Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web Discovery (SWD)

Daniel Renfer <duck@kronkltd.net> Fri, 20 April 2012 15:08 UTC

From: Daniel Renfer <duck@kronkltd.net>
Date: Fri, 20 Apr 2012 11:08:34 -0400
To: William Mills <wmills@yahoo-inc.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>, Apps Discuss <apps-discuss@ietf.org>
Subject: Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web Discovery (SWD)

The point is that existing WF clients have been written to not use the
resource parameter because in the past, that parameter hasn't been
available or hasn't been reliable.

If the resource parameter is required, this older method of fetching
the host meta and constructing the URL to fetch the user meta would
still continue to work just as before.

Even if the resource parameter were made mandatory today, real-world
WF clients would still have to account for the possibility of resource
queries resulting in an error or incorrect information. Given the
number of currently deployed WF-enabled services and the difficulty in
upgrading all of them, this is going to be the case for some time.

Resource parameters should be strongly encouraged, but not required.

On Fri, Apr 20, 2012 at 10:45 AM, William Mills <wmills@yahoo-inc.com> wrote:
> So you are guaranteeing that there are no clients using WF today?
>
> ________________________________
> From: Mike Jones <Michael.Jones@microsoft.com>
> To: Paul E. Jones <paulej@packetizer.com>; 'Murray S. Kucherawy'
> <msk@cloudmark.com>; "oauth@ietf.org" <oauth@ietf.org>; 'Apps Discuss'
> <apps-discuss@ietf.org>
> Sent: Thursday, April 19, 2012 10:48 PM
> Subject: Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web Discovery
> (SWD)
>
> To be clear, making this mandatory would break no clients.  It would require
> updating some servers, just as requiring JSON would.  This seems like a fair
> tradeoff when it makes an appreciable difference in user interface latency
> in some important scenarios.  If you and the other key WebFinger supporters
> can agree to making "resource" support mandatory and requiring JSON, I
> believe we may have a path forward.
>
>                 Cheers,
>                 -- Mike
>
> -----Original Message-----
> From: Paul E. Jones [mailto:paulej@packetizer.com]
> Sent: Thursday, April 19, 2012 10:39 PM
> To: Mike Jones; 'Murray S. Kucherawy'; oauth@ietf.org; 'Apps Discuss'
> Subject: RE: [apps-discuss] [OAUTH-WG] Web Finger vs. Simple Web Discovery
> (SWD)
>
> That's correct.  We could certainly make it mandatory, but the reason it
> isn't is to maintain backward compatibility with existing deployments.
>
> I think we should always think carefully when we decide to make a change
> that breaks backward-compatibility.  This is one change that would do that.
>
> Paul
>
>> -----Original Message-----
>> From: Mike Jones [mailto:Michael.Jones@microsoft.com]
>> Sent: Friday, April 20, 2012 1:10 AM
>> To: Paul E. Jones; 'Murray S. Kucherawy'; oauth@ietf.org; 'Apps Discuss'
>> Subject: RE: [apps-discuss] [OAUTH-WG] Web Finger vs. Simple Web
>> Discovery
>> (SWD)
>>
>> Currently, support for the "resource" parameter is optional, as per
>> the following (correct?):
>>
>>    Note that support for the "resource" parameter is optional, but
>>    strongly RECOMMENDED for improved performance.  If a server does not
>>    implement the "resource" parameter, then the server's host metadata
>>    processing logic remains unchanged from RFC 6415.
>>
>> To truly support 1, this would need to be changed to REQUIRED, correct?
>>
>>                 -- Mike
>>
>> -----Original Message-----
>> From: Paul E. Jones [mailto:paulej@packetizer.com]
>> Sent: Thursday, April 19, 2012 8:16 PM
>> To: Mike Jones; 'Murray S. Kucherawy'; oauth@ietf.org; 'Apps Discuss'
>> Subject: RE: [apps-discuss] [OAUTH-WG] Web Finger vs. Simple Web
>> Discovery
>> (SWD)
>>
>> Mike,
>>
>> > There are two criteria that I would consider to be essential
>> > requirements for any resulting general-purpose discovery specification:
>> >
>> > 1.  Being able to always discover per-user information with a single
>> > GET (minimizing user interface latency for mobile devices, etc.)
>>
>> WF can do that.  See:
>> $ curl -v https://packetizer.com/.well-known/\
>>          host-meta.json?resource=acct:paulej@packetizer.com
>>
>> > 2.  JSON should be required and it should be the only format
>> > required (simplicity and ease of deployment/adoption)
>>
>> See the above example.  However, I also support XML with my server.
>> It took me less than 10 minutes to code up both XML and JSON
>> representations.
>> Once the requested format is determined, the requested URI is
>> determined, data is pulled from the database, spitting out the desired
>> format is trivial.
>>
>> Note, and very important note: supporting both XML and JSON would only
>> be a server-side requirement.  The client is at liberty to use the
>> format it prefers.  I would agree that forcing a client to support
>> both would be unacceptable, but the server?  Nothing to it.
>>
>> > SWD already meets those requirements.  If the resulting spec meets
>> > those requirements, it doesn't matter a lot whether we call it
>> > WebFinger or Simple Web Discovery, but I believe that the
>> > requirements discussion is probably the most productive one to be
>> > having at this point - not the starting point document.
>>
>> I believe WebFinger meets those requirements.  We could debate whether
>> XML should be supported, but I'll note (again) that it is there in RFC
>> 6415.
>> That document isn't all that old and, frankly, it concerns me that we
>> would have a strong preference for format A one week and then Format B
>> the next.
>> We are where we are and I can see reason for asking for JSON, but no
>> good reason to say we should not allow XML (on the server side).
>>
>> Paul
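The client behaviour described in the reply at the top of this message (try the "resource" query, then fall back to host-meta plus the LRDD template, and do not trust an answer that is about something else) can be sketched as follows. This is an added example, not code from the thread or from any WebFinger implementation; the injected `fetch` callable, the `legacy.example` server and the https-only check on the template are assumptions made here.

```python
import json
from urllib.parse import quote, urlsplit

def _get_jrd(fetch, url):
    """GET url and return the parsed JRD object, or None on any failure."""
    status, body = fetch(url)
    if status != 200:
        return None
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    return doc if isinstance(doc, dict) else None

def discover(resource, host, fetch):
    """Return (jrd, path). fetch(url) -> (status, body) is supplied by the caller."""
    base = f"https://{host}/.well-known/host-meta.json"
    enc = quote(resource, safe="")
    # Single-GET path. Accept it only if the answer is about the account we
    # asked for: a server that ignores "resource" returns host-level metadata.
    jrd = _get_jrd(fetch, f"{base}?resource={enc}")
    if jrd and jrd.get("subject") == resource:
        return jrd, "resource"
    # Older two-step path (RFC 6415): read host-meta, expand the lrdd template.
    host_meta = _get_jrd(fetch, base) or {}
    for link in host_meta.get("links", []):
        template = link.get("template", "")
        if link.get("rel") != "lrdd" or "{uri}" not in template:
            continue
        url = template.replace("{uri}", enc)
        if urlsplit(url).scheme != "https":  # assumed policy: no downgrade to http
            continue
        jrd = _get_jrd(fetch, url)
        if jrd and jrd.get("subject") == resource:
            return jrd, "lrdd"
    raise LookupError(f"no descriptor for {resource}")

# Constructed sample: a legacy server that ignores "?resource=" entirely.
ACCT = "acct:alice@legacy.example"
LEGACY = {
    "/.well-known/host-meta.json": {"links": [
        {"rel": "lrdd", "template": "https://legacy.example/describe?uri={uri}"}]},
    "/describe": {"subject": ACCT},
}

def legacy_fetch(url):
    page = LEGACY.get(urlsplit(url).path)
    return (200, json.dumps(page)) if page else (404, "")
```

Against the constructed legacy server the lookup for `ACCT` succeeds through the "lrdd" path, while a lookup for any other account fails because the returned subject does not match the request.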