Re: [OAUTH-WG] Web Finger vs. Simple Web Discovery (SWD)

John Bradley <ve7jtb@ve7jtb.com> Thu, 12 April 2012 18:31 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <BE1853F9-BE4C-47C2-9D57-BDFA2037CEEC@hueniverse.com>
Date: Thu, 12 Apr 2012 20:31:23 +0200
Message-Id: <52663308-D1B3-47B1-8F8B-5BF1E8EE9EC7@ve7jtb.com>
References: <423611CD-8496-4F89-8994-3F837582EB21@gmx.net> <4F86C437.3000006@cs.tcd.ie> <4F871201.1000103@alcatel-lucent.com>, <C87D8EE8-BBBA-4ACF-891B-3B1A2285469E@ve7jtb.com> <BE1853F9-BE4C-47C2-9D57-BDFA2037CEEC@hueniverse.com>
To: Eran Hammer <eran@hueniverse.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Web Finger vs. Simple Web Discovery (SWD)

SWD takes more of an API approach where a query is made about a specific resource type about a specific subject (email format or URI).

The current draft of the spec doesn't go into detail on how a requester is identified and given authorization to discover the resource. One could imagine that being done with OAuth.

You could do a similar thing with Web Finger; however, given that the typical deployment is more of a document model, that is harder for some large sites to deploy.

Is everything in SWD fully sorted out? Well, no; otherwise it would not be being brought to the IETF for standardization.

As we discussed in Paris, many of the goals are similar, but there are implementation differences.

I could also say that the Web Finger approach is more user-centric for sites where users have direct control over editing their own pages.

In most cases, that is not the reality, however.

John B.
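An added example (not code from the thread or from either draft) of the "API approach" described above: one SWD query names one subject (principal) and one resource type (service), and the server decides per subject whether that service's location is public or only released to an identified, authorized requester. The query-string names and the {"locations": [...]} response shape follow the SWD draft; the visibility policy, token table and the choice to answer "not found" to unauthorized requesters are assumptions made for illustration.

```python
from urllib.parse import urlencode

# Constructed directory: principal -> services and a per-service visibility policy.
# The visibility model ("public" or a set of authorized requesters) is an assumption;
# the SWD draft does not define how a requester is identified or authorized.
DIRECTORY = {
    "mailto:joe@example.com": {
        "services": {"urn:example:calendar": ["https://cal.example.com/joe"]},
        "visibility": {"urn:example:calendar": {"alice@example.net"}},
    },
    "mailto:pat@example.com": {
        "services": {"urn:example:calendar": ["https://cal.example.com/pat"]},
        "visibility": {"urn:example:calendar": "public"},
    },
}

# Constructed token store standing in for an OAuth token validation step.
TOKENS = {"tok-alice": "alice@example.net", "tok-mallory": "mallory@example.org"}


def swd_request_url(host, principal, service):
    """Client side: build the SWD query URL for one subject and one resource type."""
    query = urlencode({"principal": principal, "service": service})
    return f"https://{host}/.well-known/simple-web-discovery?{query}"


def swd_lookup(principal, service, bearer_token=None):
    """Server side: return (http_status, json_body).

    Location data is released only when the subject's policy for that service
    allows the identified requester to see it."""
    entry = DIRECTORY.get(principal)
    if entry is None or service not in entry["services"]:
        return 404, {}
    policy = entry["visibility"].get(service)
    if policy != "public":
        requester = TOKENS.get(bearer_token)  # identify the requester
        if requester is None:
            return 401, {}  # unidentified requester: reveal nothing
        if requester not in policy:
            return 404, {}  # unauthorized: same answer as "unknown", no existence leak
    return 200, {"locations": entry["services"][service]}
```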
On 2012-04-12, at 8:18 PM, Eran Hammer wrote:

> Where is this access control and user centric architecture described? I could not find it. 
> 
> EH
> 
> On Apr 12, 2012, at 14:01, "John Bradley" <ve7jtb@ve7jtb.com> wrote:
> 
>> There are important deployment and privacy issues that caused OpenID Connect to use SWD.
>> 
>> I was part of the OASIS XRI/XRD work that Web Finger has been based on.
>> 
>> The main differences are around allowing all of the user's information to be publicly discoverable vs. providing for access control.
>> 
>> They are similar, but have real design differences.
>> 
>> Web Finger without XML is not horrible by any means, but neither is SWD.
>> 
>> SWD is more about users while host-meta is more about server resources.
>> 
>> John B.
>> 
>> 
>> On 2012-04-12, at 7:33 PM, Igor Faynberg wrote:
>> 
>>> To me this looks like more than the same problem being solved--it appears to be the same protocol... I wonder if, with the representation issues put aside (i.e., left to the API specification), the common part is what can be adopted.
>>> 
>>> Igor
>>> 
>>> On 4/12/2012 8:01 AM, Stephen Farrell wrote:
>>>> 
>>>> 
>>>> On 04/12/2012 12:00 PM, Hannes Tschofenig wrote:
>>>>> Hi all,
>>>>> 
>>>>> those who had attended the last IETF meeting may have noticed the ongoing activity in the 'Applications Area Working Group' regarding Web Finger.
>>>>> We had our discussion regarding Simple Web Discovery (SWD) as part of the re-chartering process.
>>>>> 
>>>>> Here are the two specifications:
>>>>> http://tools.ietf.org/html/draft-jones-appsawg-webfinger-03
>>>>> http://tools.ietf.org/html/draft-jones-simple-web-discovery-02
>>>>> 
>>>>> Now, the questions that seem to be hanging around are
>>>>> 
>>>>> 1) Aren't these two mechanisms solving pretty much the same problem?
>>>>> 2) Do we need to have two standards for the same functionality?
>>>>> 3) Do you guys have a position or comments regarding either one of them?
>>>>> 
>>>>> Ciao
>>>>> Hannes
>>>>> 
>>>>> PS: Please also let me know if your view is: "I don't really know what all this is about and the documents actually don't provide enough requirements to make a reasonable judgement about the solution space."
>>>>> 
>>>> 
>>>> So just as a data-point. We (the IETF, but including
>>>> me personally;-) mucked up badly on this some years
>>>> ago in the PKI space - we standardised both CMP (rfc
>>>> 2510) and CMC (rfc 2797) as two ways to do the same
>>>> thing, after a protracted battle between factions
>>>> supporting one or the other. We even made sure they
>>>> had as much common syntax as possible. (CRMF, rfc
>>>> 2511)
>>>> 
>>>> Result: neither fully adopted, lots of people still
>>>> do proprietary stuff, neither can be killed off
>>>> (despite attempts), both need to be maintained (CMP
>>>> is now RFC 4210, CMC, 5272, CRMF, 4211), and IMO
>>>> partly as a result of us screwing up for what seemed
>>>> like good reasons at the time, PKI administration
>>>> stuff has never gotten beyond horrible-to-do.
>>>> 
>>>> All-in-all, a really bad outcome which is still
>>>> a PITA a dozen years later.
>>>> 
>>>> As OAuth AD I will need *serious* convincing that
>>>> there is a need to provide two ways to do the same
>>>> thing. I doubt it'll be possible to convince me,
>>>> in fact, so if you wanna try, you'll need to start
>>>> by saying that they are not in fact two ways to do
>>>> the same thing:-)
>>>> 
>>>> S.
>>>> 
>>>> PS: This discussion needs to also involve the Apps
>>>> area, so I've cc'd that list.
>>>> 
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth