idnits 2.17.1 draft-ietf-appsawg-webfinger-18.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 2 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (August 26, 2013) is 3890 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 2616 (ref. '2') (Obsoleted by RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234, RFC 7235) ** Obsolete normative reference: RFC 5785 (ref. '3') (Obsoleted by RFC 8615) ** Obsolete normative reference: RFC 5988 (ref. '4') (Obsoleted by RFC 8288) ** Obsolete normative reference: RFC 4627 (ref. '5') (Obsoleted by RFC 7158, RFC 7159) -- Possible downref: Non-RFC (?) normative reference: ref. '7' -- Possible downref: Non-RFC (?) normative reference: ref. '8' -- Possible downref: Non-RFC (?) normative reference: ref. '9' ** Obsolete normative reference: RFC 2818 (ref. '12') (Obsoleted by RFC 9110) ** Obsolete normative reference: RFC 5226 (ref. '13') (Obsoleted by RFC 8126) == Outdated reference: A later version (-07) exists of draft-ietf-appsawg-acct-uri-06 Summary: 6 errors (**), 0 flaws (~~), 3 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group Paul E. Jones 3 Internet Draft Gonzalo Salgueiro 4 Intended status: Standards Track Cisco Systems 5 Expires: February 26, 2014 Michael B. Jones 6 Microsoft 7 Joseph Smarr 8 Google 9 August 26, 2013 11 WebFinger 12 draft-ietf-appsawg-webfinger-18.txt 14 Abstract 16 This specification defines the WebFinger protocol, which can be used 17 to discover information about people or other entities on the 18 Internet using standard HTTP methods. WebFinger discovers 19 information for a URI that might not be usable as a locator 20 otherwise, such as account or email URIs. 22 Status of this Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at http://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on February 26, 2014. 39 Copyright Notice 41 Copyright (c) 2013 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (http://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction...................................................2 57 2. Terminology....................................................3 58 3. Example Uses of WebFinger......................................4 59 3.1. Identity Provider Discovery for OpenID Connect............4 60 3.2. Getting Author and Copyright Information for a Web Page...5 61 4. WebFinger Protocol.............................................6 62 4.1. Constructing the Query Component of the Request URI.......7 63 4.2. Performing a WebFinger Query..............................7 64 4.3. The "rel" Parameter.......................................8 65 4.4. The JSON Resource Descriptor (JRD).......................10 66 4.4.1. subject.............................................10 67 4.4.2. aliases.............................................10 68 4.4.3. properties..........................................10 69 4.4.4. links...............................................11 70 4.5. WebFinger and URIs.......................................13 71 5. Cross-Origin Resource Sharing (CORS)..........................13 72 6. Access Control................................................13 73 7. Hosted WebFinger Services.....................................14 74 8. Definition of WebFinger Applications..........................15 75 8.1. Specification of the URI Scheme and URI..................15 76 8.2. Host Resolution..........................................15 77 8.3. Specification of Properties..............................16 78 8.4. Specification of Links...................................16 79 8.5. One URI, Multiple Applications...........................16 80 8.6. Registration of Link Relation Types and Properties.......17 81 9. Security Considerations.......................................17 82 9.1. Transport-Related Issues.................................17 83 9.2. User Privacy Considerations..............................17 84 9.3. Abuse Potential..........................................18 85 9.4. Information Reliability..................................19 86 10. IANA Considerations..........................................20 87 10.1. Well-Known URI..........................................20 88 10.2. JSON Resource Descriptor (JRD) Media Type...............20 89 10.3. Registering Link Relation Types.........................21 90 10.4. Establishment of the WebFinger Properties Registry......22 91 10.4.1. The Registration Template..........................22 92 10.4.2. The Registration Procedures........................22 93 11. Acknowledgments..............................................23 94 12. References...................................................23 95 12.1. Normative References....................................23 96 12.2. Informative References..................................24 97 Author's Addresses...............................................25 99 1. Introduction 101 WebFinger is used to discover information about people or other 102 entities on the Internet that are identified by a URI [6] using 103 standard Hypertext Transfer Protocol (HTTP) [2] methods over a secure 104 transport [12]. A WebFinger resource returns a JavaScript Object 105 Notation (JSON) [5] object describing the entity that is queried. 106 The JSON object is referred to as the JSON Resource Descriptor (JRD). 108 For a person, the kinds of information that might be discoverable via 109 WebFinger include a personal profile address, identity service, 110 telephone number, or preferred avatar. For other entities on the 111 Internet, a WebFinger resource might return JRDs containing link 112 relations [8] that enable a client to discover, for example, the that 113 a printer can print in color on A4 paper, the physical location of a 114 server, or other static information. 