Re: [OAUTH-WG] [apps-discuss] R: draft-jones-appsawg-webfinger-04

"Paul E. Jones" <paulej@packetizer.com> Tue, 08 May 2012 08:25 UTC

To: Blaine Cook <romeda@gmail.com>
Cc: Goix Laurent Walter <laurentwalter.goix@telecomitalia.it>, Gonzalo Salgueiro <gsalguei@cisco.com>, apps-discuss@ietf.org, "oauth@ietf.org" <oauth@ietf.org>

  Blaine,

Your issues were not ignored, but I do not think there was consensus one 
way or the other on them.  Your points were:
1) Recommendation to use JSON only
2) A question about what the JSON format would look like
3) Direct vs. indirect queries (i.e., whether to use resource parameter)

I replied to each of these and others commented on parts, too.  My opinions:

1) Given that RFC 6415 already specifies use of XML and is only months 
old, I hesitate to demand that only XML be used.  Further, it's trivial 
for the server to do both.  The client will be able to use whatever it 
prefers.  I can be convinced to drop XML, but I think we should make 
this decision carefully and with everyone in agreement.
2) I suggested we use JRD since it is defined.  Was there any 
disagreement on that?
3) This issue is a point where there was clear division.  The OpenID 
Connect team wants to be able to issue a single query and get a reply.  
You had an interest to use a static server.  I investigated how we could 
do both.  If one used Apache, for example, one could build a static site 
and still support the resource URI.  Here's a couple of ways to do it: 
http://www.packetizer.com/webfinger/server.html (using either .htaccess 
or the global config file).  What cannot be accommodated is the "rel" 
parameter, but I'd guess static sites will not produce voluminous 
results, anyway.

So, it's not accurate to say your issues were ignored.  We simply did 
not have strong consensus one way or the other.  There were strong 
opinions on (3), so I tried to find a solution that might be 
acceptable.  We may need more discussion on all of these points, of course.

Paul

On 5/8/2012 2:40 AM, Blaine Cook wrote:
>
> I disagree that the current spec is a good starting point - the issues 
> I've raised have been ignored, and the spec is now much more 
> complicated from both sides of the implementation fence.
>
> On May 7, 2012 3:17 PM, "Paul E. Jones" <paulej@packetizer.com 
> <mailto:paulej@packetizer.com>> wrote:
>
>     Walter,
>
>     I'm not sure what the full set of issues will be, but I only have
>     a couple of small edits queued for -05 at present (one being
>     "template" should be "href" in the example at the end of 4.2 that
>     you pointed out to me privately).  We've already worked through a
>     number of issues to get to this point, so there may not be a lot
>     of changes needed.  I'll not dismiss the possibility that there
>     are editorial issues, but I hope we've resolved most of the
>     technical details.
>
>     We probably still need to have the discussion of keeping CORS and
>     what additions are needed to the security section.  We've made a
>     few changes there already, but I'm not sure if it still fully
>     addresses some of the privacy concerns.
>
>     Paul
>
>     On 5/7/2012 5:37 AM, Goix Laurent Walter wrote:
>>
>>     I also support this draft as a way forward for the discussion
>>     that I think captures the essence of both philosophies.
>>
>>     If such basis is agreed what are the major pending issues?
>>
>>     Regards
>>
>>     Laurent-walter
>>
>>     *From:* apps-discuss-bounces@ietf.org
>>     <mailto:apps-discuss-bounces@ietf.org>
>>     [mailto:apps-discuss-bounces@ietf.org] *On behalf of* Gonzalo
>>     Salgueiro (gsalguei)
>>     *Sent:* Friday, 4 May 2012 21:50
>>     *To:* Murray S. Kucherawy
>>     *Cc:* oauth@ietf.org <mailto:oauth@ietf.org>;
>>     apps-discuss@ietf.org <mailto:apps-discuss@ietf.org>
>>     *Subject:* Re: [apps-discuss] draft-jones-appsawg-webfinger-04
>>
>>     I support this doc being adopted as starting point for WG discussion.
>>
>>     Regards,
>>
>>     Gonzalo
>>
>>
>>     On May 4, 2012, at 3:03 PM, "Murray S. Kucherawy"
>>     <msk@cloudmark.com <mailto:msk@cloudmark.com>> wrote:
>>
>>         The above-named draft has been offered as the recommended
>>         path forward in terms of converging on a single document to
>>         advance through appsawg.  The conversation I saw this week in
>>         that regard has seemed mostly positive.
>>
>>         Please review it, or at least the diff, and indicate your
>>         support or objection on apps-discuss@ietf.org
>>         <mailto:apps-discuss@ietf.org> to adopting this one as the
>>         common path forward. We would like to make a decision about
>>         which one to begin advancing in the next week or two.
>>
>>         Have a good weekend!
>>
>>         -MSK, APPSAWG co-chair