[apps-discuss] Webfinger discussion
"Paul E. Jones" <paulej@packetizer.com> Mon, 26 March 2012 14:35 UTC
Return-Path: <paulej@packetizer.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FB4A21E809C for <apps-discuss@ietfa.amsl.com>; Mon, 26 Mar 2012 07:35:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.49
X-Spam-Level:
X-Spam-Status: No, score=-2.49 tagged_above=-999 required=5 tests=[AWL=0.109, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R-lIF-Ex34ZW for <apps-discuss@ietfa.amsl.com>; Mon, 26 Mar 2012 07:35:55 -0700 (PDT)
Received: from dublin.packetizer.com (dublin.packetizer.com [75.101.130.125]) by ietfa.amsl.com (Postfix) with ESMTP id EE26021E80B3 for <apps-discuss@ietf.org>; Mon, 26 Mar 2012 07:35:52 -0700 (PDT)
Received: from sydney (rrcs-98-101-148-48.midsouth.biz.rr.com [98.101.148.48]) (authenticated bits=0) by dublin.packetizer.com (8.14.5/8.14.5) with ESMTP id q2QEZpM4017520 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for <apps-discuss@ietf.org>; Mon, 26 Mar 2012 10:35:52 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=packetizer.com; s=dublin; t=1332772552; bh=EKpXO5wdq0DKHSCtzzGrgS/L73y2G/EcVJV7AIs7d88=; h=From:To:Subject:Date:Message-ID:MIME-Version:Content-Type: Content-Transfer-Encoding; b=M1y5aGnf4FH0udJZuanGPhYcj5UebV2f20a84Z/OATsRVFAdL/RHHPyAzA/pORHfX MWcXUcEynnqEo5catpbJPodjXoRi7U40q5Sm1ZYVZjxty6fltTiuH6DFP84ikejGBk 0ec2rK4FfFJlMprfeiqG9v+kZTqu7gLpU84oSeRU=
From: "Paul E. Jones" <paulej@packetizer.com>
To: apps-discuss@ietf.org
Date: Mon, 26 Mar 2012 10:35:54 -0400
Message-ID: <053201cd0b5d$c08c80f0$41a582d0$@packetizer.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Ac0LWmibUdNYkiEqSDOmM+1w+wpGVQ==
Content-Language: en-us
Subject: [apps-discuss] Webfinger discussion
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2012 14:35:56 -0000
Folks, I saw the notes regarding the Webfinger discussion today. Unfortunately, I could not be there, so please indulge me while I ask questions related to the notes: > Thomas Roessler: CORS is in last call This is good to know. So, was the group in favor of leaving it in as mandatory? ?: Good idea. Work going on in other orgs that reference this. > Hannes Tschofenig: People like the whole idea, but is bizarre to mandate CORS Yeah, we have a choice to make. If we mandate it, then (in theory) it should be possible to query a Webfinger server via a JavaScript application in the browser. Without it, we would not be able to get beyond the single-origin rules. > Paul Hoffman: needs to have consensus calls, so should be in APPSAWG Not sure what this meant. Are you suggesting we make the document a WG item? For sure, I'd like to progress the document. > Leif Johannsen: people don't have their own email servers anymore This is true, which is one reason people have favored using "acct". Now, people have identifiers on social networks, but the user@domain notation is convenient and understood. > Andrew Sullivan: when I was a kid, they told us to turn off finger, so I'm > concerned about security That was due to the fact the finger protocol implementations had security holes. It was also possible to do things like "ln /etc/password .plan" and that was a bad thing :-) > Dave Crocker: email is the same as it's always been. Email is good as > identifier, even if there's no mailbox. Nice service to have, but needs > lots of input to get correct. Might need more work than APPSAWG. Might > need its own WG. I would hope it does not go so far as to needing its own WG. Much of the "Webfinger" functionality is really formally describing it as such and using existing RFCs. The "new" bits are the "acct" URI scheme, link relation, requirement to use CORS, and requirement to implement JRD. The "acct" URI scheme is already used "in the wild" and is needed because some social networks provide user accounts, but not email addresses. To somebody else's point, some do not run their own email servers anymore and certainly many social networks are not going to provide email services, as there is little to no value in doing so. Yet, a "Webfinger" service has value. > Mike Jones: (speaking as openid/oauth contributer) we don't use this; > it doesn't have the right properties Webfinger is not intended to be used by OpenID directly. Actually, how I stumbled into this area, though, was through OpenID. As I implemented my OpenID server, I wanted to find a way to get rid of forcing people to have OpenID identifiers that had to