Re: [apps-discuss] Webfinger discussion

Bob Wyman <bob@wyman.us> Tue, 27 March 2012 17:18 UTC

From: Bob Wyman <bob@wyman.us>
To: "Paul E. Jones" <paulej@packetizer.com>
Cc: apps-discuss@ietf.org

Paul,
Examples are a very powerful means of setting expectations for the usage of
standards... So, perhaps it would be useful to include in the examples a
pointer to a user's "pres:" URI, defined by RFC 3859 "Common Profile for
Presence", as the endpoint that should be used to obtain "presence"
information.

bob wyman

On Tue, Mar 27, 2012 at 12:57 PM, Paul E. Jones <paulej@packetizer.com> wrote:

> James,
>
> If the other items are editorial, perhaps just direct them to me.  If they
> are items that others might want to weigh in on, then this list is the
> appropriate venue.
>
> Paul
>
> > -----Original Message-----
> > From: James M Snell [mailto:jasnell@gmail.com]
> > Sent: Tuesday, March 27, 2012 12:39 PM
> > To: Paul E. Jones
> > Cc: Andrew Sullivan; apps-discuss@ietf.org
> > Subject: Re: [apps-discuss] Webfinger discussion
> >
> > To be fair, there are ways of dealing with the potential for security
> > leaks of this nature with WebFinger that did not really exist with the
> > original Finger protocol. OAuth 2, for instance. A WebFinger endpoint
> > could choose to serve up only the most basic static information to
> > unauthenticated requesters, but then provide a means for a requester to
> > authenticate and request permission from the target user or provider to
> > acquire additional information as part of the response.
> >
> > On a side note to Paul: I did have some additional general comments on
> > the WebFinger spec itself; I wanted to ask where such comments would be
> > best directed for discussion.
> >
> > - James
> >
> > On Tue, Mar 27, 2012 at 9:15 AM, Paul E. Jones <paulej@packetizer.com>
> > wrote:
> > > I agree it would be useful to add text about sharing information that
> > > might be dynamic in nature (e.g., current user location).
> > >
> > > We'll add text along those lines to the next draft.  Any other
> > > security considerations we should note?
> > >
> > > Paul
> > >
> > >> -----Original Message-----
> > >> From: apps-discuss-bounces@ietf.org
> > >> [mailto:apps-discuss-bounces@ietf.org]
> > >> On Behalf Of Andrew Sullivan
> > >> Sent: Tuesday, March 27, 2012 4:47 AM
> > >> To: apps-discuss@ietf.org
> > >> Subject: Re: [apps-discuss] Webfinger discussion
> > >>
> > >> On Mon, Mar 26, 2012 at 02:31:30PM -0400, Bob Wyman wrote:
> > >>
> > >> > un-recommended!). If people did, in fact, use WebFinger to record
> > >> > such stuff, the concerns you mentioned would be relevant. Thus, it
> > >> > might make sense for the Security Considerations section to suggest
> > >> > that one should think carefully before using WebFinger to provide
> > >> > such dynamic information.
> > >>
> > >> Right, that's most of what I was trying to say.  I do have a concern
> > >> that collecting a bunch of different information about a given person
> > >> and linking it together in a single, easy to access repository has
> > >> some potential security side effects (not just privacy ones, but
> > >> those too, of
> > >> course) that are not clearly highlighted in the security considerations.
> > >> I suppose one could argue that facebook's (or pick your poison) user
> > >> population shows nobody cares about that, but I think it would still
> > >> be good to have some observations about those effects.
> > >>
> > >> Best,
> > >>
> > >> A
> > >>
> > >> --
> > >> Andrew Sullivan
> > >> ajs@anvilwalrusden.com
> > >> _______________________________________________
> > >> apps-discuss mailing list
> > >> apps-discuss@ietf.org
> > >> https://www.ietf.org/mailman/listinfo/apps-discuss
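To make James Snell's tiered-disclosure suggestion concrete, here is an added example (not code from this thread or from the WebFinger draft) of a resolver that returns only static public links to anonymous requesters and adds the dynamic "pres:" link Bob proposes only when the requester presents a valid scoped token; the HMAC token, the ACCOUNTS data, the rel URIs and the names issue_token/scope_for/webfinger are all constructed stand-ins for an OAuth 2 bearer token and a real account store.

```python
# Added example: a WebFinger handler that tiers its JRD response by requester
# authentication. Anonymous callers see only static public links; a caller
# with a valid token carrying the "presence" scope also gets the dynamic
# "pres:" link, so presence/location data is never served to the world.
import hmac
import hashlib
from urllib.parse import urlsplit, parse_qs

SECRET = b"constructed-demo-secret"  # hypothetical token-signing key

# Constructed account data: a static public profile plus a dynamic presence URI
ACCOUNTS = {
    "acct:alice@example.com": {
        "public": [{"rel": "http://webfinger.net/rel/profile-page",
                    "href": "https://example.com/alice"}],
        "presence": [{"rel": "http://example.com/rel/presence",  # hypothetical rel
                      "href": "pres:alice@example.com"}],
    }
}

def issue_token(requester, scope):
    """Mint a demo token 'requester|scope|mac' (stand-in for an OAuth 2 bearer token)."""
    payload = f"{requester}|{scope}"
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"

def scope_for(token):
    """Return the scope granted by a valid token, or None if it is missing or forged."""
    if not token:
        return None
    try:
        requester, scope, mac = token.split("|")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{requester}|{scope}".encode(), hashlib.sha256).hexdigest()
    # constant-time comparison so a forged MAC cannot be guessed byte by byte
    return scope if hmac.compare_digest(mac, expected) else None

def webfinger(request_url, bearer_token=None):
    """Handle GET /.well-known/webfinger?resource=...; returns (status, JRD dict or None)."""
    params = parse_qs(urlsplit(request_url).query)
    resource = params.get("resource", [None])[0]
    account = ACCOUNTS.get(resource)
    if account is None:
        return 404, None  # same answer whether or not the caller is authenticated
    links = list(account["public"])
    if scope_for(bearer_token) == "presence":
        links += account["presence"]  # dynamic info only for an authorised requester
    return 200, {"subject": resource, "links": links}
```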