Network Working Group Paul E. Jones Internet Draft Gonzalo Salgueiro Intended status: Standards Track Cisco Systems Expires: October 9, 2012 Joseph Smarr Google April 9, 2012 WebFinger draft-jones-appsawg-webfinger-03.txt Abstract This specification defines the WebFinger protocol. WebFinger may be used to discover information about people on the Internet, such as a person's personal profile address, identity service, telephone number, or preferred avatar. WebFinger may also be used to learn information about objects on the network, such as the amount of toner in a printer or the physical location of a server. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on October 9, 2012. Copyright Notice Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must Jones, et al. Expires October 9, 2012 [Page 1] Internet-Draft WebFinger April 2012 include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction...................................................2 2. Terminology....................................................3 3. Example Uses of WebFinger......................................3 3.1. Locating a User's Blog....................................3 3.2. Retrieving a Person's Contact Information.................5 3.3. Simplifying the Login Process.............................6 3.4. Retrieving Device Information.............................7 4. WebFinger Protocol.............................................8 4.1. Performing a WebFinger Query..............................8 4.2. The Web Host Metadata "resource" Parameter................9 4.3. The Web Host Metadata "rel" Parameter....................11 5. The "acct" URI................................................12 5.1. Using the "acct" URI.....................................12 5.2. Syntax of "acct" URI.....................................13 6. The "acct" Link Relation......................................13 6.1. Purpose for the "acct" Link Relation.....................13 6.2. Example Message Exchange Using the "acct" Link Relation..14 7. Cross-Origin Resource Sharing (CORS)..........................15 8. Security Considerations.......................................15 9. IANA Considerations...........................................16 9.1. Registration of the "acct" URI scheme name...............16 9.2. Registration of the "acct" Link Relation Type............16 10. Acknowledgments..............................................17 11. References...................................................17 11.1. Normative References....................................17 11.2. Informative References..................................18 Author's Addresses...............................................19 1. Introduction There is a utility found on UNIX systems called "finger" [14] that allows a person to access information about another person. The information being queried might be on a computer anywhere in the world. The information returned via "finger" is simply a plain text file that contains unstructured information provided by the queried user. WebFinger borrows the concept of the legacy finger protocol, but introduces a very different approach to sharing information. Rather than returning a simple unstructured text file, Webfinger uses structured documents that contain link relations. These link relations point to information a user or entity on the Internet wishes to expose. For a person, the kinds of information that might Jones, et al. Expires October 9, 2012 [Page 2] Internet-Draft WebFinger April 2012 be exposed include a personal profile address, identity service, telephone number, or preferred avatar. WebFinger may also be used to learn information about objects on the network, such as the amount of toner in a printer or the physical location of a server. Information returned via WebFinger might be for direct human consumption (e.g., another user's phone number) or it might be used by systems to help carry out some operation (e.g., facilitate logging into a web site by determining a user's identification service). 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [1]. WebFinger makes heavy use of "Link Relations". Briefly, a Link Relation is an attribute and value pair used on the Internet wherein the attribute identifies the type of link to which the associated value refers. In Hypertext Transfer Protocol (HTTP) [2] and Web Linking [3], the attribute is a "rel" and the value is an "href". 3. Example Uses of WebFinger In this section, we describe just a few sample uses for WebFinger and show what the protocol looks like. This is not an exhaustive list of possible uses and the entire section should be considered non- normative. The list of potential use cases is virtually unlimited since a user can share any kind of machine-consumable information via WebFinger. 