116 Information returned via WebFinger might be for direct human 117 consumption (e.g., looking up someone's phone number), or it might be 118 used by systems to help carry out some operation (e.g., facilitate, 119 with additional security mechanisms, logging into a web site by 120 determining a user's identity service). The information is intended 121 to be static in nature and, as such, WebFinger is not intended to be 122 used to return dynamic information like the temperature of a CPU or 123 the current toner level in a laser printer. 125 The WebFinger protocol is designed to be used across many 126 applications. Applications that wish to utilize WebFinger will need 127 to specify properties, titles, and link relation types that are 128 appropriate for the application. Further, applications will need to 129 define the appropriate URI scheme to utilize for the query target. 131 Use of WebFinger is illustrated in the examples in Section 3 and 132 described more formally in Section 4. Section 8 describes how 133 applications of WebFinger may be defined. 135 2. Terminology 137 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 138 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 139 document are to be interpreted as described in RFC 2119 [1]. 141 WebFinger makes heavy use of "Link Relations". A Link Relation is an 142 attribute-and-value pair in which the attribute identifies the type 143 of relationship between the linked entity or resource and the 144 information specified in the value. In Web Linking [4], the link 145 relation is represented using an HTTP entity-header of "Link", where 146 the "rel" attribute specifies the type of relationship and the "href" 147 attribute specifies the information that is linked to the entity or 148 resource. In WebFinger, the same concept is represented using a JSON 149 array of "links" objects, where each member named "rel" specifies the 150 type of relationship and each member named "href" specifies the 151 information that is linked to the entity or resource. Note that 152 WebFinger narrows the scope of a link relation beyond what is defined 153 for Web Linking by stipulating that the value of the "rel" member 154 needs to be either a single IANA-registered link relation type [8] or 155 a URI [6]. 157 The use of URIs throughout this document refers to URIs following the 158 syntax specified in Section 3 of RFC 3986 [6]. Relative URIs, having 159 syntax following that of Section 4.2 or RFC 3986, are not used with 160 WebFinger. 162 3. Example Uses of WebFinger 164 This section shows a few sample uses of WebFinger. Any application 165 of WebFinger would be specified outside of this document, as 166 described in Section 8. The examples in this section should be 167 simple enough to understand without having seen the formal 168 specifications of the applications. 170 3.1. Identity Provider Discovery for OpenID Connect 172 Suppose Carol wishes to authenticate with a web site she visits using 173 OpenID Connect [15]. She would provide the web site with her OpenID 174 Connect identifier, say carol@example.com. The visited web site 175 would perform a WebFinger query looking for the OpenID Connect 176 Provider. Since the site is interested in only one particular link 177 relation, the WebFinger resource might utilize the "rel" parameter as 178 described in Section 4.3: 180 GET /.well-known/webfinger? 181 resource=acct%3Acarol%40example.com& 182 rel=http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer 183 HTTP/1.1 184 Host: example.com 186 The server might respond like this: 188 HTTP/1.1 200 OK 189 Access-Control-Allow-Origin: * 190 Content-Type: application/jrd+json 192 { 193 "subject" : "acct:carol@example.com", 194 "links" : 195 [ 196 { 197 "rel" : "http://openid.net/specs/connect/1.0/issuer", 198 "href" : "https://openid.example.com" 199 } 200 ] 201 } 203 Since the "rel" parameter only serves to filter the link relations 204 returned by the resource, other name/value pairs in the response, 205 including any aliases or properties, would be returned. Also, since 206 support for the "rel" parameter is not guaranteed, the client must 207 not assume the "links" array will contain only the requested link 208 relation. 210 3.2. Getting Author and Copyright Information for a Web Page 212 Suppose an application is defined to retrieve metadata information 213 about a web page URL, such as author and copyright information. To 214 retrieve that information, the client can utilize WebFinger to issue 215 a query for the specific URL. Suppose the URL of interest is 216 http://blog.example.com/article/id/314. The client would issue a 217 query similar to the following: 219 GET /.well-known/webfinger? 220 resource=http%3A%2F%2Fblog.example.com%2Farticle%2Fid%2F314 221 HTTP/1.1 222 Host: blog.example.com 224 The server might then reply in this way: 226 HTTP/1.1 200 OK 227 Access-Control-Allow-Origin: * 228 Content-Type: application/jrd+json 230 { 231 "subject" : "http://blog.example.com/article/id/314", 232 "aliases" : 233 [ 234 "http://blog.example.com/cool_new_thing", 235 "http://blog.example.com/steve/article/7" 236 ], 237 "properties" : 238 { 239 "http://blgx.example.net/ns/version" : "1.3", 240 "http://blgx.example.net/ns/ext" : null 241 }, 242 "links" : 243 [ 244 { 245 "rel" : "copyright", 246 "href" : "http://www.example.com/copyright" 247 }, 248 { 249 "rel" : "author", 250 "href" : "http://blog.example.com/author/steve", 251 "titles" : 252 { 253 "en-us" : "The Magical World of Steve", 254 "fr" : "Le Monde Magique de Steve" 255 }, 256 "properties" : 257 { 258 "http://example.com/role" : "editor" 259 } 260 } 262 ] 263 } 265 In the above example, we see that the server returned a list of 266 aliases, properties, and links related to the subject URL. The links 267 contain references to information for each link relation type. For 268 the author link, the server provided a reference to the author's 269 blog, along with a title for the blog in two languages. The server 270 also returned a single property related to the author, indicating the 271 author's role as editor of the blog. 273 It is worth noting that, while the server returned just two links in 274 the links array in this example, a server might return any number of 275 links when queried. 