IETF Logo Mail Archive

Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web Discovery (SWD)

Gonzalo Salgueiro <gsalguei@cisco.com> Fri, 20 April 2012 17:34 UTC

Return-Path: <gsalguei@cisco.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48D6D21F866D for <oauth@ietfa.amsl.com>; Fri, 20 Apr 2012 10:34:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.561
X-Spam-Level:
X-Spam-Status: No, score=-10.561 tagged_above=-999 required=5 tests=[AWL=0.038, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ohj1z-gzfRgO for <oauth@ietfa.amsl.com>; Fri, 20 Apr 2012 10:34:42 -0700 (PDT)
Received: from av-tac-rtp.cisco.com (hen.cisco.com [64.102.19.198]) by ietfa.amsl.com (Postfix) with ESMTP id 54A3E21F864D for <oauth@ietf.org>; Fri, 20 Apr 2012 10:34:42 -0700 (PDT)
X-TACSUNS: Virus Scanned
Received: from chook.cisco.com (localhost.cisco.com [127.0.0.1]) by av-tac-rtp.cisco.com (8.13.8+Sun/8.13.8) with ESMTP id q3KHYfqa021097 for <oauth@ietf.org>; Fri, 20 Apr 2012 13:34:41 -0400 (EDT)
Received: from dhcp-64-102-154-162.cisco.com (dhcp-64-102-154-162.cisco.com [64.102.154.162]) by chook.cisco.com (8.13.8+Sun/8.13.8) with ESMTP id q3KHYfiv001935; Fri, 20 Apr 2012 13:34:41 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: text/plain; charset="us-ascii"
From: Gonzalo Salgueiro <gsalguei@cisco.com>
In-Reply-To: <1BE3A02A-7287-4401-8B73-366390CB3676@ve7jtb.com>
Date: Fri, 20 Apr 2012 13:34:41 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <379ABFA6-E78C-4CD4-B7F7-6E0EC452DF74@cisco.com>
References: <423611CD-8496-4F89-8994-3F837582EB21@gmx.net> <4F8852D0.4020404@cs.tcd.ie> <9452079D1A51524AA5749AD23E0039280EFE8D@exch-mbx901.corp.cloudmark.com> <sjm1unn338j.fsf@mocana.ihtfp.org> <9452079D1A51524AA5749AD23E0039280FACC3@exch-mbx901.corp.cloudmark.com> <4E1F6AAD24975D4BA5B168042967394366490B2A@TK5EX14MBXC284.redmond.corp.microsoft.com> <091401cd1ea3$e159be70$a40d3b50$@packetizer.com> <CAHBU6it3ZmTdK-mTwydXSRvGvZAYuv0FFR2EWLwdfTxQh4XV5g@mail.gmail.com> <091901cd1eb0$167a8ce0$436fa6a0$@packetizer.com> <sjmbommzdv4.fsf@mocana.ihtfp.org> <7F48DDA5-EA3C-45B0-90E0-C39F06748B35@cisco.com> <1BE3A02A-7287-4401-8B73-366390CB3676@ve7jtb.com>
To: John Bradley <ve7jtb@ve7jtb.com>
X-Mailer: Apple Mail (2.1257)
Cc: Derek Atkins <derek@ihtfp.com>, oauth@ietf.org, Apps Discuss <apps-discuss@ietf.org>
Subject: Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web Discovery (SWD)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Apr 2012 17:34:43 -0000

John - 

I understand your position, I truly do.  I'd even go so far as saying that a part of me agree with you given the ubiquitousness of JSON. Two concerns/questions come to mind:

- If it is a MUST in 6415, then isn't it simply good protocol design to maintain that same level of requirement in the discovery protocol based entirely on it? If the answer is "no", then we can figure something out but I'm sharing that this was our primary motivation for requiring it in WebFinger.

- Is it alarming to anyone how quickly we go through "flavor of the day" formats? 6415 was published 6 months ago and we are already ready to declare the mandatory format there a dinosaur that is now obsolete and unnecessary?

Cheers,

Gonzalo

On Apr 20, 2012, at 1:23 PM, John Bradley wrote:

> I would be OK with optional XML support in the server,  that way existing endpoints will continue to work, but new ones are not required to add something some people feel is cruft.
> 
> As one of the XRD authors, I do understand the advantages of it.
> 
> However I don't want to be sentimental, and force people to carry forward things that won't be used, and may hamper adoption.
> 
> And Yes I am one of the hard hatred basters that decided to redo  openID on OAuth rather than trying to graft OAuth functionality onto openID 2.   
> 
> Keeping what's working working is fine,  but not forcing people to carry it forward.
> 
> John B.
> 
> On 2012-04-20, at 7:09 PM, Gonzalo Salgueiro wrote:
> 
>> Derek - 
>> 
>> On Apr 20, 2012, at 10:17 AM, Derek Atkins wrote:
>> 
>>> Paul,
>>> 
>>> "Paul E. Jones" <paulej@packetizer.com> writes:
>>> 
>>>> Tim,
>>>> 
>>>> I do not agree that it's harmful. If I removed the WF discussion off the
>>>> table, I'm still having a hard time buying into everything you said in the
>>>> blog post.
>>>> 
>>>> I implement various web services, largely for my own use.  Usually, I
>>>> implement all of them in XML, JSON, plain text (attribute/value pairs), AND
>>>> JavaScript (for JSONP).  For simple services, it's not hard.  I do it
>>>> because I sometimes have different wants/desires on the client side.  (For
>>>> more complex ones, I use XML.)
>>> 
>>> As an individual (and not the chair of OAUTH) I believe that the server
>>> should be allowed, no encouraged, to support multiple formats for data
>>> retrieval.  I also believe that clients should be allowed to choose only
>>> one.  I am fine with JSON being Mandatory to Implement.  I am NOT okay
>>> with making it the only one, and I am even less okay with mandating it
>>> is the ONLY one.  I would say MUST JSON, MUST (or possibly SHOULD -- you
>>> can convince me either way) XML, and MAY for anything else that people
>>> feel stronly about (although I feel in 2012 XML and JSON are the two
>>> best).  I also feel it is okay to say that a client MUST implement one
>>> of JSON or XML, and MAY implement more.
>>> 
>>> <OAUTH Chair Hat>
>>> 
>>> Note that this is a replay of the historical "MUST Implement" versus
>>> "MUST Use" arguments.  Just because the server MUST IMPLEMENT JSON and
>>> XML does not mean that a Client must use both (or even that a client
>>> must implement both).  It is perfectly reasonable and generally
>>> acceptable to have a server that provides data in multiple formats
>>> whereas the client only supports a subset and specifies which format(s)
>>> are acceptable.
>>> 
>>> </OAUTH Char Hat>
>>> 
>> 
>> This is the most sensible path forward.  A MUST for JSON and XML (I'm going with a MUST for XML to maintain backwards compatibility with RFC 6415) on the server side and a client can choose whatever format it wants. This is the approach taken in the current WebFinger draft. If we reach consensus that we must mandate a client format (Note: I don't personally think we need to), then so be it.
>> 
>> Cheers,
>> 
>> Gonzalo
>> 
>>> -derek
>>> 
>>> -- 
>>>     Derek Atkins                 617-623-3745
>>>     derek@ihtfp.com             www.ihtfp.com
>>>     Computer and Internet Security Consultant
>>> _______________________________________________
>>> apps-discuss mailing list
>>> apps-discuss@ietf.org
>>> https://www.ietf.org/mailman/listinfo/apps-discuss
>>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email