3.1. Locating a User's Blog Assume you receive an email from Bob and he refers to something he posted on his blog, but you do not know where Bob's blog is located. It would be simple to discover the address of Bob's blog if he makes that information available via WebFinger. Let's assume your email client discovers that blog automatically for you. After receiving the message from Bob (bob@example.com), your email client performs the following steps behind the scenes. First, it tries to get the host metadata [9] information for the domain example.com. It does this by issuing the following HTTPS query to example.com: GET /.well-known/host-meta HTTP/1.1 Host: example.com Jones, et al. Expires October 9, 2012 [Page 3] Internet-Draft WebFinger April 2012 The server replies with an XRD [8] document: HTTP/1.1 200 OK Access-Control-Allow-Origin: * Content-Type: application/xrd+xml; charset=UTF-8 The client then processes the received XRD in accordance with the Web Host Metadata [9] procedures. The client will see the LRDD link relation and issue a query with the user's account URI [5]. (The Account URI is discussed in Section 4.2.) The query might look like this: GET /lrdd/?uri=acct%3Abob%40example.com HTTP/1.1 Host: example.com The server might then respond with a message like this: HTTP/1.1 200 OK Access-Control-Allow-Origin: * Content-Type: application/xrd+xml; charset=UTF-8 2012-03-13T20:56:11Z acct:bob@example.com The email client might take note of the "blog" link relation in the above XRD document that refers to Bob's blog. This URL would then be presented to you so that you could then visit his blog. The email client might also note that Bob has published an avatar link relation and use that picture to represent Bob inside the email client. Jones, et al. Expires October 9, 2012 [Page 4] Internet-Draft WebFinger April 2012 3.2. Retrieving a Person's Contact Information Assume you have Alice in your address book, but her phone number appears to be invalid. You could use WebFinger to find her current phone number and update your address book. Let's assume you have a web-based address book that you wish to update. When you instruct the address book to pull Alice's current contact information, the address book might issue a query like this to get host metadata information for example.com: GET /.well-known/host-meta.json HTTP/1.1 Host: example.com Note the address book is looking for a JSON [4] representation, whereas we used XML in the previous example. The server might reply with something like this: HTTP/1.1 200 OK Access-Control-Allow-Origin: * Content-Type: application/json; charset=UTF-8 { "links" : [ { "rel" : "lrdd", "type" : "application/json", "template" : "https://example.com/lrdd/?format=json&uri={uri}" } ] } The client processes the response as described in RFC 6415 [9]. It will process the LRDD link relation using Alice's account URI by issuing this query: GET /lrdd/?format=json&uri=acct%3Aalice%40example.com HTTP/1.1 Host: example.com The server might return a response like this: HTTP/1.1 200 OK Access-Control-Allow-Origin: * Content-Type: application/json; charset=UTF-8 { Jones, et al. Expires October 9, 2012 [Page 5] Internet-Draft WebFinger April 2012 "expires" : "2012-03-13T20:56:11Z", "subject" : "acct:alice@example.com", "links" : [ { "rel" : "http://webfinger.net/rel/avatar", "href" : "http://example.com/~alice/alice.jpg" }, { "rel" : "vcard", "href" : "http://example.com/~alice/alice.vcf" } ] } With this response, the address book might see the vcard [16] link relation and use that file to offer you updated contact information. 3.3. Simplifying the Login Process OpenID (http://www.openid.net) is great for allowing users to log into a web site, though one criticism is that it is challenging for users to remember the URI they are assigned. WebFinger can help address this issue by allowing users to use user@domain-style addresses. Using a user's account URI, a web site can perform a query to discover the associated OpenID identifier for a user. Let's assume Carol is trying to use OpenID to log into a blog. The blog server might issue the following query to get the host metadata information: GET /.well-known/host-meta.json HTTP/1.1 Host: example.com The response that comes back is similar to the previous example: HTTP/1.1 200 OK Access-Control-Allow-Origin: * Content-Type: application/json; charset=UTF-8 { "expires" : "2012-03-13T20:56:11Z", "links" : [ { "rel" : "lrdd", "type" : "application/json", "template" : "https://example.com/lrdd/?format=json&uri={uri}" } Jones, et al. Expires October 9, 2012 [Page 6] Internet-Draft WebFinger April 2012 ] } The blog server processes the response as described in RFC 6415. It will process the LRDD link relation using Carol's account URI by issuing this query: GET /lrdd/?format=json&uri=acct%3Acarol%40example.com HTTP/1.1 The server might return a response like this: HTTP/1.1 200 OK Access-Control-Allow-Origin: * Content-Type: application/json; charset=UTF-8 { "subject" : "acct:carol@example.com", "links" : [ { "rel" : "http://webfinger.net/rel/avatar", "href" : "http://example.com/~alice/alice.jpg" }, { "rel" : "http://specs.openid.net/auth/2.0/provider", "href" : "https://openid.example.com/carol" } ] } At this point, the blog server knows that Carol's OpenID identifier is https://openid.example.com/carol and could then proceed with the login process as usual. 3.4. Retrieving Device Information While the examples thus far have been focused on information about humans, WebFinger does not limit queries to only those that use the account URI scheme. Let's suppose there are devices on the network like printers and you would like to check the current toner level for a particular printer identified via the URI like device:p1.example.com. While the "device" URI scheme is not presently specified, we use it here for illustrative purposes. Following the procedures similar to those above, a query may be issued to get link relations specific to this URI like this: GET /lrdd/?format=json&uri=device%3Ap1.example.com HTTP/1.1 Host: example.com Jones, et al. Expires October 9, 2012 [Page 7] Internet-Draft WebFinger April 2012 The link relations that are returned may be quite different than those for human users. Perhaps we may see a response like this: HTTP/1.1 200 OK Access-Control-Allow-Origin: * Content-Type: application/json; charset=UTF-8 { "subject" : "device:p1.example.com", "links" : [ { "rel" : "tipsi", "href" : "http://192.168.1.5/npap/" } ] } While this example is entirely fictitious, you can imagine that perhaps the Transport Independent, Printer/System Interface [18] may be enhanced with a web interface that allows a device that understands the TIP/SI web interface specification to query the printer for toner levels. 4. WebFinger Protocol WebFinger does not actually introduce a new protocol, per se. Rather, it builds upon the existing Web Host Metadata [9] specification and leverages the Cross-Origin Resource Sharing (CORS) [7] specification. 4.1. Performing a WebFinger Query The first step a client must perform in executing a WebFinger query is to query for the host metadata using HTTPS or HTTP. The procedures are defined in the Web Host Metadata [9] specification. WebFinger clients MUST locate the LRDD link relation, if present, and perform a query for that link relation, if present. All other link templates found must be processed to form a complete resource descriptor. The processing rules in Section 4.2 of RFC 6415 MUST be followed. WebFinger servers MUST accept requests for both XRD [8] and JRD [9] documents. The default representation returned by the server MUST be an XRD document, but a JRD document MUST be returned if the client explicitly requests it by using /.well-known/host-meta.json or includes an Accept header in the HTTP request with a type of "application/json" [4]. Jones, et al. Expires October 9, 2012 [Page 8] Internet-Draft WebFinger April 2012 If the client requests a JRD document when querying for host metadata, the WebFinger server can assume that the client will want a JRD documents when querying the LRDD resource. As such, when the WebFinger server returns a JRD document containing host metadata it should include a URI for an LRDD resource that can return a JRD document and MAY include a URI for an LRDD resource that will return an XRD document. If the client queries the LRDD resource and provides a URI for which the server has no information, the server MUST return a 404 status code. Likewise, any query to a URI in the resource descriptor that is unknown to the server MUST result in the server returning a 404 status code. WebFinger servers MAY include cache validators in a response to enable conditional requests by clients and/or expiration times as per RFC 2616 section 13. 