Re: [apps-discuss] Webfinger discussion
"Paul E. Jones" <paulej@packetizer.com> Wed, 28 March 2012 21:49 UTC
Return-Path: <paulej@packetizer.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8750621E8097 for <apps-discuss@ietfa.amsl.com>; Wed, 28 Mar 2012 14:49:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.492
X-Spam-Level:
X-Spam-Status: No, score=-2.492 tagged_above=-999 required=5 tests=[AWL=0.107, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WZDiHToMubs9 for <apps-discuss@ietfa.amsl.com>; Wed, 28 Mar 2012 14:49:32 -0700 (PDT)
Received: from dublin.packetizer.com (dublin.packetizer.com [75.101.130.125]) by ietfa.amsl.com (Postfix) with ESMTP id 8051B21E801E for <apps-discuss@ietf.org>; Wed, 28 Mar 2012 14:49:32 -0700 (PDT)
Received: from sydney (rrcs-98-101-148-48.midsouth.biz.rr.com [98.101.148.48]) (authenticated bits=0) by dublin.packetizer.com (8.14.5/8.14.5) with ESMTP id q2SLnSg6029133 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 28 Mar 2012 17:49:29 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=packetizer.com; s=dublin; t=1332971369; bh=0TlalVdtAu7aBdUkkc/amxw0T+TwlvIRrGCk4+Vbgac=; h=From:To:Cc:References:In-Reply-To:Subject:Date:Message-ID: MIME-Version:Content-Type:Content-Transfer-Encoding; b=tV7RAqtFN/4jKeEoaQDm9F8y+9Wc4k9OsJq8o/vgFhKb9prdXTKta9lJrKlEmbogi H2amD5V20lAyc38DDsYp0caccpqftissE7/1jr/cVlx/n2p57SNCN9BvIS9KBwUNxB fyLD0oD6eWrUIDUA9OcvbFFHRtqNLfO6SsyGYL1o=
From: "Paul E. Jones" <paulej@packetizer.com>
To: 'James M Snell' <jasnell@gmail.com>
References: <053201cd0b5d$c08c80f0$41a582d0$@packetizer.com> <20120326150556.GC3557@mail.yitter.info> <CAA1s49V0M7N1pLua+ORxGWmsrd_yAA_KQ0Piqjg8VuWJ5=G+Lg@mail.gmail.com> <20120327084709.GB11491@mail.yitter.info> <00ac01cd0c34$cfc96f10$6f5c4d30$@packetizer.com> <CABP7RbdtMYtqgV=NepJMNintjF9hb4h6wv2ttc5bDVqE=yAvPA@mail.gmail.com> <00d201cd0c3a$b3672410$1a356c30$@packetizer.com> <CABP7Rbdcb_xTjLv+Y8brzvhuNiae0pOJKm-9qhHrQMg+xUYPVw@mail.gmail.com>
In-Reply-To: <CABP7Rbdcb_xTjLv+Y8brzvhuNiae0pOJKm-9qhHrQMg+xUYPVw@mail.gmail.com>
Date: Wed, 28 Mar 2012 17:49:34 -0400
Message-ID: <023901cd0d2c$aa665e10$ff331a30$@packetizer.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQEg174HJISLlkWDD0VVkXSpmVuZQwKMareXAWwgTx8BwaaRJQGG5wouAU3B5AYBuFTkWgIDrH2Cl3ZNHSA=
Content-Language: en-us
Cc: apps-discuss@ietf.org
Subject: Re: [apps-discuss] Webfinger discussion
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Mar 2012 21:49:33 -0000
James, I really like this idea. It makes an attempt to short-cut some of the procedures, very much in line with what the "resource" parameter does in Section 4.2 of the Webfinger draft. I don't have a particular love for the using MD5, preferring something like this: GET /.well-known/webfinger?resource=acct%3Abob%40example.com&rel=blog HTTP/1.1 Since any reply might have multiple links, then the 204 reply including links would likely be necessary. Using 302 would not be right, since that has a different meaning: the client would go to Location trying to resolve the original request. A 204 with any number of Link headers would be good. Using the resource parameter means we make a query and get a JRD or XRD document. What we cannot do is query for one specific type of content. Changing Webfinger so drastically is a challenge since Webfinger builds on RFC 6415. But, I do like the idea of querying for a very specific value like this: GET /.well-known/host-meta.json?resource=acct%3Abob%40example.com&rel=blog HTTP/1.1 Perhaps this might return a reply like this: HTTP/1.1 204 No Content Link: <http://blogs.example.org/bob/>; rel="blog" A challenge with this, though, is that it means the application has to deal with two different formats. Either JRD/XRD or an HTTP header with Links. We could introduce this and make it mandatory if the resource parameter is supported. However, would it make the client-side code simpler? Support for the "resource" parameter is already optional. (We could make it mandatory, but I did get pushback on that.) Paul > -----Original Message----- > From: James M Snell [mailto:jasnell@gmail.com] > Sent: Tuesday, March 27, 2012 2:19 PM > To: Paul E. Jones > Cc: Andrew Sullivan; apps-discuss@ietf.org > Subject: Re: [apps-discuss] Webfinger discussion > > They are rather technical in nature and speak to the overall operation of > the protocol. I've written up a detailed version of my feedback here [1] > > [1] http://chmod777self.blogspot.com/2012/03/thoughts-on-webfinger.html > > The summary version is this: I believe we can make this even simpler > without sacrificing basic operation by saying simply: > > If I want to know about user "bob@example.org", send a GET request to: > http://example.org/.well-known/finger/{md5(acct:bob@example.org)} and > see what I get back. > > The requirement to use XRD/JRD and first look up information about the > LRDD service in host-meta is quite unnecessary. Also note that the ID is > hashed in the request URI for privacy/security purposes... > > We can expand on that basic idea further to say: > > If I want to know if "bob@example.org" has a "blog" and where it is > located, > I could simply send a request to: > http://example.org/.well- > known/finger/f49c533fa0f0bc7ee9cc8c88902302ba/blog > > and the server can respond with a redirect to the proper location: > > HTTP/1.1 302 Found > Location: http://blogs.example.org/bob > > The "/blog" portion of the request URI specifies a Link rel... if I want > to discover some other type of service... say, the users profile or > avatar, I simply link the different rel attribute value there.. > e.g. > > http://example.org/.well- > known/finger/f49c533fa0f0bc7ee9cc8c88902302ba/avatar > http://example.org/.well- > known/finger/f49c533fa0f0bc7ee9cc8c88902302ba/profile > > If there are multiple links for a particular rel, the server can respond > with a 300 Multiple Options response. > > The point is that requiring XRD/JRD isn't actually necessary, and > requiring the initial host metadata step isn't required also. > > Requiring CORS is also isn't necessary. > > Anyway, that's the basic rundown. > > - James > > On Tue, Mar 27, 2012 at 9:57 AM, Paul E. Jones <paulej@packetizer.com> > wrote: > > James, > > > > If the other items are editorial, perhaps just direct them to me. If > they are items that others might want to weigh in on, then this list is > the appropriate venue. > > > > Paul > > > >> -----Original Message----- > >> From: James M Snell [mailto:jasnell@gmail.com] > >> Sent: Tuesday, March 27, 2012 12:39 PM > >> To: Paul E. Jones > >> Cc: Andrew Sullivan; apps-discuss@ietf.org > >> Subject: Re: [apps-discuss] Webfinger discussion > >> > >> To be fair, there are ways of dealing with the potential for security > >> leaks of this nature with WebFinger that did not really exist with > >> the original Finger protocol. OAuth 2, for instance. A WebFinger > >> endpoint could choose to serve up only the most basic static > >> information to unauthenticated requesters, but then provide a means > >> for a requester to authenticate and request permission from the > >> target user or provider to acquire additional information as part of > the response. > >> > >> On a side note to Paul: I did have some additional general comments > >> on the WebFinger spec itself, I wanted to ask where such comments > >> would be best directed for discussion. > >> > >> - James > >> > >> On Tue, Mar 27, 2012 at 9:15 AM, Paul E. Jones > >> <paulej@packetizer.com> > >> wrote: > >> > I agree it would be useful to add text about sharing information > >> > that might be dynamic in nature (e.g., current user location). > >> > > >> > We'll add text along those lines to the next draft. Any other > >> > security considerations we should note? > >> > > >> > Paul > >> > > >> >> -----Original Message----- > >> >> From: apps-discuss-bounces@ietf.org > >> >> [mailto:apps-discuss-bounces@ietf.org] > >> >> On Behalf Of Andrew Sullivan > >> >> Sent: Tuesday, March 27, 2012 4:47 AM > >> >> To: apps-discuss@ietf.org > >> >> Subject: Re: [apps-discuss] Webfinger discussion > >> >> > >> >> On Mon, Mar 26, 2012 at 02:31:30PM -0400, Bob Wyman wrote: > >> >> > >> >> > un-recommended!). If people did, in fact, use WebFinger to > >> >> > record such stuff, the concerns you mentioned would be relevant. > >> >> > Thus, it might make sense for the Security Considerations > >> >> > section to suggest that one should think carefully before using > >> >> > WebFinger to provide such dynamic > >> >> information. > >> >> > >> >> Right, that's most of what I was trying to say. I do have a > >> >> concern that collecting a bunch of different information about a > >> >> given person and linking it together in a single, easy to access > >> >> repository has some potential security side effects (not just > >> >> privacy ones, but those too, of > >> >> course) that are not clearly highlighted in the security > >> considerations. > >> >> I suppose one could argue that facebook's (or pick your poison) > >> >> user population shows nobody cares about that, but I think it > >> >> would still be good to have some observations about those effects. > >> >> > >> >> Best, > >> >> > >> >> A > >> >> > >> >> -- > >> >> Andrew Sullivan > >> >> ajs@anvilwalrusden.com > >> >> _______________________________________________ > >> >> apps-discuss mailing list > >> >> apps-discuss@ietf.org > >> >> https://www.ietf.org/mailman/listinfo/apps-discuss > >> > > >> > _______________________________________________ > >> > apps-discuss mailing list > >> > apps-discuss@ietf.org > >> > https://www.ietf.org/mailman/listinfo/apps-discuss > >
- Re: [apps-discuss] Webfinger discussion Paul E. Jones
- Re: [apps-discuss] Webfinger discussion Andrew Sullivan
- [apps-discuss] Webfinger discussion Paul E. Jones
- Re: [apps-discuss] Webfinger discussion Bob Wyman
- Re: [apps-discuss] Webfinger discussion Peter Saint-Andre
- Re: [apps-discuss] Webfinger discussion Andrew Sullivan
- Re: [apps-discuss] Webfinger discussion John C Klensin
- Re: [apps-discuss] Webfinger discussion Paul E. Jones
- Re: [apps-discuss] Webfinger discussion James M Snell
- Re: [apps-discuss] Webfinger discussion Paul E. Jones
- Re: [apps-discuss] Webfinger discussion Bob Wyman
- Re: [apps-discuss] Webfinger discussion Bob Wyman
- Re: [apps-discuss] Webfinger discussion Paul E. Jones
- Re: [apps-discuss] Webfinger discussion Bob Wyman
- Re: [apps-discuss] Webfinger discussion James M Snell
- Re: [apps-discuss] Webfinger discussion 'Andrew Sullivan'
- Re: [apps-discuss] Webfinger discussion Bob Wyman
- Re: [apps-discuss] Webfinger discussion SM
- [apps-discuss] R: Webfinger discussion Goix Laurent Walter
- Re: [apps-discuss] Webfinger discussion John C Klensin
- [apps-discuss] What auth server supplies email ad… Alessandro Vesely
- Re: [apps-discuss] R: Webfinger discussion Bob Wyman
- [apps-discuss] R: R: Webfinger discussion Goix Laurent Walter
- Re: [apps-discuss] R: Webfinger discussion Bob Wyman
- Re: [apps-discuss] Webfinger discussion Paul E. Jones
- Re: [apps-discuss] Webfinger discussion Paul E. Jones
- Re: [apps-discuss] Webfinger discussion Paul E. Jones
- Re: [apps-discuss] What auth server supplies emai… Paul E. Jones
- Re: [apps-discuss] What auth server supplies emai… Alessandro Vesely
- Re: [apps-discuss] Webfinger discussion Eran Hammer
- Re: [apps-discuss] What auth server supplies emai… Alessandro Vesely
- Re: [apps-discuss] What auth server supplies emai… Paul E. Jones
- Re: [apps-discuss] What auth server supplies emai… Alessandro Vesely
- Re: [apps-discuss] What auth server supplies emai… Paul E. Jones
- Re: [apps-discuss] What auth server supplies emai… Alessandro Vesely