IETF Logo Mail Archive

Re: [apps-discuss] Webfinger discussion

Bob Wyman <bob@wyman.us> Tue, 27 March 2012 18:13 UTC

Return-Path: <bobwyman@gmail.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D575A21F87D7 for <apps-discuss@ietfa.amsl.com>; Tue, 27 Mar 2012 11:13:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.552
X-Spam-Level:
X-Spam-Status: No, score=-2.552 tagged_above=-999 required=5 tests=[AWL=0.424, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rDtcA0+9jpHM for <apps-discuss@ietfa.amsl.com>; Tue, 27 Mar 2012 11:13:14 -0700 (PDT)
Received: from mail-qa0-f51.google.com (mail-qa0-f51.google.com [209.85.216.51]) by ietfa.amsl.com (Postfix) with ESMTP id A9F8421F87D6 for <apps-discuss@ietf.org>; Tue, 27 Mar 2012 11:13:14 -0700 (PDT)
Received: by qaea16 with SMTP id a16so320157qae.10 for <apps-discuss@ietf.org>; Tue, 27 Mar 2012 11:13:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=VEDHtSy5caLf8IdTNVtdEhZTpEVdrBkWNVnc5OCB92A=; b=itpi6q8gsYVBfkIHEBu6ERs/fRlou+S0PxTY1IiYZ7MmU+ybaMjNOmNvp3cc3txRQr Dme1PbDnJVvkSilz8CqmZwF+vE2C+uhOkIfIErLnkVfHnq3DKdLIT0PFQcCtPJoc/jvR 8pPbnU/3QPap7uSuGBfrCXV3QaBhruFsrkB9mdiFAQhGzBt5VgveFV9uX+KobBIPUpd8 Otv4HAltwr1LQo74Q4340wKk31BnsR/Gwn7gcCMp9Bis+XHHdNp/pY+/u82Hp2HmAVA8 K9P/mLq7Rm+M224yUb2EpdyLb/HPA+fyN2n/Zy08P9WJ4bfP5uT13iExUQnTnA/GqYMG Tjrg==
MIME-Version: 1.0
Received: by 10.224.73.12 with SMTP id o12mr33681949qaj.98.1332871992067; Tue, 27 Mar 2012 11:13:12 -0700 (PDT)
Sender: bobwyman@gmail.com
Received: by 10.229.157.16 with HTTP; Tue, 27 Mar 2012 11:13:12 -0700 (PDT)
In-Reply-To: <00f701cd0c44$48cb87e0$da6297a0$@packetizer.com>
References: <053201cd0b5d$c08c80f0$41a582d0$@packetizer.com> <20120326150556.GC3557@mail.yitter.info> <CAA1s49V0M7N1pLua+ORxGWmsrd_yAA_KQ0Piqjg8VuWJ5=G+Lg@mail.gmail.com> <20120327084709.GB11491@mail.yitter.info> <00ac01cd0c34$cfc96f10$6f5c4d30$@packetizer.com> <CABP7RbdtMYtqgV=NepJMNintjF9hb4h6wv2ttc5bDVqE=yAvPA@mail.gmail.com> <00d201cd0c3a$b3672410$1a356c30$@packetizer.com> <CAA1s49W4aRxwEygedk2FEg3KX3vK57yJTadOaqQZbCpcMvTYtA@mail.gmail.com> <00f701cd0c44$48cb87e0$da6297a0$@packetizer.com>
Date: Tue, 27 Mar 2012 14:13:12 -0400
X-Google-Sender-Auth: YxuNvWctKXp-11bVr6aHQSiArMk
Message-ID: <CAA1s49Urtu76BQU7SbJ0PLZ6A44H3HnSE5tjtgMewzsG7T7Lrg@mail.gmail.com>
From: Bob Wyman <bob@wyman.us>
To: "Paul E. Jones" <paulej@packetizer.com>
Content-Type: multipart/alternative; boundary="20cf3074b5a29e461704bc3d712a"
Cc: apps-discuss@ietf.org
Subject: Re: [apps-discuss] Webfinger discussion
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Mar 2012 18:13:16 -0000

im: and pres: were defined as protocol independent URI's in order to make
things simpler than having to work with XMPP, SIP, and potentially even
APEX, etc. as alternative presence or messaging protocols. But, yeah...
nobody seems to use the stuff. The fact remains that messaging and presence
are still distinct services. So, perhaps an xmpp: URI tagged as both
"instant-messaging" and "presence" would make more sense.

bob wyman

On Tue, Mar 27, 2012 at 2:06 PM, Paul E. Jones <paulej@packetizer.com>wrote:

