[apps-discuss] AppsDir Review of draft-ietf-appsawg-webfinger-11
Dave Cridland <dave@cridland.net> Mon, 11 March 2013 15:23 UTC
Return-Path: <dave@cridland.net>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37F8D11E8108 for <apps-discuss@ietfa.amsl.com>; Mon, 11 Mar 2013 08:23:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.976
X-Spam-Level:
X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F5VMBNhU0xjQ for <apps-discuss@ietfa.amsl.com>; Mon, 11 Mar 2013 08:23:21 -0700 (PDT)
Received: from mail-oa0-f41.google.com (mail-oa0-f41.google.com [209.85.219.41]) by ietfa.amsl.com (Postfix) with ESMTP id E059821F8A89 for <apps-discuss@ietf.org>; Mon, 11 Mar 2013 08:23:20 -0700 (PDT)
Received: by mail-oa0-f41.google.com with SMTP id i10so4678273oag.0 for <apps-discuss@ietf.org>; Mon, 11 Mar 2013 08:23:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cridland.net; s=google; h=mime-version:x-received:date:message-id:subject:from:to :content-type; bh=V89eZ/V8MC2kquAhi/AUvifxKgJyL6Z5aSehH07F26s=; b=MiKIxTecbIVxymYFv9Ozww+pWK9I0dGLQGEvlH2R0bG3fkpGWnhaISeLYsBVuZJrUf auC6ajvir+QBzIwR/crIBaT7eyqWBliOM6lv/7mQMeX5Wv5ugo6RKVcTpK6zXuVcRwrC fDDhfB3W5jAb9togDxA1pjLVu9KkyH2gCcIfo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:date:message-id:subject:from:to :content-type:x-gm-message-state; bh=V89eZ/V8MC2kquAhi/AUvifxKgJyL6Z5aSehH07F26s=; b=Bs7eJxB492rnNyDVozPRk4s0mE9kI2G4CYhiUILi42QvC0dtFpUeUeElpl+bM22kFw m/7I1/W5XXw9Ei1sr9FIRjZcJDEuciEb7g2HsIWNDBlsD8KxMjGGdg4EkTKCF7ELrog+ /Cq3whMZFKE22NNNaKQZ47IDoehMjoNbbLWO/aFp5JN98jbvhBuywPR6LXu7jwYR67E6 NxW4qMs9gMbPJ8BXuhrvQVRaA/wgxyqzoSmfr6c8nMXV8TMh0LLLd9GlxHw5wj9mLFfH 938Pt+WBwpryv306ZcgQQP7rDBFlH22/8mlDAMdcs002zQgHTTGM/hgww3pCGthzI+ag YrVg==
MIME-Version: 1.0
X-Received: by 10.182.156.103 with SMTP id wd7mr8912046obb.33.1363015400451; Mon, 11 Mar 2013 08:23:20 -0700 (PDT)
Received: by 10.60.19.40 with HTTP; Mon, 11 Mar 2013 08:23:20 -0700 (PDT)
Date: Mon, 11 Mar 2013 15:23:20 +0000
Message-ID: <CAKHUCzxc8_Ye6M__t9y-+fYAKRVWi8q5hcMGopzE3nKhMywiyQ@mail.gmail.com>
From: Dave Cridland <dave@cridland.net>
To: "apps-discuss@ietf.org" <apps-discuss@ietf.org>, draft-ietf-appsawg-webfinger.all@tools.ietf.org, iesg@ietf.org
Content-Type: multipart/alternative; boundary="f46d0444e835c4a47f04d7a7c054"
X-Gm-Message-State: ALoCoQnqgbQzWBRb4uOSgUqAuuRJp6N0EXpz455+k6VhyUrouh84nbC7cpaLsIzomnwY1H00Yz/V
Subject: [apps-discuss] AppsDir Review of draft-ietf-appsawg-webfinger-11
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Mar 2013 15:23:22 -0000
I have been selected as the Applications Area Directorate reviewer for this draft (for background on appsdir, please see http://trac.tools.ietf.org/area/app/trac/wiki/ApplicationsAreaDirectorate ). Please resolve these comments along with any other Last Call comments you may receive. Please wait for direction from your document shepherd or AD before posting a new version of the draft. Document: draft-ietf-appsawg-webfinger-11 Title: Webfinger Reviewer: Dave Cridland Review Date: 2013/03/11 IESG Telechat Date: 2013/03/28 Summary: Close to ready for publication as standards track; some comments which suggest a new version may be required and/or technical discussion needed. Minor Comments: 1) There's some suggestions that webfinger could be used for email autoconfig; I suspect this is at best going to cause confusion especially when there's a BOF tomorrow on the subject. This feels like text that doesn't need to be present. Also, it's a cursed subject anyway; see ACAP. :-) Major Comments: 1) I note that §4.4.4.1 describes a 'rel' such that it redefines and repeats RFC 5988's §4; I think this should be deferred explicitly to RFC 5988 in entirety, rather than specifically only for registered link relation types. The good news is that this should simplify the text rather a lot: """ The value of the "rel" member is a string containing a link relation type (see RFC 5988 [4]). Both registered and extended relation types are permitted. """ 2) The use of webfinger with arbitrary URIs is something I had not previously realised. This raises some concerns for me, as it's not clear whether this is either genuinely desirable or whether it introduces considerations (security and otherwise) beyond those discussed within the document. I would in general rather the mechanism were restricted to acct, http, https, and perhaps mailto. 3) There is no use of SRV here; I would prefer an SRV resolution step for at least acct and mailto scheme URIs, and possibly http/https as well. My concern is that a corporate webserver is typically unlikely to be capable of providing webfinger services (being often externally hosted), and while this could be solved by handling redirects, or by reverse proxying, SRV feels like a more stable solution here. I'd be curious as to whether this has been discussed. 4) It would make §8 more readable if it were split into subsections. I think the first three paragraphs form a discussion about the transport security, the middle paragraphs discuss privacy, and the final paragraph discusses information reliability. I suspect there is one more case to be concerned about, which is that it may be possible for an attacker to use webfinger resources to test the existence of a hypothetical user; that is, one might use webfinger as a harvesting mechanism. Dave.
- [apps-discuss] AppsDir Review of draft-ietf-appsa… Dave Cridland
- Re: [apps-discuss] AppsDir Review of draft-ietf-a… Paul E. Jones
- Re: [apps-discuss] AppsDir Review of draft-ietf-a… Dave Cridland
- Re: [apps-discuss] AppsDir Review of draft-ietf-a… Paul E. Jones
- Re: [apps-discuss] AppsDir Review of draft-ietf-a… Dave Cridland
- Re: [apps-discuss] AppsDir Review of draft-ietf-a… Paul E. Jones
- Re: [apps-discuss] AppsDir Review of draft-ietf-a… Dave Cridland
- Re: [apps-discuss] AppsDir Review of draft-ietf-a… Paul E. Jones