[apps-discuss] What auth server supplies email addresses? Was webfinger discussion

Alessandro Vesely <vesely@tana.it> Wed, 28 March 2012 11:28 UTC

Message-ID: <4F72F5C0.70106@tana.it>
Date: Wed, 28 Mar 2012 13:28:00 +0200
From: Alessandro Vesely <vesely@tana.it>
User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:11.0) Gecko/20120312 Thunderbird/11.0
MIME-Version: 1.0
To: apps-discuss@ietf.org
References: <053201cd0b5d$c08c80f0$41a582d0$@packetizer.com> <20120326150556.GC3557@mail.yitter.info> <CAA1s49V0M7N1pLua+ORxGWmsrd_yAA_KQ0Piqjg8VuWJ5=G+Lg@mail.gmail.com> <20120327084709.GB11491@mail.yitter.info> <00ac01cd0c34$cfc96f10$6f5c4d30$@packetizer.com> <CABP7RbdtMYtqgV=NepJMNintjF9hb4h6wv2ttc5bDVqE=yAvPA@mail.gmail.com> <00d201cd0c3a$b3672410$1a356c30$@packetizer.com> <CABP7Rbdcb_xTjLv+Y8brzvhuNiae0pOJKm-9qhHrQMg+xUYPVw@mail.gmail.com>
In-Reply-To: <CABP7Rbdcb_xTjLv+Y8brzvhuNiae0pOJKm-9qhHrQMg+xUYPVw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Subject: [apps-discuss] What auth server supplies email addresses? Was webfinger discussion

I reproach myself for having missed the Internet Society Panel on OpenID and
OAuth yesterday morning.  I'll try and find the recording.  Meanwhile, does
someone know if there is a way to get an email address from an id?

On Wed 28/Mar/2012 12:40:20 +0200 James M Snell wrote:
> 
>   If I want to know about user "bob@example.org", send a GET request to:
>   http://example.org/.well-known/finger/{md5(acct:bob@example.org)} and
>   see what I get back.

That implies the address is known.  Couldn't one use just

   http://example.org/.well-known/finger/{opaque-token}

and, possibly,

   http://example.org/.well-known/finger/{opaque-token}/email-addr?

The idea is that the relevant user, well, Bob in this case, can be logged in
more or less at the same time as he triggers an automatic query of that URL.
For example, he might be buying a DVD at Amazon's.  Bob's server might let
him choose whether to supply his plain email address or any variant thereof,
possibly offering to update Sieve scripts while it's at it.

Is perhaps SCIM, or whatever other framework, nearer to such kinds of use
cases?  It could be used as a better double-opt-in...  (Yes, I'm the one who
asked what's the difference between Webfinger and SCIM on Monday, and I'm
apparently still unclear on that.)
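As an added illustration of the two URL shapes discussed in this message (not code from the thread, nor from any WebFinger or SCIM implementation): the md5 path follows James M Snell's sketch as quoted above, and is deterministic, so only someone who already knows Bob's address can build it. The opaque-token server below is my own hypothetical design, as are its token format, the `Disclosure` record, and the status codes it returns for the `email-addr` sub-resource (202 while Bob has not decided, 403 when he declines, 200 with whichever address he chose to release).

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed illustration of the two URL shapes in the thread; not code from
# the thread, from WebFinger, or from SCIM.

FINGER_PREFIX = "/.well-known/finger/"


def finger_path_for_address(address: str) -> str:
    """Path shape from James M Snell's sketch: md5 over the acct: URI.

    The digest is deterministic, so anyone who already knows the address can
    build the path; the hash hides nothing from someone who has the address.
    """
    digest = hashlib.md5(("acct:" + address).encode("utf-8")).hexdigest()
    return FINGER_PREFIX + digest


@dataclass
class Disclosure:
    """Bob's decision for one token (hypothetical record)."""
    allowed: bool
    address: Optional[str]  # the plain address, a variant of it, or None


class FingerServer:
    """Toy server for the opaque-token variant (hypothetical design)."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}                      # token -> account
        self._decisions: Dict[str, Optional[Disclosure]] = {}  # None = pending

    def issue_token(self, account: str) -> str:
        """Mint a random token; unlike the md5 path it encodes nothing."""
        token = secrets.token_urlsafe(16)
        self._tokens[token] = account
        self._decisions[token] = None
        return token

    def user_decides(self, token: str, allow: bool,
                     variant: Optional[str] = None) -> None:
        """Bob, logged in, releases nothing, his plain address, or a variant."""
        account = self._tokens[token]
        if not allow:
            self._decisions[token] = Disclosure(False, None)
        else:
            self._decisions[token] = Disclosure(True, variant or account)

    def get(self, path: str) -> Tuple[int, Dict[str, str]]:
        """Handle GET {prefix}{token} and GET {prefix}{token}/email-addr."""
        if not path.startswith(FINGER_PREFIX):
            return 404, {}
        parts = path[len(FINGER_PREFIX):].split("/")
        token = parts[0]
        if token not in self._tokens:
            return 404, {}
        decision = self._decisions[token]
        if len(parts) == 1:
            # Base resource only says whether Bob has decided yet.
            return 200, {"status": "pending" if decision is None else "decided"}
        if parts[1:] != ["email-addr"]:
            return 404, {}
        if decision is None:
            return 202, {"status": "pending"}   # Bob has not answered yet
        if not decision.allowed:
            return 403, {"status": "withheld"}
        return 200, {"email": decision.address}


if __name__ == "__main__":
    print(finger_path_for_address("bob@example.org"))
    server = FingerServer()
    tok = server.issue_token("bob@example.org")
    print(server.get(FINGER_PREFIX + tok + "/email-addr"))
    server.user_decides(tok, True, variant="bob+shop@example.org")
    print(server.get(FINGER_PREFIX + tok + "/email-addr"))
```

The token is minted by Bob's server and mapped to his account only there, so the relying party learns nothing from the path itself; the address (or a plus-addressed variant, as the message suggests) is released only after Bob's choice is recorded.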