Re: [apps-discuss] Looking at Webfinger
George Fletcher <gffletch@aol.com> Wed, 29 August 2012 15:38 UTC
Return-Path: <gffletch@aol.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 799EB21F8546 for <apps-discuss@ietfa.amsl.com>; Wed, 29 Aug 2012 08:38:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.165
X-Spam-Level:
X-Spam-Status: No, score=-2.165 tagged_above=-999 required=5 tests=[AWL=0.433, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MR0VPAvxui4g for <apps-discuss@ietfa.amsl.com>; Wed, 29 Aug 2012 08:38:09 -0700 (PDT)
Received: from imr-ma04.mx.aol.com (imr-ma04.mx.aol.com [64.12.206.42]) by ietfa.amsl.com (Postfix) with ESMTP id 34EB721F84FA for <apps-discuss@ietf.org>; Wed, 29 Aug 2012 08:38:09 -0700 (PDT)
Received: from mtaout-ma04.r1000.mx.aol.com (mtaout-ma04.r1000.mx.aol.com [172.29.41.4]) by imr-ma04.mx.aol.com (8.14.1/8.14.1) with ESMTP id q7TFbtSN017360; Wed, 29 Aug 2012 11:37:55 -0400
Received: from palantir.office.aol.com (palantir.office.aol.com [10.181.186.254]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-ma04.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 37737E000112; Wed, 29 Aug 2012 11:37:55 -0400 (EDT)
Message-ID: <503E3753.3060604@aol.com>
Date: Wed, 29 Aug 2012 11:37:55 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20120713 Thunderbird/14.0
MIME-Version: 1.0
To: "Paul E. Jones" <paulej@packetizer.com>
References: <F80C8C9C-7AB8-4B7E-BFD2-4D69499D21A1@mnot.net> <4E1F6AAD24975D4BA5B168042967394366574F93@TK5EX14MBXC283.redmond.corp.microsoft.com> <CABP7RbfNXx8HtsRBcVf=AVaDTyg=xQYHWAyCkHWx1n+JBQ8=Zw@mail.gmail.com> <CAMm+Lwg20rfr=P66=vZadL8Ga5KDXmfizZE5v6dXiZMTvZKY=Q@mail.gmail.com> <44C43601-A355-44B7-8C8E-1F435E4E567A@ve7jtb.com> <CAMm+LwgM57++oqE-5meECxE0S=kU2kVHJLumyDSBciJ13QvuoA@mail.gmail.com> <CABP7RbctkibSKr6r_Ay34z4Wr67tU6qG5G5gLCZovGx_hWYHYQ@mail.gmail.com> <DF4591C5-A5AE-4D2A-BB3A-FF4DAFBBD98A@ve7jtb.com> <CABP7RbefS9Sy2m0GsiSx2VZopf78DhqU1fjfsDn5z926Q_--GA@mail.gmail.com> <CAJu8rwUeAKEtAS-g6X3xJqyu-Xy6yQnfdeNj3mGC__D3zijwzA@mail.gmail.com> <35550AA9-E003-4917-B08C-93CB6CC2CB07@mnot.net> <CAJu8rwWKa7ehr+k=zDWD=OMzPTEt56inPW0tvZaNUmdcL3ygoQ@mail.gmail.com> <503CDF26.8050000@aol.com> <02a301cd8551$be7ab390$3b701ab0$@packetizer.com>
In-Reply-To: <02a301cd8551$be7ab390$3b701ab0$@packetizer.com>
Content-Type: multipart/alternative; boundary="------------090807020002030003070302"
x-aol-global-disposition: G
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20110426; t=1346254675; bh=6as3WZWQ19r9VeFN0+ylvyUIsr3oeEP5a4rFIw5pHlI=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=PqGIVrQL7xVgEhCiXfawvM4hDr5NoMwFURqKL9YP2C72FsTV4iFnNsEabywy35FU8 u1AAqcYFLW1xLn17gLThZi/oDnC23Do5+w6QxZ7uq6KRFfNXs0qrd9bBTsAgHEgskf QhE0iYZNlkCVY+DKyUPu0quSvKjQBNFYUo6GxFyQ=
X-AOL-SCOLL-SCORE: 1:2:491361152:93952408
X-AOL-SCOLL-URL_COUNT: 1
x-aol-sid: 3039ac1d2904503e375326c6
X-AOL-IP: 10.181.186.254
Cc: 'Mark Nottingham' <mnot@mnot.net>, 'IETF Apps Discuss' <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] Looking at Webfinger
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Aug 2012 15:38:12 -0000
On 8/28/12 3:17 PM, Paul E. Jones wrote: > > George, > > I believe it might be useful to introduce those who break your > WebFinger server to Louisville Slugger. :) > :) > > Your pain is understood, but I do not see a way to avoid it. We could > introduce something in DNS, but that would also present challenges. > No matter where we "root" the discovery process, there is a potential > somebody could break it. It could be rooted somewhere other than the > root of the domain (e.g., webfinger.example.com), but we either need > to decide in advance of such a location or introduce a way to > discovery the discovery resources. > > Do you have a suggestion that would make this less likely to be broken? > Well this is one reason I liked XRD and host-meta:) I could put one static file on the CDN and get it served up by the right domain. Not so difficult. With Simple Web Discovery, there is support for a "global" redirect so I can again add yet another static file to the CDN to point the discovery service elsewhere. Not