Re: [webfinger] secure links with https rels
James M Snell <jasnell@gmail.com> Thu, 13 December 2012 19:22 UTC
Return-Path: <jasnell@gmail.com>
X-Original-To: webfinger@ietfa.amsl.com
Delivered-To: webfinger@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5951F21F897E for <webfinger@ietfa.amsl.com>; Thu, 13 Dec 2012 11:22:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.825
X-Spam-Level:
X-Spam-Status: No, score=-3.825 tagged_above=-999 required=5 tests=[AWL=-0.227, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EbaxvEFObNlM for <webfinger@ietfa.amsl.com>; Thu, 13 Dec 2012 11:22:19 -0800 (PST)
Received: from mail-ie0-f182.google.com (mail-ie0-f182.google.com [209.85.223.182]) by ietfa.amsl.com (Postfix) with ESMTP id 36CAA21F897D for <webfinger@ietf.org>; Thu, 13 Dec 2012 11:22:19 -0800 (PST)
Received: by mail-ie0-f182.google.com with SMTP id s9so4659845iec.13 for <webfinger@ietf.org>; Thu, 13 Dec 2012 11:22:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=6W/Lhgxo7BbNz+98BuA8a+9XrttrkVaS70cz4iVJAOk=; b=t7GYLBFhZytECe8vWw9Ee1sOaVSAdNCsVh0tBM1nYHBk0qLxhllNT7mAf0YID0IOSZ rPraj77SQ6sYiXLs7/CGcldbDnm52z6yIlJ6mQ+8Aa+QsfqOFdUlTJMUjw6CG8jb9iyP YbLbbzP7SpP32tUExFYC5xmTyQM/t1rlgWaGm86U/9XTZfkMwx/1mgJ7tbb8At5q2ide G8vYOLboL/5Z3XhEAY90Hs9z+ARh5MLz1tkcW4FLoGoDqePwgpaqS2FLvm1FoVWynfIp iOh7tt+QYVSOAlRHo2puZr4Aje9K73fpRmKAx9U0uI2K0OMhVzbZvUQAZ2nPXp1w52kl I+Gw==
Received: by 10.50.178.106 with SMTP id cx10mr18171917igc.24.1355426535898; Thu, 13 Dec 2012 11:22:15 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.7.19 with HTTP; Thu, 13 Dec 2012 11:21:55 -0800 (PST)
In-Reply-To: <CAAkTpCrvt01pVrbODSoBRZ3qsN_njjOZ=MgsA9QsnY4E9Wn8CA@mail.gmail.com>
References: <CAAkTpCrmhpM=LgVo2k7oRnba2H0+YgSNAgrvX_Sq+cv3ON=2XQ@mail.gmail.com> <04a501cdd902$b6cd1cf0$246756d0$@packetizer.com> <CAAkTpCr93g6dV+eLqS5cTEDj9z716Xqa0gNFS3phdb=CMNVbOQ@mail.gmail.com> <053301cdd94a$be9fe690$3bdfb3b0$@packetizer.com> <CAAkTpCpvaXUkxgVHk9MAfu3GHEVbRO_eY59ANzYxo6B-6kEScQ@mail.gmail.com> <CAAkTpCq9rN6Ct_-RBgQ_8HR7NHVtegQCmUsrXdS8_xRSMUCNbw@mail.gmail.com> <05ab01cdd951$54a17c20$fde47460$@packetizer.com> <CAAkTpCoGdEURoojdefq7dVdEqECUN=LFewc-d2NJwKN0YT4qgg@mail.gmail.com> <CAJu8rwWf7UAvpN=c3Tu4yqxEz7LvPx_KKz1tCfUL_-AUe_jFxw@mail.gmail.com> <A09A9E0A4B9C654E8672D1DC003633AE53A5BA8725@GRFMBX704BA020.griffon.local> <CAAkTpCrBwpc1tvaeYLCnsOimEcE1og7fPsz9Tdgtrv9x0oXP9A@mail.gmail.com> <CABP7RbfiRhjxyY_kw_uxT+StFA3sfNciDezws9qHrUtFyb3kjQ@mail.gmail.com> <31369E33-89A8-491F-A2D5-D59ED63813FE@telecomitalia.it> <CABP7RbcFt=rcn_HhSerRFgiYP62v=daK_hiknnVr_b+7FFGqBA@mail.gmail.com> <CAAkTpCrvt01pVrbODSoBRZ3qsN_njjOZ=MgsA9QsnY4E9Wn8CA@mail.gmail.com>
From: James M Snell <jasnell@gmail.com>
Date: Thu, 13 Dec 2012 11:21:55 -0800
Message-ID: <CABP7Rbe450HO13rTRL_BZvzxB8kTMBqdd77jzgqokf0MAXn_OQ@mail.gmail.com>
To: Brad Fitzpatrick <bradfitz@google.com>
Content-Type: multipart/alternative; boundary="e89a8f5036c830fda404d0c0d523"
Cc: "webfinger@ietf.org" <webfinger@ietf.org>, "webfinger@googlegroups.com" <webfinger@googlegroups.com>, Goix Laurent Walter <laurentwalter.goix@telecomitalia.it>, "Paul E. Jones" <paulej@packetizer.com>
Subject: Re: [webfinger] secure links with https rels
X-BeenThere: webfinger@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of the Webfinger protocol proposal in the Applications Area <webfinger.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webfinger>, <mailto:webfinger-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/webfinger>
List-Post: <mailto:webfinger@ietf.org>
List-Help: <mailto:webfinger-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webfinger>, <mailto:webfinger-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Dec 2012 19:22:20 -0000
On Thu, Dec 13, 2012 at 11:05 AM, Brad Fitzpatrick <bradfitz@google.com>wrote: > On Thu, Dec 13, 2012 at 10:54 AM, James M Snell <jasnell@gmail.com> wrote: > >> What I'm saying is that there should be an option of adding a signature >> to the JRD document as a whole, generated using a key trusted by both the >> client and server. This can be provided either within the JRD document >> itself (perhaps leveraging JSON Web Signatures [1]) or using an external >> mechanism such as the proposed Integrity header [2]. Providing this >> information would be entirely optional on the part of the server. If it is >> provided, however, the client SHOULD verify it prior to consuming the data. >> A client could choose not to process any JRD unless the integrity check it >> provided. >> >> [1] http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-07 >> [2] http://tools.ietf.org/html/draft-hallambaker-httpintegrity-02 >> >> How the client and server determine which key to use to generate the >> signature is out of scope but >> > > Which means nobody will use this. You can't just say "Here's a big > optional mechanism, but key details are missing... figure it out, maybe." > > Also, what about this webfinger-specific? If you want to work on signing > HTTP responses (a noble goal), that's great, but there's no reason it needs > to be lumped into WebFinger. > > HTTPS, on the other hand, is well-understood and widely implemented. > > WebFinger isn't supposed to be about designing a new PKI or crypto system. > It's supposed to be a simple mechanism to read some key/value pairs. > > Last post on the topic because I've said basically everything I think needs to be said on it: I never said this is WebFinger specific. I'm not suggesting that anything be "lumped into WebFinger". Nor am I suggesting that WF be "about designing a new PKI or crypto system". If, however, WebFinger is going to be used in cases where verifying the integrity of the provided information is critical, then the specification needs to properly address how the integrity of the information can be verified. HTTPS does not provide for that. Neither does any notion of a "secure link relation".
