Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web Discovery (SWD)

[Melvin Carvalho <melvincarvalho@gmail.com>]

On 19 April 2012 20:26, Eran Hammer <eran@hueniverse.com> wrote:

> #1 as John Panzer identified, allowing the server to control its
> deployment and supporting HTTP redirects is critical.
>

+1


> #2 JSON is better, which one is required is less of on issue but more of a
> best practices item.
>

Happy with this comment, and a +1 for JSON only


>
> I'll add:
>
> * Highly cachable
>

+1 tho I think most CSN dont cache a 303 redirect


> * Optimize for large providers, reducing the need to make repeated
> requests when the information is mostly following a template on the server
> side
>

+1


> * Ability to provide discovery on resources, not users or any other subset
> (emails, etc.)
>

There's a subtlety here and that's the difference in HTML between "rel" and
"rev".

A forward or reverse lookup.  Forward is a natural way to look things up,
eg you give a URL and you get a document.  But something like google search
is actually a reverse index, you give it words and you get back URLs for
documents.  Initially hard to get your head round, but in practice can be
incredibly practical and useful.

Given a triple such as (subject verb object)

<acct:user@host>  email  <mailto:user@host>

Is your lookup based on the subject (WF) or the object (SWF)?

If subject then you need something there.  However, it need not be an acct:
URI

It could be a URN eg

urn:acct:user@host  (no new uri scheme needed)

it could be a relative URI such as

<#>  (which facebook do)

This indicates a pointer to the top of the document

It can even be blank

<>

The so-called 'blank node' in the linked data world, but then you're more
reliant on a query language, such as SPARQL.

I'm sure I havent covered every possibility.

OR you can key off the Object

<anything>  email <mailto:user@host>

then return all key values assoicated with <anything> which would be in the
@subject position in the case of XRD/JRD or the @id position in the case of
something like JSON LD

It's quite confusing but essentially you are asking two very different
things:

1) Give me all information where the subject is acct:user@host

Which also means having to create a mapping, and educating every system
what the subject of their email (or xmpp/sip/tel/twitter account) should
be.  A potentially big task.  Im not saying it's wrong, but IMHO this is
potentially big enough to fill a whole other standards document in itself.

or

2) Give me all information for the user with email mailto:user@host

Non disruptive

I'm sorry If i have not explained this very well, but the difference
between rev and rel confuses a lot of confusion in HTML, and that's
essentially the subtlety here (forward vs reverse lookup)


> * Security agnostic - leave it to HTTP, TLS, OAuth, etc.
>

+1


> * HTTP compliant - doesn't invent it's own rediretion menthods or custom
> headers, etc.
>

+1


>
> EH
>
> > -----Original Message-----
> > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> > Of Mike Jones
> > Sent: Thursday, April 19, 2012 9:49 AM
> > To: Murray S. Kucherawy; oauth@ietf.org WG; Apps Discuss
> > Subject: Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web
> > Discovery (SWD)
> >
> > There are two criteria that I would consider to be essential
> requirements for
> > any resulting general-purpose discovery specification:
> >
> > 1.  Being able to always discover per-user information with a single GET
> > (minimizing user interface latency for mobile devices, etc.)
> >
> > 2.  JSON should be required and it should be the only format required
> > (simplicity and ease of deployment/adoption)
> >
> > SWD already meets those requirements.  If the resulting spec meets those
> > requirements, it doesn't matter a lot whether we call it WebFinger or
> Simple
> > Web Discovery, but I believe that the requirements discussion is probably
> > the most productive one to be having at this point - not the starting
> point
> > document.
> >
> >                               -- Mike
> >
> > -----Original Message-----
> > From: apps-discuss-bounces@ietf.org [mailto:apps-discuss-
> > bounces@ietf.org] On Behalf Of Murray S. Kucherawy
> > Sent: Thursday, April 19, 2012 9:32 AM
> > To: oauth@ietf.org WG; Apps Discuss
> > Subject: Re: [apps-discuss] [OAUTH-WG] Web Finger vs. Simple Web
> > Discovery (SWD)
> >
> > By all means people should correct me if they think I'm wrong about
> this, but
> > so far from monitoring the discussion there seems to be general support
> for
> > focusing on WebFinger and developing it to meet the needs of those who
> > have deployed SWD, versus the opposite.
> >
> > Does anyone want to argue the opposite?
> >
> > -MSK, appsawg co-chair
> >
> > _______________________________________________
> > apps-discuss mailing list
> > apps-discuss@ietf.org
> > https://www.ietf.org/mailman/listinfo/apps-discuss
> >
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> apps-discuss mailing list
> apps-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/apps-discuss
>