Re: [apps-discuss] Webfinger discussion
James M Snell <jasnell@gmail.com> Tue, 27 March 2012 18:19 UTC
In-Reply-To: <00d201cd0c3a$b3672410$1a356c30$@packetizer.com>
References: <053201cd0b5d$c08c80f0$41a582d0$@packetizer.com> <20120326150556.GC3557@mail.yitter.info> <CAA1s49V0M7N1pLua+ORxGWmsrd_yAA_KQ0Piqjg8VuWJ5=G+Lg@mail.gmail.com> <20120327084709.GB11491@mail.yitter.info> <00ac01cd0c34$cfc96f10$6f5c4d30$@packetizer.com> <CABP7RbdtMYtqgV=NepJMNintjF9hb4h6wv2ttc5bDVqE=yAvPA@mail.gmail.com> <00d201cd0c3a$b3672410$1a356c30$@packetizer.com>
From: James M Snell <jasnell@gmail.com>
Date: Tue, 27 Mar 2012 11:18:43 -0700
Message-ID: <CABP7Rbdcb_xTjLv+Y8brzvhuNiae0pOJKm-9qhHrQMg+xUYPVw@mail.gmail.com>
To: "Paul E. Jones" <paulej@packetizer.com>
Cc: apps-discuss@ietf.org
Subject: Re: [apps-discuss] Webfinger discussion
They are rather technical in nature and speak to the overall operation of the protocol. I've written up a detailed version of my feedback here [1].

[1] http://chmod777self.blogspot.com/2012/03/thoughts-on-webfinger.html

The summary version is this: I believe we can make this even simpler without sacrificing basic operation by saying simply: If I want to know about user "bob@example.org", send a GET request to:

  http://example.org/.well-known/finger/{md5(acct:bob@example.org)}

and see what I get back. The requirement to use XRD/JRD and first look up information about the LRDD service in host-meta is quite unnecessary. Also note that the ID is hashed in the request URI for privacy/security purposes...

We can expand on that basic idea further to say: If I want to know if "bob@example.org" has a "blog" and where it is located, I could simply send a request to:

  http://example.org/.well-known/finger/f49c533fa0f0bc7ee9cc8c88902302ba/blog

and the server can respond with a redirect to the proper location:

  HTTP/1.1 302 Found
  Location: http://blogs.example.org/bob

The "/blog" portion of the request URI specifies a Link rel... if I want to discover some other type of service... say, the user's profile or avatar, I simply link the different rel attribute value there.. e.g.

  http://example.org/.well-known/finger/f49c533fa0f0bc7ee9cc8c88902302ba/avatar
  http://example.org/.well-known/finger/f49c533fa0f0bc7ee9cc8c88902302ba/profile

If there are multiple links for a particular rel, the server can respond with a 300 Multiple Options response.

The point is that requiring XRD/JRD isn't actually necessary, and requiring the initial host metadata step isn't required either. Requiring CORS also isn't necessary.

Anyway, that's the basic rundown.

- James

On Tue, Mar 27, 2012 at 9:57 AM, Paul E. Jones <paulej@packetizer.com> wrote:
> James,
>
> If the other items are editorial, perhaps just direct them to me.
> If they are items that others might want to weigh in on, then this list is the appropriate venue.
>
> Paul
>
>> -----Original Message-----
>> From: James M Snell [mailto:jasnell@gmail.com]
>> Sent: Tuesday, March 27, 2012 12:39 PM
>> To: Paul E. Jones
>> Cc: Andrew Sullivan; apps-discuss@ietf.org
>> Subject: Re: [apps-discuss] Webfinger discussion
>>
>> To be fair, there are ways of dealing with the potential for security
>> leaks of this nature with WebFinger that did not really exist with the
>> original Finger protocol. OAuth 2, for instance. A WebFinger endpoint
>> could choose to serve up only the most basic static information to
>> unauthenticated requesters, but then provide a means for a requester to
>> authenticate and request permission from the target user or provider to
>> acquire additional information as part of the response.
>>
>> On a side note to Paul: I did have some additional general comments on the
>> WebFinger spec itself. I wanted to ask where such comments would be best
>> directed for discussion.
>>
>> - James
>>
>> On Tue, Mar 27, 2012 at 9:15 AM, Paul E. Jones <paulej@packetizer.com> wrote:
>> > I agree it would be useful to add text about sharing information that
>> > might be dynamic in nature (e.g., current user location).
>> >
>> > We'll add text along those lines to the next draft. Any other
>> > security considerations we should note?
>> >
>> > Paul
>> >
>> >> -----Original Message-----
>> >> From: apps-discuss-bounces@ietf.org [mailto:apps-discuss-bounces@ietf.org]
>> >> On Behalf Of Andrew Sullivan
>> >> Sent: Tuesday, March 27, 2012 4:47 AM
>> >> To: apps-discuss@ietf.org
>> >> Subject: Re: [apps-discuss] Webfinger discussion
>> >>
>> >> On Mon, Mar 26, 2012 at 02:31:30PM -0400, Bob Wyman wrote:
>> >>
>> >> > un-recommended!). If people did, in fact, use WebFinger to record
>> >> > such stuff, the concerns you mentioned would be relevant. Thus, it
>> >> > might make sense for the Security Considerations section to suggest
>> >> > that one should think carefully before using WebFinger to provide
>> >> > such dynamic information.
>> >>
>> >> Right, that's most of what I was trying to say. I do have a concern
>> >> that collecting a bunch of different information about a given person
>> >> and linking it together in a single, easy to access repository has
>> >> some potential security side effects (not just privacy ones, but
>> >> those too, of course) that are not clearly highlighted in the security
>> >> considerations. I suppose one could argue that facebook's (or pick your
>> >> poison) user population shows nobody cares about that, but I think it
>> >> would still be good to have some observations about those effects.
>> >>
>> >> Best,
>> >>
>> >> A
>> >>
>> >> --
>> >> Andrew Sullivan
>> >> ajs@anvilwalrusden.com
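The request layout James sketches above (hashed acct: URI as a path segment, rel as a trailing segment, 302 for one link, 300 for several), written out as runnable client and server stubs. This is an added example for this archive page, not code from the message, from any WebFinger draft, or from the blog post it links; the link table, the hostnames and the JSON shape of the unscoped response are assumptions, and the only thing the message fixes is the path layout and the status codes. The last function is the caveat a reviewer would raise about "hashed for privacy": an MD5 of a guessable address is reversed by hashing candidate addresses, so it hides the target only from someone who has no list of candidates.

```python
"""Sketch of the simplified WebFinger request flow proposed in the message.

Added example; not the message's or any draft's code. Link table, hosts and
the JSON bodies are constructed assumptions for the demonstration.
"""
import hashlib
import json
from typing import Dict, Iterable, List, Optional, Tuple

WELL_KNOWN = "/.well-known/finger/"

# Constructed sample data (assumption): one account with three link relations.
LINKS: Dict[str, Dict[str, List[str]]] = {
    "acct:bob@example.org": {
        "blog": ["http://blogs.example.org/bob"],
        "avatar": ["http://example.org/bob/avatar.png"],
        "profile": ["http://example.org/~bob", "http://social.example.org/bob"],
    },
}


def finger_id(acct_uri: str) -> str:
    """Hex MD5 of the full acct: URI; this is the path segment the client sends."""
    return hashlib.md5(acct_uri.encode("utf-8")).hexdigest()


# Server-side index keyed by digest, so the request never carries the raw
# address. See reverse_digest() for why that is not a privacy control.
INDEX = {finger_id(acct): rels for acct, rels in LINKS.items()}


def request_path(acct_uri: str, rel: Optional[str] = None) -> str:
    """Client side: build the request path for an account and an optional rel."""
    path = WELL_KNOWN + finger_id(acct_uri)
    return path + "/" + rel if rel else path


def handle(path: str) -> Tuple[int, Dict[str, str], str]:
    """Server side: map a request path to (status, headers, body).

    No rel            -> 200 with a JSON list of the rels available.
    Rel, one target   -> 302 with Location, as in the message.
    Rel, many targets -> 300 with a JSON list of the candidate URLs.
    Anything else     -> 404.
    """
    if not path.startswith(WELL_KNOWN):
        return 404, {}, ""
    parts = path[len(WELL_KNOWN):].split("/", 1)
    rels = INDEX.get(parts[0])
    if rels is None:
        return 404, {}, ""
    if len(parts) == 1 or not parts[1]:
        return 200, {"Content-Type": "application/json"}, json.dumps(sorted(rels))
    targets = rels.get(parts[1])
    if not targets:
        return 404, {}, ""
    if len(targets) == 1:
        return 302, {"Location": targets[0]}, ""
    return 300, {"Content-Type": "application/json"}, json.dumps(targets)


def reverse_digest(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Caveat: recover the account behind a digest from a candidate list.

    Anyone who can guess or enumerate addresses (a directory, a leaked list,
    "firstname.lastname@example.org") does exactly this, so the hash only
    keeps the address out of logs, not away from an interested party.
    """
    for acct in candidates:
        if finger_id(acct) == digest:
            return acct
    return None


if __name__ == "__main__":
    for rel in (None, "blog", "profile", "chat"):
        p = request_path("acct:bob@example.org", rel)
        print(p, "->", handle(p))
    print(reverse_digest(finger_id("acct:bob@example.org"),
                         ["acct:alice@example.org", "acct:bob@example.org"]))
```

Running the block prints the four request paths with their 200/302/300/404 results, then shows the digest being mapped back to bob's address from a two-entry candidate list. If the unhashed address is the thing to protect, the message's later suggestion (serve only static data anonymously, gate the rest behind OAuth 2) does more than the hash.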