enter on sites like https://openid.packetizer.com/paulej. People pointed me to the work on Webfinger. Webfinger does not replace the OpenID identifier, but merely provides makes it easily discoverable. So, when I visit a web site, I can enter paulej@packetizer.com. This would result in a Webfinger query for acct:paulej@packetizer.com. What would be returned is several pieces of information one of which is https://openid.packetizer.com/paulej using the link relation http://specs.openid.net/auth/2.0/provider. (I'm not too favorable to that particular link relation, since it's not a pointer to the provider, but a pointer to my identifier. But, that seems to be the predominant value used.) The service I'm trying to log into now has my identifier in hand and would go through the same login procedures. Security should not be compromised, because the Webfinger account information should have been provided securely and the login process within the OpenID provider should either be automatic (because the provider already recognizes your browser) or would prompt for credentials. Nothing about OpenID has been weakened in the process, as nothing about OpenID changed. Further, there is never a requirement to use Webfinger -- it's an option for OpenID. > John Bradley: (speaking as author of XRD) JRD is doc'd in blog post, > concerned about security/privacy, needs more work before could be used > in OpenID/Connect. JRD is documented now in standards-track RFC 6415. It defines a direct mapping from XRD to JRD. I will not disagree that thought may need to be considered in for use in OpenID or OpenID Connect, but that is not an issue for Webfinger itself. Webfinger merely provides pointers to information or other identifiers. I understand how this would work in OpenID and I don't see risk there. I'm not familiar with how OpenID Connect is supposed to work. I had seen some proposals, but nothing recent. Those proposals I had seen suggested that I enter my credentials for my identify provider on the site that I was visiting. Hopefully, that's now how it works now, because there's no way I would do that :-) So, what was the opinion of the group? It's important to note that RFC 6415 essentially defines all of the mechanisms already, so it's out there and people can use it. The Webfinger draft is there to formalize the name and to introduce the needed "acct" URI and link relation values. Paul
- Re: [apps-discuss] Webfinger discussion Paul E. Jones
- Re: [apps-discuss] Webfinger discussion Andrew Sullivan
- [apps-discuss] Webfinger discussion Paul E. Jones
- Re: [apps-discuss] Webfinger discussion Bob Wyman
- Re: [apps-discuss] Webfinger discussion Peter Saint-Andre
- Re: [apps-discuss] Webfinger discussion Andrew Sullivan
- Re: [apps-discuss] Webfinger discussion John C Klensin
- Re: [apps-discuss] Webfinger discussion Paul E. Jones
- Re: [apps-discuss] Webfinger discussion James M Snell
- Re: [apps-discuss] Webfinger discussion Paul E. Jones
- Re: [apps-discuss] Webfinger discussion Bob Wyman
- Re: [apps-discuss] Webfinger discussion Bob Wyman
- Re: [apps-discuss] Webfinger discussion Paul E. Jones
- Re: [apps-discuss] Webfinger discussion Bob Wyman
- Re: [apps-discuss] Webfinger discussion James M Snell
- Re: [apps-discuss] Webfinger discussion 'Andrew Sullivan'
- Re: [apps-discuss] Webfinger discussion Bob Wyman
- Re: [apps-discuss] Webfinger discussion SM
- [apps-discuss] R: Webfinger discussion Goix Laurent Walter
- Re: [apps-discuss] Webfinger discussion John C Klensin
- [apps-discuss] What auth server supplies email ad… Alessandro Vesely
- Re: [apps-discuss] R: Webfinger discussion Bob Wyman
- [apps-discuss] R: R: Webfinger discussion Goix Laurent Walter
- Re: [apps-discuss] R: Webfinger discussion Bob Wyman
- Re: [apps-discuss] Webfinger discussion Paul E. Jones
- Re: [apps-discuss] Webfinger discussion Paul E. Jones
- Re: [apps-discuss] Webfinger discussion Paul E. Jones
- Re: [apps-discuss] What auth server supplies emai… Paul E. Jones
- Re: [apps-discuss] What auth server supplies emai… Alessandro Vesely
- Re: [apps-discuss] Webfinger discussion Eran Hammer
- Re: [apps-discuss] What auth server supplies emai… Alessandro Vesely
- Re: [apps-discuss] What auth server supplies emai… Paul E. Jones
- Re: [apps-discuss] What auth server supplies emai… Alessandro Vesely
- Re: [apps-discuss] What auth server supplies emai… Paul E. Jones
- Re: [apps-discuss] What auth server supplies emai… Alessandro Vesely