> Bob,****
>
> ** **
>
> Is “pres:” being used in practice?  Does it refer to SIP or XMPP or other
> presence protocol?****
>
> ** **
>
> I’ll note that adding this one might incite additional concerns for
> privacy.  I assume that whatever protocol to which pres: refers (which is
> unclear to me) would handle the authorization aspects.  But, I’m left
> wondering… if one knows a person’s SIP or XMPP URI, why would one need
> pres:?****
>
> ** **
>
> Paul****
>
> ** **
>
> *From:* bobwyman@gmail.com [mailto:bobwyman@gmail.com] *On Behalf Of *Bob
> Wyman
> *Sent:* Tuesday, March 27, 2012 1:18 PM
> *To:* Paul E. Jones
> *Cc:* apps-discuss@ietf.org
>
> *Subject:* Re: [apps-discuss] Webfinger discussion****
>
> ** **
>
> Paul,****
>
> Examples are very powerful means of setting expectations for usage of
> standards... So, perhaps it would be useful to include in the examples a
> pointer to a user's "pres:" URI, defined by RFC3859 "Common Profile for
> Presence", as the endpoint that should be used to obtain "presence"
> information. ****
>
> ** **
>
> bob wyman****
>
> ** **
>
> On Tue, Mar 27, 2012 at 12:57 PM, Paul E. Jones <paulej@packetizer.com>
> wrote:****
>
> James,
>
> If the other items are editorial, perhaps just direct them to me.  If they
> are items that others might want to weigh in on, then this list is the
> appropriate venue.
>
> Paul****
>
>
> > -----Original Message-----
> > From: James M Snell [mailto:jasnell@gmail.com]
> > Sent: Tuesday, March 27, 2012 12:39 PM
> > To: Paul E. Jones
> > Cc: Andrew Sullivan; apps-discuss@ietf.org
> > Subject: Re: [apps-discuss] Webfinger discussion
> >
> > To be fair, there are ways of dealing with the potential for security
> > leaks of this nature with WebFinger that did not really exist with the
> > original Finger protocol. OAuth 2, for instance. A WebFinger endpoint
> > could choose to serve up only the most basic static information to
> > unauthenticated requesters, but then provide a means for a requester to
> > authenticate and request permission from the target user or provider to
> > acquire additional information as part of the response.
> >
> > On a side note to Paul: I did have some additional general comments on
> the
> > WebFinger spec itself, I wanted to ask where such comments would be best
> > directed for discussion.
> >
> > - James
> >
> > On Tue, Mar 27, 2012 at 9:15 AM, Paul E. Jones <paulej@packetizer.com>
> > wrote:
> > > I agree it would be useful to add text about sharing information that
> > > might be dynamic in nature (e.g., current user location).
> > >
> > > We'll add text along those lines to the next draft.  Any other
> > > security considerations we should note?
> > >
> > > Paul
> > >
> > >> -----Original Message-----
> > >> From: apps-discuss-bounces@ietf.org
> > >> [mailto:apps-discuss-bounces@ietf.org]
> > >> On Behalf Of Andrew Sullivan
> > >> Sent: Tuesday, March 27, 2012 4:47 AM
> > >> To: apps-discuss@ietf.org
> > >> Subject: Re: [apps-discuss] Webfinger discussion
> > >>
> > >> On Mon, Mar 26, 2012 at 02:31:30PM -0400, Bob Wyman wrote:
> > >>
> > >> > un-recommended!). If people did, in fact, use WebFinger to record
> > >> > such stuff, the concerns you mentioned would be relevant. Thus, it
> > >> > might make sense for the Security Considerations section to suggest
> > >> > that one should think carefully before using WebFinger to provide
> > >> > such dynamic
> > >> information.
> > >>
> > >> Right, that's most of what I was trying to say.  I do have a concern
> > >> that collecting a bunch of different information about a given person
> > >> and linking it together in a single, easy to access repository has
> > >> some potential security side effects (not just privacy ones, but
> > >> those too, of
> > >> course) that are not clearly highlighted in the security
> > considerations.
> > >> I suppose one could argue that facebook's (or pick your poison) user
> > >> population shows nobody cares about that, but I think it would still
> > >> be good to have some observations about those effects.
> > >>
> > >> Best,
> > >>
> > >> A
> > >>
> > >> --
> > >> Andrew Sullivan
> > >> ajs@anvilwalrusden.com
> > >> _______________________________________________
> > >> apps-discuss mailing list
> > >> apps-discuss@ietf.org
> > >> https://www.ietf.org/mailman/listinfo/apps-discuss
> > >
> > > _______________________________________________
> > > apps-discuss mailing list
> > > apps-discuss@ietf.org
> > > https://www.ietf.org/mailman/listinfo/apps-discuss
>
> _______________________________________________
> apps-discuss mailing list
> apps-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/apps-discuss****
>
> ** **
>

v2.23.0 | Report a Bug | By Email