Re: [apps-discuss] Webfinger discussion
Bob Wyman <bob@wyman.us> Tue, 27 March 2012 17:18 UTC
Paul,

Examples are very powerful means of setting expectations for usage of standards... So, perhaps it would be useful to include in the examples a pointer to a user's "pres:" URI, defined by RFC3859 "Common Profile for Presence", as the endpoint that should be used to obtain "presence" information.

bob wyman

On Tue, Mar 27, 2012 at 12:57 PM, Paul E. Jones <paulej@packetizer.com> wrote:

> James,
>
> If the other items are editorial, perhaps just direct them to me. If they
> are items that others might want to weigh in on, then this list is the
> appropriate venue.
>
> Paul
>
> > -----Original Message-----
> > From: James M Snell [mailto:jasnell@gmail.com]
> > Sent: Tuesday, March 27, 2012 12:39 PM
> > To: Paul E. Jones
> > Cc: Andrew Sullivan; apps-discuss@ietf.org
> > Subject: Re: [apps-discuss] Webfinger discussion
> >
> > To be fair, there are ways of dealing with the potential for security
> > leaks of this nature with WebFinger that did not really exist with the
> > original Finger protocol. OAuth 2, for instance. A WebFinger endpoint
> > could choose to serve up only the most basic static information to
> > unauthenticated requesters, but then provide a means for a requester to
> > authenticate and request permission from the target user or provider to
> > acquire additional information as part of the response.
> >
> > On a side note to Paul: I did have some additional general comments on the
> > WebFinger spec itself, I wanted to ask where such comments would be best
> > directed for discussion.
> >
> > - James
> >
> > On Tue, Mar 27, 2012 at 9:15 AM, Paul E. Jones <paulej@packetizer.com>
> > wrote:
> > > I agree it would be useful to add text about sharing information that
> > > might be dynamic in nature (e.g., current user location).
> > >
> > > We'll add text along those lines to the next draft. Any other
> > > security considerations we should note?
> > >
> > > Paul
> > >
> > >> -----Original Message-----
> > >> From: apps-discuss-bounces@ietf.org
> > >> [mailto:apps-discuss-bounces@ietf.org]
> > >> On Behalf Of Andrew Sullivan
> > >> Sent: Tuesday, March 27, 2012 4:47 AM
> > >> To: apps-discuss@ietf.org
> > >> Subject: Re: [apps-discuss] Webfinger discussion
> > >>
> > >> On Mon, Mar 26, 2012 at 02:31:30PM -0400, Bob Wyman wrote:
> > >>
> > >> > un-recommended!). If people did, in fact, use WebFinger to record
> > >> > such stuff, the concerns you mentioned would be relevant. Thus, it
> > >> > might make sense for the Security Considerations section to suggest
> > >> > that one should think carefully before using WebFinger to provide
> > >> > such dynamic information.
> > >>
> > >> Right, that's most of what I was trying to say. I do have a concern
> > >> that collecting a bunch of different information about a given person
> > >> and linking it together in a single, easy to access repository has
> > >> some potential security side effects (not just privacy ones, but
> > >> those too, of course) that are not clearly highlighted in the
> > >> security considerations.
> > >> I suppose one could argue that facebook's (or pick your poison) user
> > >> population shows nobody cares about that, but I think it would still
> > >> be good to have some observations about those effects.
> > >>
> > >> Best,
> > >>
> > >> A
> > >>
> > >> --
> > >> Andrew Sullivan
> > >> ajs@anvilwalrusden.com
> > >> _______________________________________________
> > >> apps-discuss mailing list
> > >> apps-discuss@ietf.org
> > >> https://www.ietf.org/mailman/listinfo/apps-discuss
> > >
> > > _______________________________________________
> > > apps-discuss mailing list
> > > apps-discuss@ietf.org
> > > https://www.ietf.org/mailman/listinfo/apps-discuss
> >
> _______________________________________________
> apps-discuss mailing list
> apps-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/apps-discuss
>
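
Added example, not part of the thread or of any WebFinger draft: a sketch of the tiered disclosure raised in the quoted discussion, where an unauthenticated lookup receives only static links and dynamic ones (such as the "pres:" URI suggested above) are released only for scopes the target user has approved. The account, tokens, scope names, the two `example.com` rel values and the `GRANTS` table standing in for OAuth 2 token validation are all assumptions.

```python
import json

# Constructed sample data: every name, URL, token and scope below is hypothetical.
PROFILE = {
    "subject": "acct:alice@example.com",
    "links": [
        {"rel": "http://webfinger.net/rel/profile-page",
         "href": "https://example.com/~alice", "scope": None},   # static, public
        {"rel": "https://example.com/rel/presence",              # hypothetical rel
         "href": "pres:alice@example.com", "scope": "presence"},
        {"rel": "https://example.com/rel/location",              # hypothetical rel
         "href": "https://example.com/~alice/location", "scope": "location"},
    ],
}

# Stand-in for the token validation an OAuth 2 deployment would perform:
# token -> (account the grant is for, scopes the user approved).
GRANTS = {
    "tok-bob-1": ("acct:alice@example.com", {"presence"}),
    "tok-other": ("acct:carol@example.com", {"presence", "location"}),
}

def granted_scopes(authorization, subject):
    """Return the approved scopes for this subject; empty set on any doubt."""
    if not authorization or not authorization.startswith("Bearer "):
        return set()
    grant = GRANTS.get(authorization[len("Bearer "):])
    if grant is None or grant[0] != subject:
        return set()          # unknown token, or a grant for another account
    return set(grant[1])

def webfinger_response(profile, authorization=None):
    """Build the descriptor, dropping every link the requester lacks scope for."""
    scopes = granted_scopes(authorization, profile["subject"])
    links = [
        {"rel": link["rel"], "href": link["href"]}   # internal scope tag not exposed
        for link in profile["links"]
        if link["scope"] is None or link["scope"] in scopes
    ]
    return {"subject": profile["subject"], "links": links}

if __name__ == "__main__":
    print(json.dumps(webfinger_response(PROFILE), indent=2))
    print(json.dumps(webfinger_response(PROFILE, "Bearer tok-bob-1"), indent=2))
```
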