Re: [apps-discuss] Webfinger discussion
'Andrew Sullivan' <ajs@anvilwalrusden.com> Tue, 27 March 2012 19:33 UTC

On Tue, Mar 27, 2012 at 12:15:21PM -0400, Paul E. Jones wrote:
> We'll add text along those lines to the next draft. Any other security
> considerations we should note?

I wish I had something more intelligent to say than, "Is anyone [else] worried about the aggregation of this information and what it does to the security profile of the aggregated things?"

Note this isn't exactly the privacy issue, though there's that. As nearly as I can tell, one natural use case (or anyway, something people said) was that you can aggregate information across services so that, for instance, it would be easy to tell about the relationships among me@service1, me@service2, and me@service3. If I'm misunderstanding (this happens a lot, note, so don't be afraid to point and laugh), please correct me.

If I understood correctly, it seems to me that disclosing something about the relationship of these three accounts is in effect a new disclosure, and that it offers potential for analysis (and therefore attacks) that might not have been available given the individual accounts alone. But beyond that hand-wavy unease, I haven't the tools to say anything really sensible. Maybe there's some sort of secdir guidance for this sort of thing?

(Note that I'm not a security guy, and I don't play one on TV either. This is just the sort of thing they warned me about when I was a kid, and I think that's why I have the heebie-jeebies about this. Maybe I'm just superstitious.)

Thanks for putting up with the hand-waving (which will stop now),

A

--
Andrew Sullivan
ajs@anvilwalrusden.com