Re: [apps-discuss] AppsDir Review of draft-ietf-appsawg-webfinger-11

Dave Cridland <dave@cridland.net> Fri, 22 March 2013 16:53 UTC


On Fri, Mar 22, 2013 at 3:16 PM, Paul E. Jones <paulej@packetizer.com> wrote:

>  Dave,
>
>
> On 3/22/2013 5:32 AM, Dave Cridland wrote:
>
>  >>> RFC 5988 also allows URIs with fragments, but WebFinger does not.
>
> Your current draft makes no restriction on whether a Link Relation Type
> may have a fragment or not. It stipulates an absolute URI, which in RFC
> 3986 may have a fragment; therefore this restriction is not in the draft as
> written. Neither is it in RFC 5988; however if you do intend adding this
> restriction then this represents a deviation.
>
>
> The WF spec says link relation types MUST be either absolute URIs or
> a registered relation type.  Per RFC 3986, absolute URIs do not
> have fragments (See Section 4.3).  RFC 5988 also requires use of absolute
> URIs when used in Link Headers.  Perhaps the intent was to always require
> absolute URIs?  I don't know, since the text limits the statement to "Link
> Headers".  WebFinger wants the same restriction, so we inserted an explicit
> statement.
>
>
Ah, there's my error, then - I'd made the mistake of assuming "absolute"
meant the same as "not relative".

I still think that first sentence might be reworded, but it's good enough
as is.

> My issue here is not a matter of the good things that might reasonably
> happen from careful use of simple URIs with arbitrary schemes; my concern
> is that there may be bad things with odd cases and there's no evidence that
> these have been thought through.
>
>
> Nothing "bad" can happen.
>

Oh, well that's OK, then. :-)

> At the very least, I'd suggest that you add a security consideration
>
>
> What should we add?  I'm not seeing any new or different security issues
> arising from use of any particular URI scheme.  Every URI returns either a
> JRD or it does not.  What would be different with mailto, http, sip, tel,
> gopher, or any other scheme?
>

sip, simple mailto, acct, xmpp, and so on - those URIs which refer
explicitly to an individual - are, I think, adequately considered in the
specification.

http seems to be considered only when referring to a person. However, in
general http resources can have links anyway, so I'm not concerned about
these - however I'm not sure that the fragment identifier needs to be sent.

I'm entirely willing to believe you've considered these considerably more
than that, however there's no evidence of it in the specification as
written.

I've spent very little time considering what might happen (beyond a 404)
with arbitrary URI schemes. Should a client ever send a file: URI, for
example? I'm not concerned with what information in the JRD it might be
expecting, or whether or not the WF server understands it, but what
information transfer has occurred and whether this is safe and can
reasonably be expected to be interoperable.

For example, I'd expect a sensible WF client to only ever send a simple
mailto:local-part@domain URI to a server, and if the initial input was one
of the deliciously complex forms, to strip away the header fields and body
and extract (if needed) the To field value. I have no clue what a WF server
might usefully do with a subject line, mind, whether it's malicious or not
- I just think it doesn't need to have it.

I'd suggest simply stating that the security considerations and protocol
are scoped to consider only URIs identifying an individual entity, (perhaps
give some simple examples), and that use beyond that may involve further
security considerations. Then everyone's happy.

Dave.
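
The client-side reduction described in the message above (send only a simple mailto:local-part@domain, leave the fragment off http URIs), as an added example that is not part of the original message or of the WebFinger draft. The function names, the scheme lists and the refusal of every other scheme (file: included) are assumptions made for illustration.

```python
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Assumed client policy (not from the draft): schemes naming an individual.
PERSON_SCHEMES = {"acct", "sip", "xmpp"}


def _single_mailbox(rest: str) -> str:
    """Return the one addr-spec named by a mailto URI, dropping all else."""
    path, _, query = rest.split("#", 1)[0].partition("?")
    addrs = [a for a in path.split(",") if a]
    for field in query.split("&"):
        name, _, value = field.partition("=")
        # Only "to" names a recipient; subject, body, cc, bcc are discarded.
        if unquote(name).lower() == "to":
            addrs += [a for a in value.split(",") if a]
    # Split on literal commas before decoding, so %2C stays inside an address.
    addrs = [unquote(a).strip() for a in addrs]
    if len(addrs) != 1:
        raise ValueError("need exactly one mailbox to query")
    local, at, domain = addrs[0].rpartition("@")
    if not (local and at and domain):
        raise ValueError("not a local-part@domain address")
    return quote(local, safe="+") + "@" + domain.lower()


def minimal_resource(uri: str) -> str:
    """Reduce a user-supplied URI to the least a WebFinger query needs."""
    scheme, sep, rest = uri.partition(":")
    scheme = scheme.lower()
    if not sep or not rest:
        raise ValueError("not an absolute URI")
    if scheme == "mailto":
        return "mailto:" + _single_mailbox(rest)
    if scheme in ("http", "https"):
        # The fragment is client-side state; the server has no use for it.
        return urlunsplit(urlsplit(uri)._replace(fragment=""))
    if scheme in PERSON_SCHEMES:
        # Keep the identifier, drop any header/query part and fragment.
        return uri.split("#", 1)[0].split("?", 1)[0]
    raise ValueError(f"refusing to send a {scheme}: URI to a remote server")


if __name__ == "__main__":
    # Constructed sample inputs.
    for u in ("mailto:bob@example.com?subject=hi&body=private%20note",
              "mailto:?to=bob%40example.com&cc=eve@example.org",
              "https://example.com/~bob#me"):
        print(u, "->", minimal_resource(u))
```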