Re: [OAUTH-WG] Web Finger vs. Simple Web Discovery (SWD)

John Bradley <ve7jtb@ve7jtb.com> Thu, 12 April 2012 19:57 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <4F871EFB.6000807@alcatel-lucent.com>
Date: Thu, 12 Apr 2012 21:56:59 +0200
Message-Id: <291BA738-06A8-4993-A251-DD148B89F1A3@ve7jtb.com>
References: <423611CD-8496-4F89-8994-3F837582EB21@gmx.net> <4F86C437.3000006@cs.tcd.ie> <4F871201.1000103@alcatel-lucent.com> <C87D8EE8-BBBA-4ACF-891B-3B1A2285469E@ve7jtb.com> <4F871EFB.6000807@alcatel-lucent.com>
To: igor.faynberg@alcatel-lucent.com
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Web Finger vs. Simple Web Discovery (SWD)

There is no reason that SWD would not be a host service that host-meta could list like any other.

That should be supported now by the host-meta spec.

The question is client complexity.

A client could look in host-meta and do SWD if it finds that service and no mapping template, or the other way around.

The question is, do we want to add the complexity to clients where they have to support multiple discovery specs?

I seem to recall people calling me the devil for XRI resolution in OpenID 2.0.
Not to offend, but Web Finger is XRI resolution without the central registry.

John B.


On 2012-04-12, at 8:29 PM, Igor Faynberg wrote:

> John,
> 
> I agree with you on everything you said about the differences.  My question: Are these not about API rather than the protocol?
> 
> (I was just trying to see if I can find a common fixed point to start with.)
> 
> Igor
> 
> On 4/12/2012 2:00 PM, John Bradley wrote:
>> There are important deployment and privacy issues that caused OpenID Connect to use SWD.
>> 
>> I was part of the OASIS XRI/XRD work that Web Finger has been based on.
>> 
>> The main differences are around allowing all of the users information to be publicly discoverable, vs providing for access control.
>> 
>> They are similar, but have real design differences.
>> 
>> Web Finger without XML is not horrible by any means, but neither is SWD.
>> 
>> SWD is more about users while host-meta is more about server resources.
>> 
>> John B.
>> 
>> 
>> On 2012-04-12, at 7:33 PM, Igor Faynberg wrote:
>> 
>>> To me this looks like more than the same problem being solved--it appears to be the same protocol... I wonder if, were the representation issues put aside (i.e., left to the API specification), the common part is what can be adopted.
>>> 
>>> Igor
>>> 
>>> On 4/12/2012 8:01 AM, Stephen Farrell wrote:
>>>> 
>>>> On 04/12/2012 12:00 PM, Hannes Tschofenig wrote:
>>>>> Hi all,
>>>>> 
>>>>> those who had attended the last IETF meeting may have noticed the ongoing activity in the 'Applications Area Working Group' regarding Web Finger.
>>>>> We had our discussion regarding Simple Web Discovery (SWD) as part of the re-chartering process.
>>>>> 
>>>>> Here are the two specifications:
>>>>> http://tools.ietf.org/html/draft-jones-appsawg-webfinger-03
>>>>> http://tools.ietf.org/html/draft-jones-simple-web-discovery-02
>>>>> 
>>>>> Now, the questions that seems to be hanging around are
>>>>> 
>>>>>   1) Aren't these two mechanisms solving pretty much the same problem?
>>>>>   2) Do we need to have two standards for the same functionality?
>>>>>   3) Do you guys have a position or comments regarding either one of them?
>>>>> 
>>>>> Ciao
>>>>> Hannes
>>>>> 
>>>>> PS: Please also let me know if your view is: "I don't really know what all this is about and the documents actually don't provide enough requirements to make a reasonable judgement about the solution space."
>>>>> 
>>>> So just as a data-point. We (the IETF, but including
>>>> me personally;-) mucked up badly on this some years
>>>> ago in the PKI space - we standardised both CMP (rfc
>>>> 2510) and CMC (rfc 2797) as two ways to do the same
>>>> thing, after a protracted battle between factions
>>>> supporting one or the other. We even made sure they
>>>> had as much common syntax as possible. (CRMF, rfc
>>>> 2511)
>>>> 
>>>> Result: neither fully adopted, lots of people still
>>>> do proprietary stuff, neither can be killed off
>>>> (despite attempts), both need to be maintained (CMP
>>>> is now RFC 4210, CMC, 5272, CRMF, 4211), and IMO
>>>> partly as a result of us screwing up for what seemed
>>>> like good reasons at the time, PKI administration
>>>> stuff has never gotten beyond horrible-to-do.
>>>> 
>>>> All-in-all, a really bad outcome which is still
>>>> a PITA a dozen years later.
>>>> 
>>>> As OAuth AD I will need *serious* convincing that
>>>> there is a need to provide two ways to do the same
>>>> thing. I doubt it'll be possible to convince me,
>>>> in fact, so if you wanna try, you'll need to start
>>>> by saying that they are not in fact two ways to do
>>>> the same thing:-)
>>>> 
>>>> S.
>>>> 
>>>> PS: This discussion needs to also involve the Apps
>>>> area, so I've cc'd that list.
>>>> 
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>> 
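The client flow John sketches at the top of this message (look in host-meta, do SWD if it advertises that service and carries no mapping template, otherwise follow the template) as an added example; this is not code from this thread, from either draft, or from any OpenID or IETF project. HTTPS fetches are replaced by a constructed in-memory table so it runs offline. Assumed shapes: host-meta in its JSON (JRD) form per RFC 6415 with "links" carrying "rel", "href" or "template"; an SWD reply of the form {"locations": [...]} as in draft-jones-simple-web-discovery-02; the host-meta rel used to advertise an SWD endpoint is hypothetical, since no such rel is registered. The host names and the ISSUER service URI are constructed for the example.

```python
"""Client discovery that consults host-meta first and falls back to SWD.

Added example, not code from either draft. Network fetches are simulated by
the FAKE_WEB table below; SWD_REL is a hypothetical rel for advertising an
SWD endpoint inside host-meta, and all host names are constructed.
"""
import json
from urllib.parse import quote, urlencode, urlsplit

ISSUER = "http://openid.net/specs/connect/1.0/issuer"  # service being looked up
SWD_REL = "http://rel.example/simple-web-discovery"    # hypothetical rel
SWD_PATH = "/.well-known/simple-web-discovery"
HOST_META = "/.well-known/host-meta.json"


def swd_url(base, principal, service):
    """Build the SWD query; urlencode percent-encodes ':' '@' '/' in both values."""
    return base + "?" + urlencode({"principal": principal, "service": service})


def expand_lrdd(template, principal):
    """Expand an LRDD template. The principal is percent-encoded so a crafted
    identifier cannot inject extra query parameters into the resulting URL."""
    if "{uri}" not in template:
        raise ValueError("lrdd template has no {uri} placeholder")
    return template.replace("{uri}", quote(principal, safe=""))


# Constructed fixtures standing in for HTTPS GETs (url -> response body).
FAKE_WEB = {
    # swd-only.example: host-meta lists an SWD service and no lrdd template.
    "https://swd-only.example" + HOST_META: json.dumps({"links": [
        {"rel": SWD_REL, "href": "https://swd-only.example" + SWD_PATH}]}),
    swd_url("https://swd-only.example" + SWD_PATH, "acct:alice@swd-only.example", ISSUER):
        json.dumps({"locations": ["https://swd-only.example/"]}),
    # wf.example: host-meta carries an lrdd template and says nothing about SWD.
    "https://wf.example" + HOST_META: json.dumps({"links": [
        {"rel": "lrdd", "template": "https://wf.example/lrdd?uri={uri}"}]}),
    "https://wf.example/lrdd?uri=" + quote("acct:bob@wf.example", safe=""):
        json.dumps({"subject": "acct:bob@wf.example",
                    "links": [{"rel": ISSUER, "href": "https://wf.example/"}]}),
    # bare.example: no host-meta at all, only the default SWD endpoint.
    swd_url("https://bare.example" + SWD_PATH, "acct:carol@bare.example", ISSUER):
        json.dumps({"locations": ["https://idp.bare.example/"]}),
    # downgrade.example: host-meta template points the client at plaintext.
    "https://downgrade.example" + HOST_META: json.dumps({"links": [
        {"rel": "lrdd", "template": "http://downgrade.example/lrdd?uri={uri}"}]}),
}


def fetch(url):
    """Simulated GET. Refuses anything but https so a discovery document
    cannot steer the client onto plaintext; returns None for a 404."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing non-https discovery fetch: " + url)
    body = FAKE_WEB.get(url)
    return json.loads(body) if body is not None else None


def discover(principal, service):
    """Return (location, chain): the location of `service` for `principal`
    and the list of URLs consulted, so the caller can audit where trust came from."""
    host = principal.rsplit("@", 1)[-1]
    chain = []

    def get(url):
        chain.append(url)
        return fetch(url)

    meta = get("https://" + host + HOST_META)
    links = (meta or {}).get("links", [])
    swd_base = next((ln.get("href") for ln in links if ln.get("rel") == SWD_REL), None)
    lrdd = next((ln.get("template") for ln in links if ln.get("rel") == "lrdd"), None)

    if lrdd and not swd_base:
        # WebFinger-style: follow the mapping template to the per-user document.
        jrd = get(expand_lrdd(lrdd, principal)) or {}
        hrefs = [ln.get("href") for ln in jrd.get("links", []) if ln.get("rel") == service]
    else:
        # SWD: the endpoint host-meta advertised, or the well-known default.
        base = swd_base or "https://" + host + SWD_PATH
        hrefs = (get(swd_url(base, principal, service)) or {}).get("locations", [])

    # Only accept an https location; anything else is treated as not found.
    for href in hrefs:
        if urlsplit(href).scheme == "https":
            return href, chain
    return None, chain
```

The two checks in `fetch` and `expand_lrdd` are the part a practitioner would want regardless of which draft wins: the discovery hop is where a client decides which server it will trust as the issuer for a principal, so it must refuse to be redirected onto plaintext and must encode the principal before substituting it into a template. The returned `chain` records every URL consulted, which is what you want logged when investigating a client that ended up talking to the wrong issuer.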