Re: [OAUTH-WG] Web Finger vs. Simple Web Discovery (SWD)

Mike Jones <> Thu, 12 April 2012 21:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 877AF21F8710 for <>; Thu, 12 Apr 2012 14:51:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.922
X-Spam-Status: No, score=-3.922 tagged_above=-999 required=5 tests=[AWL=-0.323, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id hUzRb-flcc61 for <>; Thu, 12 Apr 2012 14:51:32 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id D1A7E21F8723 for <>; Thu, 12 Apr 2012 14:51:31 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server id; Thu, 12 Apr 2012 21:51:31 +0000
Received: from mail18-db3 (localhost []) by (Postfix) with ESMTP id BE99742093E; Thu, 12 Apr 2012 21:51:30 +0000 (UTC)
X-SpamScore: -34
X-BigFish: VS-34(zz9371I14ffI168aJ542M148cMzz1202hzz1033IL8275dhz2fh2a8h668h839h944hd25h)
X-Forefront-Antispam-Report: CIP:; KIP:(null); UIP:(null); IPV:NLI;; RD:none; EFVD:NLI
Received-SPF: pass (mail18-db3: domain of designates as permitted sender) client-ip=;; ; ;
Received: from mail18-db3 (localhost.localdomain []) by mail18-db3 (MessageSwitch) id 1334267489164004_16208; Thu, 12 Apr 2012 21:51:29 +0000 (UTC)
Received: from (unknown []) by (Postfix) with ESMTP id 17D464C00EC; Thu, 12 Apr 2012 21:51:29 +0000 (UTC)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Thu, 12 Apr 2012 21:51:27 +0000
Received: from ([]) by ([]) with mapi id 14.02.0283.004; Thu, 12 Apr 2012 21:51:22 +0000
From: Mike Jones <>
To: Hannes Tschofenig <>, " WG" <>
Thread-Topic: [OAUTH-WG] Web Finger vs. Simple Web Discovery (SWD)
Thread-Index: AQHNGJt50G7JnMt5ukqcfN3YYKxyCZaXuy7g
Date: Thu, 12 Apr 2012 21:51:22 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] Web Finger vs. Simple Web Discovery (SWD)
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 12 Apr 2012 21:51:33 -0000

Thanks for asking these questions Hannes.  I'll first provide a brief feature comparison of Simple Web Discovery and WebFinger and then answer your questions.


RESULT GRANULARITY AND PRIVACY CHARACTERISTICS:  SWD returns the resource location(s) for a specific resource for a specific principal.  WebFinger returns all resources for the principal.  The example at "Retrieving a Person's Contact Information" is telling.  The WebFinger usage model seems to be "I'll get everything about you and then fish through it to decide what to do with it."  The protocol assumption that all WebFinger information must be public is also built into the protocol where the CORS response header "Access-Control-Allow-Origin: *" is mandated, per  The privacy characteristics of these approaches are very different.  (It's these very same privacy characteristics that led sysadmins to nearly ubiquitously disabling the fingerd service!)  Particularly for the OAuth use cases, narrow, scoped, and potentially permissioned responses seem preferable.

DOCUMENT VERSUS API MODEL, DEPLOYABILITY, AND SECURITY:  WebFinger is built on a "document model", where a single document is returned that contains multiple resources for a principal.  SWD is built on an "API model", where the location(s) of a particular resource for a principal are returned.  The problem with the document model is that different parties or services may be authoritative for different resources for a given principal, and yet all need the rights to edit the resulting document.  This hurts deployability, because document edits then need to be coordinated among parties that may have different rights and responsibilities, and may have negative security implications as well.  (Just because I can change your avatar doesn't mean that I should be able to change your mail server.)

REDIRECT FUNCTIONALITY AND DEPLOYABILTY:  SWD includes the ability to redirect some or all SWD requests to another location (possibly depending upon the specific resource and principal parameters).  Deployers hosting numerous sites for others told the SWD authors that this functionality is critical for deployability, as it means that the SWD server for a domain can live in a location outside the domain.  WebFinger is lacking this functionality.  Given that OAuth is likely to be used in hosted environments, this functionality seems pretty important.

NUMBER OF ROUND TRIPS:  WebFinger discoveries for user information normally require both a host-meta query to retrieve the template and then a second query to retrieve the user's information.  This functionality is achieved in a single SWD query.

XML AND JSON VERSUS JSON:  WebFinger specifies both XML and JSON support, whereas SWD specifies only JSON.  The SWD position is that it's simpler to specify only one way of doing the same thing, with JSON being chosen because it's simpler for developers to use than XML - the same decision as made for the OAuth specs.

DEFINING SPECIFIC RESOURCES:  Besides specifying a discovery protocol, WebFinger also defines specific resources and kinds of resources to be used with that protocol:  the "acct" URI scheme, the "acct" Link Relation.  These should be considered on their own merits, but logically should be decoupled from the discovery protocol into a different document or documents.  It's not clear these features would be needed in OAuth contexts.


1) Aren't these two mechanisms solving pretty much the same problem?

               They are solving an overlapping set of problems, but with very different privacy characteristics, different deployability characteristics, different security characteristics, and somewhat different mechanisms.

2) Do we need to have two standards for the same functionality?

               No - Simple Web Discovery is sufficient for the OAuth use cases (and likely for others as well).

3) Do you guys have a position or comments regarding either one of them?

               The functionality in Simple Web Discovery is minimal and sufficient for the OAuth use cases, whereas some of the functionality and assumptions made in WebFinger are harmful, both from a privacy and from a deployability perspective.  SWD should proceed to standardization; WebFinger should not.

                                                            -- Mike

-----Original Message-----
From: [] On Behalf Of Hannes Tschofenig
Sent: Thursday, April 12, 2012 4:00 AM
To: WG
Subject: [OAUTH-WG] Web Finger vs. Simple Web Discovery (SWD)

Hi all, 

those who had attended the last IETF meeting may have noticed the ongoing activity in the 'Applications Area Working Group' regarding Web Finger. 
We had our discussion regarding Simple Web Discovery (SWD) as part of the re-chartering process. 

Here are the two specifications:

Now, the questions that seems to be hanging around are

 1) Aren't these two mechanisms solving pretty much the same problem?
 2) Do we need to have two standards for the same functionality?
 3) Do you guys have a position or comments regarding either one of them? 


PS: Please also let me know if your view is: "I don't really know what all this is about and the documents actually don't provide enough requirements to make a reasonable judgement about the solution space."

OAuth mailing list