Re: [apps-discuss] Webfinger discussion

SM <sm@resistor.net> Tue, 27 March 2012 22:22 UTC

At 12:32 27-03-2012, 'Andrew Sullivan' wrote:
>I wish I had something more intelligent to say than, "Is anyone [else]
>worried about the aggregation of this information and what it does to
>the security profile of the aggregated things?"  Note this isn't

I'll label it as a concern.

>If I understood correctly, it seems to me that disclosing something
>about the relationship of these three accounts is in effect a new
>disclosure, and that it offers potential for analysis (and therefore
>attacks) that might not have been available given the individual
>accounts alone.  But beyond that hand-wavy unease, I haven't the tools

Yes.

>to say anything really sensible.  Maybe there's some sort of secdir
>guidance for this sort of thing?  (Note that I'm not a security guy,

That might be summed up as:

  "If one does not wish to share certain information with the world, do
   not allow that information to be accessible through Webfinger."

I suggest that the authors take a look at draft-iab-privacy-considerations-02.

Regards,
-sm