ideal but probably manageable. However, making the .well-known URLs dynamic makes this more difficult. I suppose if I can some how ignore all the "per user" paths or query parameters and webfinger supports a global redirect for the domain, I can probably use my Louisville Slugger to get it to stick:) Thanks, George > > Paul > > *From:*apps-discuss-bounces@ietf.org > [mailto:apps-discuss-bounces@ietf.org] *On Behalf Of *George Fletcher > *Sent:* Tuesday, August 28, 2012 11:09 AM > *To:* Mark Nottingham > *Cc:* IETF Apps Discuss > *Subject:* Re: [apps-discuss] Looking at Webfinger > > Way "late to the party" but I can speak from experience that > deployment can be a real issue in some environments. It's all really > straight forward in a small company or an environment where the > identity team "owns" the root domain (e.g. example.com). However, if > an entire other group in a large organization "owns" the root domain > (home page for the site) and the identity team then needs to get them > to make changes, the deployment solution gets brittle pretty quick. > I've had our webfinger support broken at least twice because the > "other" team didn't know that certain configs were required:) > > Also, installing the "dynamic pluming" can be more problematic is > these cases. It is possible to get apache rewrite rules or netscaler > magic in place to make it work, it's just a more brittle deployment > architecture. > > Thanks, > George > > On 7/4/12 6:58 PM, John Panzer wrote: > > Mark -- Of course I was speaking about practical realities of > typical web server administration and deployment. In practical > terms, adding a new mod_rewrite rule or moral equivalent is going > to be easier than adding a new PHP script that connects to a > database. The latter is just always going to be a much higher bar. > > And, something that returns per-user data is generally going to > need a dynamic service of some kind, unless your site has just a > handful of users and you don't mind going through a publishing > exercise each time you add or change a user... > > None of this has anything to do with the interface, just > deployment realities. And in reality all of this is going to need > a dynamic service somewhere for each non-trivial site, this is all > just a question of how to hook it up. > > > -- > John Panzer / Google > jpanzer@google.com <mailto:jpanzer@google.com> / > abstractioneer.org <http://www.abstractioneer.org/> / @jpanzer > > On Wed, Jul 4, 2012 at 3:36 PM, Mark Nottingham <mnot@mnot.net > <mailto:mnot@mnot.net>> wrote: > > On 05/07/2012, at 8:16 AM, John Panzer wrote: > > > Just as a historical note. The envisioned usage of host-meta > was originally to avoid a specification which mandated a > particular dynamic URL API at a particular /.well-known endpoint > (because it may not be feasible to do that across all > organizations and deployments). The host-meta document itself > would be highly cacheable and so wouldn't incur an additional > network trip in the common case. > > > > Having a 3xx redirect is a reasonable alternative that allows a > similar escape hatch via something like mod_rewrite, albeit at the > cost of needing an additional network trip each time. Since a > deployment can always avoid the 3xx redirect with additional > dynamic plumbing behind the well-known endpoint, I don't think > that's a horrible thing. > > > > An application-level redirect would be almost equivalent to an > HTTP redirect, but then there are two ways to do the same thing. > If _only_ an application-level redirect is allowed, then you have > to have at least a minimal dynamic service at the well-known > endpoint (no more mod_rewrite). But the whole reason for this is > to avoid the requirement for a dynamic service behind well-known... > > "dynamic" and "static" are properties of the implementation, not > the interface. HTTP doesn't require that any particular URL be > "dynamic"; anything can, with the right metadata, be cached (and > indeed, I've cached many, many things with the wrong metadata, > because of silly site operators and their ideas about "dynamic"). > > Now, if