4.2. The Web Host Metadata "resource" Parameter In addition to the normal processing logic for processing host metadata information, WebFinger defines the "resource" parameter for querying for host metadata and returning all of the link relations from LRDD and other resource-specific link templates in a single query. This resource essentially pushes the work to the server to form a complete resource descriptor for the specified resource. Note that support for the "resource" parameter is optional, but strongly RECOMMENDED for improved performance. If a server does not implement the "resource" parameter, then the server's host metadata processing logic remains unchanged from RFC 6415. To utilize the host-meta "resource" parameter, a WebFinger client issues a request to /.well-known/host-meta or /.well-known/host- meta.json as usual, but then appends a "resource" parameter as shown in this example: GET /.well-known/host-meta.json?resource=\ acct%3Abob%40example.com HTTP/1.1 Host: example.com Note that the "\" character shown above is to indicate that the line breaks at this point and continues on the next line. This was shown only to avoid line wrapping in this document and is not a part of the HTTP protocol. When processing this request, the WebFinger server MUST Jones, et al. Expires October 9, 2012 [Page 9] Internet-Draft WebFinger April 2012 * Return a 404 status code if the URI provided in the resource parameter is unknown to the server; and * Set the "Subject" returned in the response to the value of the "resource" parameter if the URI provided in the resource parameter is known to the server The WebFinger client can verify support for the "resource" parameter by checking the value of the Subject returned in the response. If the Subject matches the value of the "resource" parameter, then the "resource" parameter is supported by the server. For illustrative purposes, the following is an example usage of the "resource" parameter that aligns with the example in Section 1.1.1 of RFC 6415. The WebFinger client would issue this request: GET /.well-known/host-meta.json?resource=\ http%3A%2F%2Fexample.com%2Fxy HTTP/1.1 Host: example.com The WebFinger server would reply with this response: HTTP/1.1 200 OK Access-Control-Allow-Origin: * Content-Type: application/json; charset=UTF-8 { "subject" : "http://example.com/xy", "properties" : { "http://spec.example.net/color" : "red" }, "links" : [ { "rel" : "hub", "href" : "http://example.com/hub" }, { "rel" : "hub", "href" : "http://example.com/another/hub" }, { "rel" : "author", "href" : "http://example.com/john" }, { "rel" : "author", "template" : "http://example.com/author?\ Jones, et al. Expires October 9, 2012 [Page 10] Internet-Draft WebFinger April 2012 q=http%3A%2F%2Fexample.com%2Fxy" } ] } 4.3. The Web Host Metadata "rel" Parameter WebFinger also defines the "rel" parameter for use when querying for host metadata. It is used to return a subset of the information that would otherwise be returned without the "rel" parameter. When the "rel" parameter is used, only the link relations that match the space-separated list of link relations provided via "rel" are included in the list of links returned in resource descriptor. All other information normally present in a resource descriptor is present in the resource descriptor, even when "rel" is employed. The purpose of the "rel" parameter is to return a subset of resource's link relations. It is not intended to reduce the work required of a server to produce a response. That said, use of the parameter might reduce processing requirements on either the client or server, and it might also reduce the bandwidth required to convey the partial resource descriptor, especially if there are numerous link relation values to convey for a given resource. Support for the "rel" parameter is OPTIONAL, but support is RECOMMENDED for both the host-meta resource and the LRDD resource. For illustrative purposes, the following is an example usage of the "rel" parameter that aligns with the example in Section 1.1.1 of RFC 6415. The WebFinger client would issue this request to receive links that are of the type "hub" and "copyright": GET /.well-known/host-meta.json?resource=\ http%3A%2F%2Fexample.com%2Fxy&rel=hub%20copyright HTTP/1.1 Host: example.com The WebFinger server would reply with this response: HTTP/1.1 200 OK Access-Control-Allow-Origin: * Content-Type: application/json; charset=UTF-8 { "subject" : "http://example.com/xy", "properties" : { "http://spec.example.net/color" : "red" }, "links" : Jones, et al. Expires October 9, 2012 [Page 11] Internet-Draft WebFinger April 2012 [ { "rel" : "hub", "href" : "http://example.com/hub" }, { "rel" : "hub", "href" : "http://example.com/another/hub" } ] } Note that in this example, the "author" links are removed, though all other content is present. Since there were no "copyright" links, none are returned. In the event that a client requests links for link relations that are not defined for the specified resource, a resource descriptor MUST be returned, void of any links. When a JRD is returned, the "links" array MAY be either absent or empty. The server MUST NOT return a 404 status code when a particular link relation specified via "rel" is not defined for the resource, as a 404 status code is reserved for indicating that the resource itself (e.g., as indicated via the "resource" parameter) does not exist. 