Re: [webfinger] [apps-discuss] Mail client configuration via WebFinger

[Marten Gajda <marten@dmfs.org>]

Hi Paul,

we've brought up this topic during the last CalConnect conference and it
was decided to revitalize the TC where the draft you mentioned
originated from. We have some interest from software vendors and users
to get this solved.

As mentioned before, one of the major problems to solve is
authentication. The issue raised was that the pure existence of a link
to a configuration document in the webfinger response can reveal the
existence of the account. On the other hand, requiring authentication
for auto configuration results in other possible security issues and a
poor user experience. The latter ones could probably be solved by making
OpenID Connect a requirement for auto configuration, which, on the other
hand, adds another layer of complexity and probably makes it less
attractive to smaller vendors.

Does anyone see any possible solution to that?

I'd also like to suggest a few changes in the structure of the
configuration document and to drop support for services not protected by
TLS or any other transport security layer. I'll post an updated draft as
a basis for discussion.

I'm happy to join the upcoming IEFT meeting in Berlin and have a BOF or
something if there is enough interest in that.

cheers

Marten




Am 09.02.2016 um 02:03 schrieb Paul E. Jones:
> Marten,
>
> Thanks for the encouraging words; it sounds like you understand the
> problem that needs to be solved.
>
> I always felt the server side was the trivial part.  As you said, it's
> possible to set up a simple WebFinger server with a static file (or
> sets of files), an .htaccess file, etc.  I use a server that pulls
> data from a database, myself.  Importantly, though, the WebFinger
> protocol is very simple (and I have to thank a number of folks who
> forced that simplicity), so I see the server side as being far less of
> a barrier.  Hosting providers, for example, could very quickly and
> easily support this server-side.
>
> The clients are the challenge.  As others have noted, this requires
> code changes in the clients and deployment of the clients.  I'm
> encouraged that you're working on client code. :)
>
> Having an RFC is going to be an extremely important step to actually
> seeing this problem solved.  That said, I did not want to spend time
> on something that would be met with total rejection.  It sounds like
> there is at least enough interest to start a meaningful dialog, so
> I'll try to put together a draft soon and we can go from there.  If
> you're interested to collaborate on that, you're certainly welcome.
>
> Paul
>
> ------ Original Message ------
> From: "Marten Gajda" <marten@dmfs.org>
> To: webfinger@ietf.org
> Sent: 2/8/2016 5:54:58 PM
> Subject: Re: [webfinger] [apps-discuss] Mail client configuration via
> WebFinger
>
>> Hi Paul,
>>
>> as a client developer I'm very interested in this topic. We've
>> actually implemented draft-daboo-aggregated-service-discovery-03 and
>> there is at least one groupware server product which also supports it.
>>
>> While working on our implementation we've identified a few minor
>> issues with the latest draft and we've already discussed them with
>> Cyrus. I think most of these issues are solved easily.
>>
>> Though, the major issue has not been addressed yet. It's the issue
>> mentioned by Stephen. Under certain conditions a client might have to
>> ask the user upfront to authenticate, which may disclose the user's
>> credentials to the wrong service.
>>
>> We didn't release this feature in our generic CalDAV/CardDAV clients,
>> mostly due to that issue.
>>
>> Anyway, I think it really starts with the server developers.
>> Implementing the current spec is not that much work on the server
>> side. In many cases the server configuration document could just be a
>> static file and setting up a simple WebFinger end point is not that
>> hard either. Actually, for our corporate server we've just created a
>> few static files and some redirect magic in our .htaccess file to
>> provide the WebFinger stuff.
>>
>> On the client side it's more work, because it affects the account
>> setup flow a lot. But it surely is worth the efforts if more services
>> support it.
>>
>> However, before even the server developers can start, it requires an
>> RFC. So lets start to think about how to solve the authentication issue.
>>
>> cheers
>>
>> Marten
>>
>>
>> Am 08.02.2016 um 20:00 schrieb Paul E. Jones:
>>> Cyrus,
>>>
>>>> Right now it is not clear to me that an ASCOT-like solution would
>>>> be adopted given the use of device management. Before embarking on
>>>> this we need to take a careful look at whether any solution is
>>>> likely to be adopted (with the biggest burden likely being on
>>>> clients/OS vendors to support it). Given the device management
>>>> solutions already out there, I suspect there would be little value
>>>> to m,ost of those folks to actually support ASCOT.
>>>
>>> I completely agree that we should try to get a sense of the
>>> likelihood of success.
>>>
>>> Within the enterprise -- especially the larger ones -- you are
>>> entirely correct that device management systems provide a good
>>> solution for most of the employees.   However, I interact with a lot
>>> of smaller businesses that do not use such systems.  Many of them
>>> have a web hosting company host their domains and do not have IT
>>> staff to help them on a daily basis.  I'm skeptical that a device
>>> management system would help that class of users, so arming hosting
>>> providers with tools they can deploy to their customers would help,
>>> I think.
>>>
>>> There are also a number of individuals who have their own domains,
>>> many hosted on the many, many web hosting providers out there. Same
>>> issue for most of them.
>>>
>>> So, I think there is a market need.  I suspect if we were to create
>>> a solution, hosting providers were to deploy it, and client
>>> developers were to support it, people would use it.  However, that's
>>> a string of "ifs".  I think it starts with the client developers. 
>>> If there were people interested to solve the problem, I think the
>>> rest falls into place.
>>>
>>> All that said, if client developers are uninterested, there's little
>>> point working to solve this problem.
>>>
>>>> As an alternative, the IETF might want to take a more serious look
>>>> at the overall device management solutions, and see if there might
>>>> be scope for standards in that area. That would allow us to build
>>>> off something that is already deployed (in a number of proprietary
>>>> solutions) but is today solving the problem of account setup.
>>>
>>> I think your suggestion is worthwhile independent of whether we
>>> solve the problem for smaller businesses and individual users of
>>> hosted domains.  It would good if the same solution or would address
>>> those needs of smaller businesses and individuals, but if it didn't,
>>> it's still a step forward.
>>>
>>> Paul
>>>
>>> _______________________________________________
>>> webfinger mailing list
>>> webfinger@ietf.org
>>> https://www.ietf.org/mailman/listinfo/webfinger
>>
>> -- Marten Gajda
>> CEO
>>
>> dmfs GmbH
>> Schandauer Straße 34
>> 01309 Dresden
>> GERMANY
>>
>> phone: +49 177 4427167
>> email: marten@dmfs.org
>>
>> Managing Director: Marten Gajda
>> Registered address: Dresden
>> Registered No.: AG Dresden HRB 34881
>> VAT Reg. No.: DE303248743
>>
>> _______________________________________________
>> webfinger mailing list
>> webfinger@ietf.org
>> https://www.ietf.org/mailman/listinfo/webfinger
>

-- 
Marten Gajda
CEO

dmfs GmbH
Schandauer Straße 34
01309 Dresden
GERMANY

phone: +49 177 4427167
email: marten@dmfs.org

Managing Director: Marten Gajda
Registered address: Dresden
Registered No.: AG Dresden HRB 34881
VAT Reg. No.: DE303248743