people want to target a particular implementation that > makes it easier to serve a particular style of URL without writing > code, fine, but let's not confuse things. > > E.g., a URL like > > http://example.com/.well-known/user/bob > > is easy to serve in pretty much any way you like with Apache. > > I'm also going to push back on the "it may not be feasible to do > that across all organizations and deployments" motivation. This is > a race to the bottom. The trick is to make it accessible enough to > get sufficient traction to pull everyone along, without pandering > to *everyone*'s requirements. > > Regards, > > > -- > Mark Nottingham http://www.mnot.net/ > > > > > > _______________________________________________ > > apps-discuss mailing list > > apps-discuss@ietf.org <mailto:apps-discuss@ietf.org> > > https://www.ietf.org/mailman/listinfo/apps-discuss >
- [apps-discuss] Looking at Webfinger Mark Nottingham
- Re: [apps-discuss] Looking at Webfinger Mike Jones
- Re: [apps-discuss] Looking at Webfinger Mark Nottingham
- Re: [apps-discuss] Looking at Webfinger William Mills
- Re: [apps-discuss] Looking at Webfinger Melvin Carvalho
- Re: [apps-discuss] Looking at Webfinger Michiel de Jong
- Re: [apps-discuss] Looking at Webfinger George Fletcher
- Re: [apps-discuss] Looking at Webfinger Phillip Hallam-Baker
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger Peter Saint-Andre
- [apps-discuss] the need for acct (was: Re: Lookin… Peter Saint-Andre
- Re: [apps-discuss] Looking at Webfinger Julian Reschke
- Re: [apps-discuss] the need for acct (was: Re: Lo… Phillip Hallam-Baker
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] the need for acct (was: Re: Lo… William Mills
- Re: [apps-discuss] Looking at Webfinger Barry Leiba
- Re: [apps-discuss] Looking at Webfinger Paul E. Jones
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger James M Snell
- Re: [apps-discuss] Looking at Webfinger Phillip Hallam-Baker
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger Phillip Hallam-Baker
- Re: [apps-discuss] Looking at Webfinger Murray S. Kucherawy
- Re: [apps-discuss] Looking at Webfinger Melvin Carvalho
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger James M Snell
- Re: [apps-discuss] Looking at Webfinger William Mills
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger James M Snell
- Re: [apps-discuss] Looking at Webfinger John Panzer
- Re: [apps-discuss] Looking at Webfinger Mark Nottingham
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger John Panzer
- Re: [apps-discuss] Looking at Webfinger Martin J. Dürst
- Re: [apps-discuss] the need for acct (was: Re: Lo… Paul E. Jones
- Re: [apps-discuss] Looking at Webfinger Melvin Carvalho
- Re: [apps-discuss] Looking at Webfinger Phillip Hallam-Baker
- Re: [apps-discuss] Looking at Webfinger Paul E. Jones
- [apps-discuss] R: the need for acct (was: Re: Loo… Goix Laurent Walter
- Re: [apps-discuss] Looking at Webfinger George Fletcher
- Re: [apps-discuss] Looking at Webfinger Paul E. Jones
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger Paul E. Jones
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger George Fletcher
- Re: [apps-discuss] Looking at Webfinger Paul E. Jones
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger John Panzer
- Re: [apps-discuss] Looking at Webfinger William Mills
- Re: [apps-discuss] Looking at Webfinger Paul E. Jones
- Re: [apps-discuss] Looking at Webfinger Patrik Fältström
- Re: [apps-discuss] Looking at Webfinger William Mills
- Re: [apps-discuss] Looking at Webfinger Patrik Fältström
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger Patrik Fältström
- Re: [apps-discuss] Looking at Webfinger James M Snell
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger Bob Wyman
- Re: [apps-discuss] Looking at Webfinger Paul E. Jones
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger Nat Sakimura
- Re: [apps-discuss] Looking at Webfinger Paul E. Jones
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger John Bradley
- Re: [apps-discuss] Looking at Webfinger Paul E. Jones
- Re: [apps-discuss] Looking at Webfinger Salvatore Loreto