5. The "acct" URI The Web Host Metadata specification [9] allows for any kind of resource to be queried, as does WebFinger. However, a specific type of resource is needed in order to query information about a human user. WebFinger uses the "acct" URI to refer to a human user's account on the Internet. While other URI scheme MAY be used to query for information related to a human user, other schemes are not explicitly defined for that purpose. 5.1. Using the "acct" URI The "acct" URI takes a familiar form in looking like an email address. However, the account URI is not an email address and should not be mistaken for one. Quite often, the account URI minus the "acct:" scheme prefix may be exactly the same as the user's email address. A user MUST NOT be required to enter the "acct" URI scheme name along with his account identifier into any WebFinger client. Rather, the WebFinger client MUST accept identifiers that are void of the "acct:" Jones, et al. Expires October 9, 2012 [Page 12] Internet-Draft WebFinger April 2012 portion of the identifier. Composing a properly formatted "acct" URI is the responsibility of the WebFinger client. A user MAY provide a fully-specified "acct" URI. 5.2. Syntax of "acct" URI The "acct" URI syntax is defined here in Augmented Backus-Naur Form (ABNF) [6] and borrows syntax elements from RFC 3986 [5]: acctURI = "acct:" userpart "@" domainpart userpart = 1*( unreserved / pct-encoded ) domainpart = domainlabel 1*( "." domainlabel) domainlabel = alphanum / alphanum *( alphanum / "-" ) alphanum alphanum = ALPHA / DIGIT The "acct" URI scheme allows any character from the Unicode [11] character set encoded as a UTF-8 [19] string that is then percent- encoded as necessary into valid ASCII [20]. Characters in the domainpart must be encoded to support internationalized domain names (IDNs) [12]. Characters in the userpart or domainpart that are not unreserved must be percent-encoded when used in a protocol or document that only supports or requires ASCII. When carried in a document (e.g., XRD or JRD) or protocol that supports the Unicode character set (e.g., UTF-8 or UTF-16 [21]), the URI strings may appear in the protocol or document's native encoding without percent-encoding. Such usage of a URI is commonly referred to as an Internationalized Resource Identifier (IRI). Conversion between an IRI and URI is described in Section 3 of RFC 3987 [13]. 6. The "acct" Link Relation 6.1. Purpose for the "acct" Link Relation Users of some services might have an "acct" URI that looks significantly different from his or her email address, perhaps using an entirely different domain name. It is also possible for a user have multiple accounts that a user wants to advertise and that a WebFinger client may want to query. To address both of these needs, this specification defines the "acct" link relation. Since an account may make a reference to one or more different accounts, WebFinger clients MUST take steps to avoid loops wherein two accounts, directly or indirectly, refer the client to each other. There are no limits on the number of "acct" link relations that might be returned in a WebFinger query. Jones, et al. Expires October 9, 2012 [Page 13] Internet-Draft WebFinger April 2012 An "acct" link relation used within the context of a WebFinger query for a user's account MUST NOT return "acct" link relations for another individual. The "acct" link relation also makes it possible to use the link relation in HTML documents or in HTTP headers as described in the Web Linking specification [3]. This would allow, by way of example, for a user to advertise his or her account identifier in a blog, article, or other content located on a server that is unrelated to his user account. Since there may be multiple contributors to an article, there may be more than one "acct" link relation in an HTML document or in HTTP headers. It is RECOMMENDED that no more than one "acct" link relation is advertised per author of a given web page, as a client may otherwise not understand that the multiple link relations are for the same person; references to other accounts should be done from within a user's account, as described in the preceding paragraphs. 