IETF Logo Mail Archive

Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web Discovery (SWD)

John Bradley <ve7jtb@ve7jtb.com> Fri, 20 April 2012 15:12 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F214F21F87BD for <oauth@ietfa.amsl.com>; Fri, 20 Apr 2012 08:12:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C9KjE57z5cPZ for <oauth@ietfa.amsl.com>; Fri, 20 Apr 2012 08:12:45 -0700 (PDT)
Received: from mail-wg0-f44.google.com (mail-wg0-f44.google.com [74.125.82.44]) by ietfa.amsl.com (Postfix) with ESMTP id 84DC021F8786 for <oauth@ietf.org>; Fri, 20 Apr 2012 08:12:35 -0700 (PDT)
Received: by wgbdr13 with SMTP id dr13so6616680wgb.13 for <oauth@ietf.org>; Fri, 20 Apr 2012 08:12:34 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer:x-gm-message-state; bh=QfY2UKM7Xfy9xfvybU6+wIXoda53e/iQoIvFqUH+0OY=; b=HjaJCbhZIuZbXK9uumRwRHVrovSglp7znv0+PoqsrTQIv7wo6vn9CJfesS6VMsPGWA 5+HvtBeCIVHkL9bDMueDj6TvTasjkfc62nsKkg5AveFx+67nDRMnW96J9Tj3TAPSSijF yrbd/w0ZbuzgqFRBOOjQisyNtsGYkbzFxBzJrDHFP7ws4mWpYBJ1xZh2UltZ1JXxsmg8 vmAtlzr1P9KaEyPZiCx4peGFYtXiwTNYSQdknv6YepAQ4uZnOqJ25hl/FLmPCRIT7neH izrJir3YMwoiAONuVDMqPlmlbXNsguWx3pvNiMFI2k2JpcX70wdkDw29xsJEkL6pECp0 GhNg==
Received: by 10.216.137.30 with SMTP id x30mr3888264wei.34.1334934754555; Fri, 20 Apr 2012 08:12:34 -0700 (PDT)
Received: from [10.140.224.153] ([80.187.201.110]) by mx.google.com with ESMTPS id fl2sm9696842wib.2.2012.04.20.08.12.27 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 20 Apr 2012 08:12:30 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: multipart/signed; boundary="Apple-Mail=_9809CEA2-8BA2-410F-97F7-5AAC15EBD820"; protocol="application/pkcs7-signature"; micalg="sha1"
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <1334933123.53510.YahooMailNeo@web31803.mail.mud.yahoo.com>
Date: Fri, 20 Apr 2012 17:12:23 +0200
Message-Id: <EB373149-113E-419F-AB28-401A70AC42FD@ve7jtb.com>
References: <423611CD-8496-4F89-8994-3F837582EB21@gmx.net> <4F8852D0.4020404@cs.tcd.ie> <9452079D1A51524AA5749AD23E0039280EFE8D@exch-mbx901.corp.cloudmark.com> <sjm1unn338j.fsf@mocana.ihtfp.org> <9452079D1A51524AA5749AD23E0039280FACC3@exch-mbx901.corp.cloudmark.com> <4E1F6AAD24975D4BA5B168042967394366490B2A@TK5EX14MBXC284.redmond.corp.microsoft.com> <091401cd1ea3$e159be70$a40d3b50$@packetizer.com> <4E1F6AAD24975D4BA5B1680429673943664915EF@TK5EX14MBXC284.redmond.corp.microsoft.com> <091d01cd1eb7$da2c7ed0$8e857c70$@packetizer.com> <4E1F6AAD24975D4BA5B1680429673943664916A0@TK5EX14MBXC284.redmond.corp.microsoft.com> <1334933123.53510.YahooMailNeo@web31803.mail.mud.yahoo.com>
To: William Mills <wmills@yahoo-inc.com>
X-Mailer: Apple Mail (2.1257)
X-Gm-Message-State: ALoCoQkJJruE41Dj2sqYlJuCCpwuap5bVkifcCyOJHb2A/TAxr0xPi7cvbbefCWJ5nIk49OgXieX
Cc: "oauth@ietf.org" <oauth@ietf.org>, 'Apps Discuss' <apps-discuss@ietf.org>
Subject: Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web Discovery (SWD)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Apr 2012 15:12:49 -0000

We are not arguing that XML be removed from the server.  Only that JSON be mandatory for the server to support.

Others on the list piled on the removing XML argument.   

I do think there is a legitimate argument that fewer options make for better interoperability.

However Mike and myself are not the ones making that argument.

Only that the server MUST support JSON.

The other MUST Mike had was getting the JRD with a single get and not needing to retrieve the host-meta file first to retrieve the template.

That is probably the largest design difference.

SWD uses a .well-known location as effectively a static template and only redirects if necessary.

Where as Web Finger assumes the overhead of one extra GET on the first request to add a configurable template.

one compromise and perhaps not the best is to leave the current host-meta mechanism.
Add a new SWD endpoint (fixed-template) in .well-known that provides the service, or is an alias for the host-mata file.

A client could try the SWD endpoint (fixed template first and get a response in one go, or get back a  host meta file and take the template from that and try again.

