Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web Discovery (SWD)

Kevin Marks <kevinmarks@gmail.com> Mon, 16 April 2012 19:47 UTC

Return-Path: <kevinmarks@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAFB321F861F; Mon, 16 Apr 2012 12:47:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b3ImB1JM5IEM; Mon, 16 Apr 2012 12:47:49 -0700 (PDT)
Received: from mail-qc0-f172.google.com (mail-qc0-f172.google.com [209.85.216.172]) by ietfa.amsl.com (Postfix) with ESMTP id CC19421F8627; Mon, 16 Apr 2012 12:47:48 -0700 (PDT)
Received: by qcsq13 with SMTP id q13so4096639qcs.31 for <multiple recipients>; Mon, 16 Apr 2012 12:47:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=rN4iHozaL+sQF+E4gUhYVhiVdjQMcRDgA+jL5dYO65w=; b=R5O2eEV/zIXkybjzT+4rrcbne15WUDXuOATeR0MCsvBz4W0ouFXWs61ZUCBh0B1hXw g30nolXyjp/Y0Po0JUKHmt2wkAnfoY9BZ5VZGZ6tEghC2S9jTwUN0lyPDyZMnvUHO0nB nhTjtHntbpnyzga0Jj6NyrvUaKLEL20yuUBexNBwkRO5z6PBDLKRoIguEKk3X76hoCEm KKxekxtx0arPgEKZPAxrR+Sk85LEJ4/ZNarZ4sD+Cb3eGWpbHoFtERVyXMPDeZJrQFti VzK9OJmXNWIdFQRl4qaOErjM2/ArSAQEukvquAy0R+qQ+W+lgbbzr5fzeIfTA1LT7gYD 29XQ==
MIME-Version: 1.0
Received: by 10.229.136.131 with SMTP id r3mr5203372qct.129.1334605668374; Mon, 16 Apr 2012 12:47:48 -0700 (PDT)
Received: by 10.229.38.70 with HTTP; Mon, 16 Apr 2012 12:47:48 -0700 (PDT)
In-Reply-To: <sjm1unn338j.fsf@mocana.ihtfp.org>
References: <423611CD-8496-4F89-8994-3F837582EB21@gmx.net> <4F8852D0.4020404@cs.tcd.ie> <9452079D1A51524AA5749AD23E0039280EFE8D@exch-mbx901.corp.cloudmark.com> <sjm1unn338j.fsf@mocana.ihtfp.org>
Date: Mon, 16 Apr 2012 12:47:48 -0700
Message-ID: <CAD6ztsqCQC2OpWWRz-dbPZicXq19nbVJ65Wu3zLqzM=XmN==YA@mail.gmail.com>
From: Kevin Marks <kevinmarks@gmail.com>
To: Derek Atkins <derek@ihtfp.com>
Content-Type: multipart/alternative; boundary="00248c768f9ec75a1104bdd118ce"
Cc: "oauth@ietf.org WG" <oauth@ietf.org>, Apps Discuss <apps-discuss@ietf.org>
Subject: Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web Discovery (SWD)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Apr 2012 19:47:50 -0000

On Mon, Apr 16, 2012 at 12:07 PM, Derek Atkins <derek@ihtfp.com> wrote:
>
> I think there are two main differerences between webfinger and swd:
>
> a) whole-document vs. individual attributes
> b) a perceived authorization model to control access to said attributes
>
> In particular I feel there are some specific security requirements that
> must be bet by the protocol, but I think it's easily accomplished by
> a small amount of text that effectively says:
>
> 1) requestors of the service should authenticate (or be treated as an
>   anonymous user)
> 2) content returned must be dynamic and dependent on the authorization
>   of the authenticated user.
>

I think requesters MAY authenticate, not SHOULD.


>
> This leaves only the perceived issue of "whole document" vs "individual
> attribute".  If a client ever wants more than one attribute then a whole
> document approach reduces the number of round trips.  However if
> documents get large that could also affect performance.  We might, then,
> need a way to specify which attributes are requested, but allow for a
> wildcard to return "everything I am authorized to see".
>

Something like the PoCo query model?