, 28 Mar 2012 14:07:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.486
X-Spam-Level:
X-Spam-Status: No, score=-2.486 tagged_above=-999 required=5 tests=[AWL=0.112, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Nynqw4VdD+G for <apps-discuss@ietfa.amsl.com>; Wed, 28 Mar 2012 14:07:21 -0700 (PDT)
Received: from dublin.packetizer.com (dublin.packetizer.com [75.101.130.125]) by ietfa.amsl.com (Postfix) with ESMTP id D1D6A21F8537 for <apps-discuss@ietf.org>; Wed, 28 Mar 2012 14:07:20 -0700 (PDT)
Received: from sydney (rrcs-98-101-148-48.midsouth.biz.rr.com [98.101.148.48]) (authenticated bits=0) by dublin.packetizer.com (8.14.5/8.14.5) with ESMTP id q2SL7Jv5028494 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 28 Mar 2012 17:07:20 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=packetizer.com; s=dublin; t=1332968840; bh=YIuumMXznq0+ZwNwYjgOZic1PyS2QvybhVDafDE4Ces=; h=From:To:Cc:References:In-Reply-To:Subject:Date:Message-ID: MIME-Version:Content-Type; b=cWVRa1BvJr1H7SdeOy5u+ljgO7SUfK0QyEuF1cxMoLcdBrQoVp4viJiN4PSNhiSSa SjvZW/CFc/2T8AjPBbiVcc/UnAQN2PFPKIPxs7m9wdzVwT5pExNt4ul64BTdJuD9IN WaH6Zi+N8cheQdQsDAU3nu4OzXmrWvw+uHlAEMf8=
From: "Paul E. Jones" <paulej@packetizer.com>
To: 'Bob Wyman' <bob@wyman.us>
References: <053201cd0b5d$c08c80f0$41a582d0$@packetizer.com> <20120326150556.GC3557@mail.yitter.info> <CAA1s49V0M7N1pLua+ORxGWmsrd_yAA_KQ0Piqjg8VuWJ5=G+Lg@mail.gmail.com> <20120327084709.GB11491@mail.yitter.info> <00ac01cd0c34$cfc96f10$6f5c4d30$@packetizer.com> <CABP7RbdtMYtqgV=NepJMNintjF9hb4h6wv2ttc5bDVqE=yAvPA@mail.gmail.com> <00d201cd0c3a$b3672410$1a356c30$@packetizer.com> <CAA1s49W4aRxwEygedk2FEg3KX3vK57yJTadOaqQZbCpcMvTYtA@mail.gmail.com> <00f701cd0c44$48cb87e0$da6297a0$@packetizer.com> <CAA1s49Urtu76BQU7SbJ0PLZ6A44H3HnSE5tjtgMewzsG7T7Lrg@mail.gmail.com>
In-Reply-To: <CAA1s49Urtu76BQU7SbJ0PLZ6A44H3HnSE5tjtgMewzsG7T7Lrg@mail.gmail.com>
Date: Wed, 28 Mar 2012 17:07:24 -0400
Message-ID: <021301cd0d26$c6b0db50$541291f0$@packetizer.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0214_01CD0D05.3FA0C1F0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQEg174HJISLlkWDD0VVkXSpmVuZQwKMareXAWwgTx8BwaaRJQGG5wouAU3B5AYBuFTkWgH4n5esAoBkcbkB4jKGpJdTg6EA
Content-Language: en-us
Cc: apps-discuss@ietf.org
Subject: Re: [apps-discuss] Webfinger discussion
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Mar 2012 21:07:23 -0000
Bob, Given I'm not sure how to really use these off-hand, I'd prefer we did not put them into examples. It would be reasonable to define an "im" link relation, though. Then the href can refer to something concrete like xmpp:paulej@packetizer.com. Paul From: bobwyman@gmail.com [mailto:bobwyman@gmail.com] On Behalf Of Bob Wyman Sent: Tuesday, March 27, 2012 2:13 PM To: Paul E. Jones Cc: apps-discuss@ietf.org Subject: Re: [apps-discuss] Webfinger discussion im: and pres: were defined as protocol independent URI's in order to make things simpler than having to work with XMPP, SIP, and potentially even APEX, etc. as alternative presence or messaging protocols. But, yeah... nobody seems to use the stuff. The fact remains that messaging and presence are still distinct services. So, perhaps an xmpp: URI tagged as both "instant-messaging" and "presence" would make more sense. bob wyman On Tue, Mar 27, 2012 at 2:06 PM, Paul E. Jones <paulej@packetizer.com> wrote: Bob, Is "pres:" being used in practice? Does it refer to SIP or XMPP or other presence protocol? I'll note that adding this one might incite additional concerns for privacy. I assume that whatever protocol to which pres: refers (which is unclear to me) would handle the authorization aspects. But, I'm left wondering. if one knows a person's SIP or XMPP URI, why would one need pres:? Paul From: bobwyman@gmail.com [mailto:bobwyman@gmail.com] On Behalf Of Bob Wyman Sent: Tuesday, March 27, 2012 1:18 PM To: Paul E. Jones Cc: apps-discuss@ietf.org Subject: Re: [apps-discuss] Webfinger discussion Paul, Examples are very powerful means of setting expectations for usage of standards... So, perhaps it would be useful to include in the examples a pointer to a user's "pres:" URI, defined by RFC3859 "Common Profile for Presence", as the endpoint that should be used to obtain "presence" information. bob wyman On Tue, Mar 27, 2012 at 12:57 PM, Paul E. Jones <paulej@packetizer.com> wrote: James, If the other items are editorial, perhaps just direct them to me. If they are items that others might want to weigh in on, then this list is the appropriate venue. Paul > -----Original Message----- > From: James M Snell [mailto:jasnell@gmail.com] > Sent: Tuesday, March 27, 2012 12:39 PM > To: Paul E. Jones > Cc: Andrew Sullivan; apps-discuss@ietf.org > Subject: Re: [apps-discuss] Webfinger discussion > > To be fair, there are ways of dealing with the potential for security > leaks of this nature with WebFinger that did not really exist with the > original Finger protocol. OAuth 2, for instance. A WebFinger endpoint > could choose to serve up only the most basic static information to > unauthenticated requesters, but then provide a means for a requester to > authenticate and request permission from the target user or provider to > acquire additional information as part of the response. > > On a side note to Paul: I did have some additional general comments on the > WebFinger spec itself, I wanted to ask where such comments would be best > directed for discussion. > > - James > > On Tue, Mar 27, 2012 at 9:15 AM, Paul E. Jones <paulej@packetizer.com> > wrote: > > I agree it would be useful to add text about sharing information that > > might be dynamic in nature (e.g., current user location). > > > > We'll add text along those lines to the next draft. Any other > > security considerations we should note? > > > > Paul > > > >> -----Original Message----- > >> From: apps-discuss-bounces@ietf.org > >> [mailto:apps-discuss-bounces@ietf.org] > >> On Behalf Of Andrew Sullivan > >> Sent: Tuesday, March 27, 2012 4:47 AM > >> To: apps-discuss@ietf.org > >> Subject: Re: [apps-discuss] Webfinger discussion > >> > >> On Mon, Mar 26, 2012 at 02:31:30PM -0400, Bob Wyman wrote: > >> > >> > un-recommended!). If people did, in fact, use WebFinger to record > >> > such stuff, the concerns you mentioned would be relevant. Thus, it > >> > might make sense for the Security Considerations section to suggest > >> > that one should think carefully before using WebFinger to provide > >> > such dynamic > >> information. > >> > >> Right, that's most of what I was trying to say. I do have a concern > >> that collecting a bunch of different information about a given person > >> and linking it together in a single, easy to access repository has > >> some potential security side effects (not just privacy ones, but > >> those too, of > >> course) that are not clearly highlighted in the security > considerations. > >> I suppose one could argue that facebook's (or pick your poison) user > >> population shows nobody cares about that, but I think it would still > >> be good to have some observations about those effects. > >> > >> Best, > >> > >> A > >> > >> -- > >> Andrew Sullivan > >> ajs@anvilwalrusden.com > >> _______________________________________________ > >> apps-discuss mailing list > >> apps-discuss@ietf.org > >> https://www.ietf.org/mailman/listinfo/apps-discuss > > > > _______________________________________________ > > apps-discuss mailing list > > apps-discuss@ietf.org > > https://www.ietf.org/mailman/listinfo/apps-discuss _______________________________________________ apps-discuss mailing list apps-discuss@ietf.org https://www.ietf.org/mailman/listinfo/apps-discuss
- Re: [apps-discuss] Webfinger discussion Paul E. Jones
- Re: [apps-discuss] Webfinger discussion Andrew Sullivan
- [apps-discuss] Webfinger discussion Paul E. Jones
- Re: [apps-discuss] Webfinger discussion Bob Wyman
- Re: [apps-discuss] Webfinger discussion Peter Saint-Andre
- Re: [apps-discuss] Webfinger discussion Andrew Sullivan
- Re: [apps-discuss] Webfinger discussion John C Klensin
- Re: [apps-discuss] Webfinger discussion Paul E. Jones
- Re: [apps-discuss] Webfinger discussion James M Snell
- Re: [apps-discuss] Webfinger discussion Paul E. Jones
- Re: [apps-discuss] Webfinger discussion Bob Wyman
- Re: [apps-discuss] Webfinger discussion Bob Wyman
- Re: [apps-discuss] Webfinger discussion Paul E. Jones
- Re: [apps-discuss] Webfinger discussion Bob Wyman
- Re: [apps-discuss] Webfinger discussion James M Snell
- Re: [apps-discuss] Webfinger discussion 'Andrew Sullivan'
- Re: [apps-discuss] Webfinger discussion Bob Wyman
- Re: [apps-discuss] Webfinger discussion SM
- [apps-discuss] R: Webfinger discussion Goix Laurent Walter
- Re: [apps-discuss] Webfinger discussion John C Klensin
- [apps-discuss] What auth server supplies email ad… Alessandro Vesely
- Re: [apps-discuss] R: Webfinger discussion Bob Wyman
- [apps-discuss] R: R: Webfinger discussion Goix Laurent Walter
- Re: [apps-discuss] R: Webfinger discussion Bob Wyman
- Re: [apps-discuss] Webfinger discussion Paul E. Jones
- Re: [apps-discuss] Webfinger discussion Paul E. Jones
- Re: [apps-discuss] Webfinger discussion Paul E. Jones
- Re: [apps-discuss] What auth server supplies emai… Paul E. Jones
- Re: [apps-discuss] What auth server supplies emai… Alessandro Vesely
- Re: [apps-discuss] Webfinger discussion Eran Hammer
- Re: [apps-discuss] What auth server supplies emai… Alessandro Vesely
- Re: [apps-discuss] What auth server supplies emai… Paul E. Jones
- Re: [apps-discuss] What auth server supplies emai… Alessandro Vesely
- Re: [apps-discuss] What auth server supplies emai… Paul E. Jones
- Re: [apps-discuss] What auth server supplies emai… Alessandro Vesely