6.2. Example Message Exchange Using the "acct" Link Relation Consider the following non-normative example. Suppose Alice receives an email from bob@example.net. While Bob's email identifier might be in the example.net domain, he holds his account with an "acct" URI in the example.com domain. His email provider may provide WebFinger services to enable redirecting Alice when she queries for acct:bob@example.net. Suppose Alice's client issues the following request: GET /.well-known/host-meta.json?resource=\ acct%3Abob%40example.net HTTP/1.1 Host: example.net The response that Alice's client receives back might be: HTTP/1.1 200 OK Access-Control-Allow-Origin: * Content-Type: application/json; charset=UTF-8 { "subject" : "acct:bob@example.net", "links" : [ { "rel" : "acct", "href" : "acct:bob@example.com" }, { Jones, et al. Expires October 9, 2012 [Page 14] Internet-Draft WebFinger April 2012 "rel" : "acct", "href" : "acct:bob@example.org" } ] } Alice's WebFinger client could then perform queries against the URIs acct:bob@example.com and acct:bob@example.org in order to get the information Alice is seeking. 7. Cross-Origin Resource Sharing (CORS) WebFinger is most useful when it is accessible without restrictions on the Internet, and that includes web browsers. Therefore, WebFinger servers MUST support Cross-Origin Resource Sharing (CORS) [7]. Specifically, all queries to /.well-known/host-meta, /.well- known/host-meta.json, and to the LRDD URI must include the following HTTP header in the response: Access-Control-Allow-Origin: * 8. Security Considerations All of the security considerations applicable to Web Host Metadata [9] and Cross-Origin Resource Sharing [7] are also applicable to this specification. Of particular importance is the recommended use of HTTPS to ensure that information is not modified during transit. Clients should verify that the certificate used on an HTTPS connection is valid. When using HTTP to request an XRD document, WebFinger clients SHOULD verify the XRD document's signature, if present, to ensure that the XRD document has not been modified. WebFinger servers SHOULD include a signature for XRD documents. Service providers and users should be aware that placing information on the Internet accessible through WebFinger means that any user can access that information. While WebFinger can be an extremely useful tool for allowing quick and easy access to one's avatar, blog, or other personal information, users should understand the risks, too. If one does not wish to share certain information with the world, do not allow that information to be accessible through WebFinger. The aforementioned word of caution is perhaps worth emphasizing again with respect to dynamic information one might wish to share, such as the current location of a user. WebFinger can be a powerful tool used to assemble information about a person all in one place, but service providers and users should be mindful of the nature of that information shared and the fact that it might be available for the Jones, et al. Expires October 9, 2012 [Page 15] Internet-Draft WebFinger April 2012 entire world to see. Sharing location information, for example, would potentially put a person in danger from any individual who might seek to inflict harm on that person. The easy access to user information via WebFinger was a design goal of the protocol, not a limitation. If one wishes to limit access to information available via WebFinger, such as a WebFinger server for use inside a corporate network, the network administrator must take measures necessary to limit access from outside the network. 9. IANA Considerations RFC Editor: Please replace QQQQ in the following two sub-sections with a reference to this RFC. 9.1. Registration of the "acct" URI scheme name This specification requests IANA to register the "acct" URI scheme in the "Permanent URI Schemes" sub-registry in the "Uniform Resource Identifier (URI) Schemes" IANA registry [17]. This registration follows the URI Scheme Registration Template detailed in Section 5.4 of RFC 4395 [15]. URI scheme name: acct Status: Permanent URI scheme syntax: see Section 4.1 of RFC QQQQ URI scheme semantics: see Section 4.1 of RFC QQQQ Encoding considerations: The "acct" URI scheme allows any character from the Unicode character set encoded as a UTF-8 string that is then percent-encoded as necessary to result in an internal representation in US-ASCII [10] Applications/protocols that use this URI scheme name: WebFinger Security considerations: see Section 7 of RFC QQQQ Contact: Gonzalo Salgueiro Author/Change controller: IETF References: See Section 10 of RFC QQQQ 9.2. Registration of the "acct" Link Relation Type Relation Name: acct Jones, et al. Expires October 9, 2012 [Page 16] Internet-Draft WebFinger April 2012 Description: A link relation that refers to a user's WebFinger account identifier. Reference: RFC QQQQ Notes: Application Data: 10. Acknowledgments The authors would like to acknowledge Eran Hammer-Lahav, Blaine Cook, Brad Fitzpatrick, Laurent-Walter Goix, and Joe Clarke for their invaluable input. 