Re: [apps-discuss] Webfinger discussion

["Paul E. Jones" <paulej@packetizer.com>]

That said. vcard defines addresses like IM.  We ought not duplicate
information, but I'm not sure where to draw the line.

 

Paul

 

From: Paul E. Jones [mailto:paulej@packetizer.com] 
Sent: Wednesday, March 28, 2012 5:07 PM
To: 'Bob Wyman'
Cc: 'apps-discuss@ietf.org'
Subject: RE: [apps-discuss] Webfinger discussion

 

Bob,

 

Given I'm not sure how to really use these off-hand, I'd prefer we did not
put them into examples.  It would be reasonable to define an "im" link
relation, though.  Then the href can refer to something concrete like
xmpp:paulej@packetizer.com.

 

Paul

 

From: bobwyman@gmail.com [mailto:bobwyman@gmail.com] On Behalf Of Bob Wyman
Sent: Tuesday, March 27, 2012 2:13 PM
To: Paul E. Jones
Cc: apps-discuss@ietf.org
Subject: Re: [apps-discuss] Webfinger discussion

 

im: and pres: were defined as protocol independent URI's in order to make
things simpler than having to work with XMPP, SIP, and potentially even
APEX, etc. as alternative presence or messaging protocols. But, yeah...
nobody seems to use the stuff. The fact remains that messaging and presence
are still distinct services. So, perhaps an xmpp: URI tagged as both
"instant-messaging" and "presence" would make more sense.

 

bob wyman

On Tue, Mar 27, 2012 at 2:06 PM, Paul E. Jones <paulej@packetizer.com>
wrote:

Bob,

 

Is "pres:" being used in practice?  Does it refer to SIP or XMPP or other
presence protocol?

 

I'll note that adding this one might incite additional concerns for privacy.
I assume that whatever protocol to which pres: refers (which is unclear to
me) would handle the authorization aspects.  But, I'm left wondering. if one
knows a person's SIP or XMPP URI, why would one need pres:?

 

Paul

 

From: bobwyman@gmail.com [mailto:bobwyman@gmail.com] On Behalf Of Bob Wyman
Sent: Tuesday, March 27, 2012 1:18 PM
To: Paul E. Jones
Cc: apps-discuss@ietf.org


Subject: Re: [apps-discuss] Webfinger discussion

 

Paul,

Examples are very powerful means of setting expectations for usage of
standards... So, perhaps it would be useful to include in the examples a
pointer to a user's "pres:" URI, defined by RFC3859 "Common Profile for
Presence", as the endpoint that should be used to obtain "presence"
information. 

 

bob wyman

 

On Tue, Mar 27, 2012 at 12:57 PM, Paul E. Jones <paulej@packetizer.com>
wrote:

James,

If the other items are editorial, perhaps just direct them to me.  If they
are items that others might want to weigh in on, then this list is the
appropriate venue.

Paul


> -----Original Message-----
> From: James M Snell [mailto:jasnell@gmail.com]
> Sent: Tuesday, March 27, 2012 12:39 PM
> To: Paul E. Jones
> Cc: Andrew Sullivan; apps-discuss@ietf.org
> Subject: Re: [apps-discuss] Webfinger discussion
>
> To be fair, there are ways of dealing with the potential for security
> leaks of this nature with WebFinger that did not really exist with the
> original Finger protocol. OAuth 2, for instance. A WebFinger endpoint
> could choose to serve up only the most basic static information to
> unauthenticated requesters, but then provide a means for a requester to
> authenticate and request permission from the target user or provider to
> acquire additional information as part of the response.
>
> On a side note to Paul: I did have some additional general comments on the
> WebFinger spec itself, I wanted to ask where such comments would be best
> directed for discussion.
>
> - James
>
> On Tue, Mar 27, 2012 at 9:15 AM, Paul E. Jones <paulej@packetizer.com>
> wrote:
> > I agree it would be useful to add text about sharing information that
> > might be dynamic in nature (e.g., current user location).
> >
> > We'll add text along those lines to the next draft.  Any other
> > security considerations we should note?
> >
> > Paul
> >
> >> -----Original Message-----
> >> From: apps-discuss-bounces@ietf.org
> >> [mailto:apps-discuss-bounces@ietf.org]
> >> On Behalf Of Andrew Sullivan
> >> Sent: Tuesday, March 27, 2012 4:47 AM
> >> To: apps-discuss@ietf.org
> >> Subject: Re: [apps-discuss] Webfinger discussion
> >>
> >> On Mon, Mar 26, 2012 at 02:31:30PM -0400, Bob Wyman wrote:
> >>
> >> > un-recommended!). If people did, in fact, use WebFinger to record
> >> > such stuff, the concerns you mentioned would be relevant. Thus, it
> >> > might make sense for the Security Considerations section to suggest
> >> > that one should think carefully before using WebFinger to provide
> >> > such dynamic
> >> information.
> >>
> >> Right, that's most of what I was trying to say.  I do have a concern
> >> that collecting a bunch of different information about a given person
> >> and linking it together in a single, easy to access repository has
> >> some potential security side effects (not just privacy ones, but
> >> those too, of
> >> course) that are not clearly highlighted in the security
> considerations.
> >> I suppose one could argue that facebook's (or pick your poison) user
> >> population shows nobody cares about that, but I think it would still
> >> be good to have some observations about those effects.
> >>
> >> Best,
> >>
> >> A
> >>
> >> --
> >> Andrew Sullivan
> >> ajs@anvilwalrusden.com
> >> _______________________________________________
> >> apps-discuss mailing list
> >> apps-discuss@ietf.org
> >> https://www.ietf.org/mailman/listinfo/apps-discuss
> >
> > _______________________________________________
> > apps-discuss mailing list
> > apps-discuss@ietf.org
> > https://www.ietf.org/mailman/listinfo/apps-discuss

_______________________________________________
apps-discuss mailing list
apps-discuss@ietf.org
https://www.ietf.org/mailman/listinfo/apps-discuss