- [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels Blaine Cook
- Re: [webfinger] secure links with https rels Nick Jennings
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels Breno
- Re: [webfinger] secure links with https rels John Panzer
- Re: [webfinger] secure links with https rels Nick Jennings
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels Paul E. Jones
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels Paul E. Jones
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels Paul E. Jones
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels Nick Jennings
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels Nick Jennings
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels Evan Prodromou
- Re: [webfinger] secure links with https rels Nick Jennings
- Re: [webfinger] secure links with https rels Paul E. Jones
- Re: [webfinger] secure links with https rels Paul E. Jones
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels John Panzer
- [webfinger] R: secure links with https rels Goix Laurent Walter
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels John Bradley
- Re: [webfinger] secure links with https rels ☮ elf Pavlik ☮
- Re: [webfinger] secure links with https rels James M Snell
- Re: [webfinger] secure links with https rels Goix Laurent Walter
- Re: [webfinger] secure links with https rels James M Snell
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels James M Snell
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels ☮ elf Pavlik ☮
- Re: [webfinger] secure links with https rels Goix Laurent Walter
- Re: [webfinger] secure links with https rels ☮ elf Pavlik ☮
- Re: [webfinger] secure links with https rels Goix Laurent Walter
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels James M Snell
- Re: [webfinger] secure links with https rels James M Snell
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels James M Snell
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels James M Snell
- Re: [webfinger] secure links with https rels Paul E. Jones
- Re: [webfinger] secure links with https rels Paul E. Jones
- Re: [webfinger] secure links with https rels Evan Prodromou
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels Paul E. Jones
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels Tim Bray
- Re: [webfinger] secure links with https rels John Bradley
- Re: [webfinger] secure links with https rels John Bradley
- Re: [webfinger] secure links with https rels James M Snell
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels James M Snell
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels Paul E. Jones
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels Nick Jennings
- Re: [webfinger] secure links with https rels Paul E. Jones
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels Goix Laurent Walter
- Re: [webfinger] secure links with https rels Nick Jennings
- Re: [webfinger] secure links with https rels Paul E. Jones
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels James M Snell
- Re: [webfinger] secure links with https rels Tim Bray
- Re: [webfinger] secure links with https rels James M Snell
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels Tim Bray
- Re: [webfinger] secure links with https rels Paul E. Jones
- Re: [webfinger] secure links with https rels Breno
- Re: [webfinger] secure links with https rels Breno
- Re: [webfinger] secure links with https rels Breno
- Re: [webfinger] secure links with https rels Paul E. Jones
- Re: [webfinger] secure links with https rels Brad Fitzpatrick
- Re: [webfinger] secure links with https rels Paul E. Jones
- Re: [webfinger] secure links with https rels Paul E. Jones
- Re: [webfinger] secure links with https rels Zellyn Hunter
- Re: [webfinger] secure links with https rels Breno
- Re: [webfinger] secure links with https rels Breno
- Re: [webfinger] secure links with https rels Paul E. Jones
- Re: [webfinger] secure links with https rels Paul E. Jones
- Re: [webfinger] secure links with https rels John Panzer
- Re: [webfinger] secure links with https rels Paul E. Jones
- Re: [webfinger] secure links with https rels Zellyn Hunter
- Re: [webfinger] secure links with https rels Zellyn Hunter
- Re: [webfinger] secure links with https rels Will Norris
- Re: [webfinger] secure links with https rels Zellyn Hunter
- Re: [webfinger] secure links with https rels John Panzer
- Re: [webfinger] secure links with https rels Breno
- Re: [webfinger] secure links with https rels John Bradley
- Re: [webfinger] secure links with https rels Breno