A redirect might be better as that could be cached. ( open to debate)

That would make the happy path discovery for web-finger be one GET and possibly some people happy.

The existing clients would get .well known and get the template as they do now.

The single GET could be considered an optimization.

If we pick off the issues one at a time I hope we can find solutions.

John B.
On 2012-04-20, at 4:45 PM, William Mills wrote:

> So you are guaranteeing that there are no clients using WF today?  
> 
> From: Mike Jones <Michael.Jones@microsoft.com>
> To: Paul E. Jones <paulej@packetizer.com>; 'Murray S. Kucherawy' <msk@cloudmark.com>; "oauth@ietf.org" <oauth@ietf.org>; 'Apps Discuss' <apps-discuss@ietf.org> 
> Sent: Thursday, April 19, 2012 10:48 PM
> Subject: Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web Discovery (SWD)
> 
> To be clear, making this mandatory would break no clients.  It would require updating some servers, just as requiring JSON would.  This seems like a fair tradeoff when it makes an appreciable difference in user interface latency in some important scenarios.  If you and the other key WebFinger supporters can agree to making "resource" support mandatory and requiring JSON, I believe we may have a path forward.
> 
>                 Cheers,
>                 -- Mike
> 
> -----Original Message-----
> From: Paul E. Jones [mailto:paulej@packetizer.com] 
> Sent: Thursday, April 19, 2012 10:39 PM
> To: Mike Jones; 'Murray S. Kucherawy'; oauth@ietf.org; 'Apps Discuss'
> Subject: RE: [apps-discuss] [OAUTH-WG] Web Finger vs. Simple Web Discovery (SWD)
> 
> That's correct.  We could certainly make it mandatory, but the reason it isn't is to maintain backward compatibility with existing deployments.
> 
> I think we should always think carefully when we decide to make a change that breaks backward-compatibility.  This is one change that would do that.
> 
> Paul
> 
> > -----Original Message-----
> > From: Mike Jones [mailto:Michael.Jones@microsoft.com]
> > Sent: Friday, April 20, 2012 1:10 AM
> > To: Paul E. Jones; 'Murray S. Kucherawy'; oauth@ietf.org; 'Apps Discuss'
> > Subject: RE: [apps-discuss] [OAUTH-WG] Web Finger vs. Simple Web 
> > Discovery
> > (SWD)
> > 
> > Currently, support for the "resource" parameter is optional, as per 
> > the following (correct?):
> > 
> >    Note that support for the "resource" parameter is optional, but
> >    strongly RECOMMENDED for improved performance.  If a server does not
> >    implement the "resource" parameter, then the server's host metadata
> >    processing logic remains unchanged from RFC 6415.
> > 
> > To truly support 1, this would need to be changed to REQUIRED, correct?
> > 
> >                 -- Mike
> > 
> > -----Original Message-----
> > From: Paul E. Jones [mailto:paulej@packetizer.com]
> > Sent: Thursday, April 19, 2012 8:16 PM
> > To: Mike Jones; 'Murray S. Kucherawy'; oauth@ietf.org; 'Apps Discuss'
> > Subject: RE: [apps-discuss] [OAUTH-WG] Web Finger vs. Simple Web 
> > Discovery
> > (SWD)
> > 
> > Mike,
> > 
> > > There are two criteria that I would consider to be essential 
> > > requirements for any resulting general-purpose discovery specification:
> > >
> > > 1.  Being able to always discover per-user information with a single 
> > > GET (minimizing user interface latency for mobile devices, etc.)
> > 
> > WF can do that.  See:
> > $ curl -v https://packetizer.com/.well-known/\
> >          host-meta.json?resource=acct:paulej@packetizer.com
> > 
> > > 2.  JSON should be required and it should be the only format 
> > > required (simplicity and ease of deployment/adoption)
> > 
> > See the above example.  However, I also support XML with my server.  
> > It took me less than 10 minutes to code up both XML and JSON representations.
> > Once the requested format is determined, the requested URI is 
> > determined, data is pulled from the database, spitting out the desired 
> > format is trivial.
> > 
> > Note, and very important note: supporting both XML and JSON would only 
> > be a server-side requirement.  The client is at liberty to use the 
> > format it prefers.  I would agree that forcing a client to support 
> > both would be unacceptable, but the server?  Nothing to it.
> > 
> > > SWD already meets those requirements.  If the resulting spec meets 
> > > those requirements, it doesn't matter a lot whether we call it 
> > > WebFinger or Simple Web Discovery, but I believe that the 
> > > requirements discussion is probably the most productive one to be 
> > > having at this point - not the starting point document.
> > 
> > I believe WebFinger meets those requirements.  We could debate whether 
> > XML should be supported, but I'll note (again) that it is there in RFC 6415.
> > That document isn't all that old and, frankly, it concerns me that we 
> > would have a strong preference for format A one week and then Format B 
> > the next.
> > We are where we are and I can see reason for asking for JSON, but no 
> > good reason to say we should not allow XML (on the server side).
> > 
> > Paul
> > 
> > 
> > 
> 
> 
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email