11. References 11.1. Normative References [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [2] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. [3] Nottingham, M., "Web Linking", RFC 5988, October 2010. [4] Crockford, D., "The application/json Media Type for JavaScript Object Notation (JSON)", RFC 4627, July 2006. [5] Berners-Lee, T., Fielding, R., and Masinter, L., "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, January 2005. [6] Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, January 2008. [7] Van Kesteren, A., "Cross-Origin Resource Sharing", W3C CORS http://www.w3.org/TR/cors/, July 2010. [8] Hammer-Lahav, E. and W. Norris, "Extensible Resource Descriptor (XRD) Version 1.0", http://docs.oasis- open.org/xri/xrd/v1.0/xrd-1.0.html. [9] Hammer-Lahav, E. and Cook, B., "Web Host Metadata", RFC 6415, October 2011. Jones, et al. Expires October 9, 2012 [Page 17] Internet-Draft WebFinger April 2012 [10] American National Standards Institute, "Coded Character Set - 7-bit American Standard Code for Information Interchange", ANSI X3.4, 1986. [11] The Unicode Consortium. The Unicode Standard, Version 6.1.0, (Mountain View, CA: The Unicode Consortium, 2012. ISBN 978-1- 936213-02-3) http://www.unicode.org/versions/Unicode6.1.0/. [12] Klensin, J., "Internationalized Domain Names in Applications (IDNA): Protocol", RFC 5891, August 2010. [13] Duerst, M., "Internationalized Resource Identifiers (IRIs)", RFC 3987, January 2005. 11.2. Informative References [14] Zimmerman, D., "The Finger User Information Protocol", RFC 1288, December 1991. [15] Hansen, T., Hardie, T., and L. Masinter, "Guidelines and Registration Procedures for New URI Schemes", BCP 35, RFC 4395, February 2006. [16] Perreault, S., "vCard Format Specification", RFC 6350, August 2011. [17] Internet Assigned Numbers Authority (IANA) Registry, "Uniform Resource Identifier (URI) Schemes", . [18] "Transport Independent, Printer/System Interface", IEEE Std 1284.1-1997, 1997. [19] Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC 3629, November 2003. [20] Information Systems -- Coded Character Sets 7-Bit American National Standard Code for Information Interchange (7-Bit ASCII), ANSI X3.4-1986, December 30, 1986. [21] Hoffman, P., Yergeau, F., "UTF-16, an encoding of ISO 10646", RFC 2781, February 2000. Jones, et al. Expires October 9, 2012 [Page 18] Internet-Draft WebFinger April 2012 Author's Addresses Paul E. Jones Cisco Systems, Inc. 7025 Kit Creek Rd. Research Triangle Park, NC 27709 USA Phone: +1 919 476 2048 Email: paulej@packetizer.com IM: xmpp:paulej@packetizer.com Gonzalo Salgueiro Cisco Systems, Inc. 7025 Kit Creek Rd. Research Triangle Park, NC 27709 USA Phone: +1 919 392 3266 Email: gsalguei@cisco.com IM: xmpp:gsalguei@cisco.com Joseph Smarr Google Email: jsmarr@google.com Jones, et al. Expires October 9, 2012 [Page 19] Internet-Draft WebFinger April 2012 Change Log (To Be Deleted Before Publication) ============================================= -03 Draft * Changed the name from Webfinger to WebFinger (common usage) * Added a new paragraph to Section 4.1 to remind readers that WebFinger benefits from all of the existing HTTP caching functionality * Added the "rel" parameter to allow filtering the results of a WebFinger query to include Links of the specified type(s) * Corrected a reference to an obsoleted RFC * Removed extraneous text from the terminology section -02 Draft * Minor editorial changes * Added to the XML example to highlight that this element exists, since some may not be aware * Changed some of the link relation values, particularly for those that are not yet standardized * Added a note about "device:" not being standard * Overhauled the "acct" link relation text, breaking the normative and non-normative pieces apart * Added additional text to the security considerations section related to dynamic information (e.g., geographic information) Jones, et al. Expires October 9, 2012 [Page 20]