277 4. WebFinger Protocol 279 The WebFinger protocol is used to request information about an entity 280 identified by a query target (a URI). The client can optionally 281 specify one or more link relation types for which it would like to 282 receive information. 284 A WebFinger request is an HTTPS request to a WebFinger resource. A 285 WebFinger resource is a well-known URI [3] using the HTTPS scheme, 286 constructed along with the required query target and optional link 287 relation types. WebFinger resources MUST NOT be served with any 288 other URI scheme (such as HTTP). 290 A WebFinger resource is always given a query target, which is another 291 URI that identifies the entity whose information is sought. GET 292 requests to a WebFinger resource convey the query target in the 293 "resource" parameter in the WebFinger URI's query string; see Section 294 4.1 for details. 296 The host to which a WebFinger query is issued is significant. If the 297 query target contains a "host" portion (Section 3.2.2 of RFC 3986), 298 then the host to which the WebFinger query is issued SHOULD be the 299 same as the "host" portion of the query target, unless the client 300 receives instructions through some out-of-band mechanism to send the 301 query to another host. If the query target does not contain a "host" 302 portion, then the client chooses a host to which it directs the query 303 using additional information it has. 305 The path component of a WebFinger URI MUST be the well-known path 306 "/.well-known/webfinger". A WebFinger URI MUST contain a query 307 component that encodes the query target and optional link relation 308 types as specified in Section 4.1. 310 The WebFinger resource returns a JSON Resource Descriptor (JRD) as 311 the resource representation to convey information about an entity on 312 the Internet. Also, the Cross-Origin Resource Sharing (CORS) [7] 313 specification is utilized to facilitate queries made via a web 314 browser. 316 4.1. Constructing the Query Component of the Request URI 318 A WebFinger URI MUST contain a query component (see Section 3.4 of 319 RFC 3986). The query component MUST contain a "resource" parameter 320 and MAY contain one or more "rel" parameters. The "resource" 321 parameter MUST contain the query target (URI) and the "rel" 322 parameters MUST contain encoded link relation types according to the 323 encoding described in this section. 325 To construct the query component, the client performs the following 326 steps. First, each parameter value is percent-encoded, as per 327 Section 2.1 of RFC 3986. The encoding is done to conform to the 328 query production in Section 3.4 of that specification, with the 329 addition that any instances of the "=" and "&" characters within the 330 parameter values are also percent-encoded. Next, the client 331 constructs a string to be placed in the query component by 332 concatenating the name of the first parameter together with an equal 333 sign ("=") and the percent-encoded parameter value. For any 334 subsequent parameters, the client appends an ampersand ("&") to the 335 string, the name of the next parameter, an equal sign, and the 336 parameter value. The client MUST NOT insert any spaces while 337 constructing the string. The order in which the client places each 338 attribute-and-value pair within the query component does not matter 339 in the interpretation of the query component. 341 4.2. Performing a WebFinger Query 343 A WebFinger client issues a query using the GET method to the well- 344 known [3] resource identified by the URI whose path component is 345 "/.well-known/webfinger" and whose query component MUST include the 346 "resource" parameter exactly once and set to the value of the URI for 347 which information is being sought. 349 If the "resource" parameter is absent or malformed, the WebFinger 350 resource MUST indicate that the request is bad as per Section 10.4.1 351 of RFC 2616 [2]. 353 If the "resource" parameter is a value for which the server has no 354 information, the server MUST indicate that it was unable to match the 355 request as per Section 10.4.5 of RFC 2616. 357 A client MUST query the WebFinger resource using HTTPS only. If the 358 client determines that the resource has an invalid certificate, the 359 resource returns a 4xx or 5xx status code, or the HTTPS connection 360 cannot be established for any reason, then the client MUST accept 361 that the WebFinger query has failed and MUST NOT attempt to reissue 362 the WebFinger request using HTTP over a non-secure connection. 364 A WebFinger resource MUST return a JRD as the representation for the 365 resource if the client requests no other supported format explicitly 366 via the HTTP "Accept" header. The client MAY include the "Accept" 367 header to indicate a desired representation; representations other 368 than JRD might be defined in future specifications. The WebFinger 369 resource MUST silently ignore any requested representations that it 370 does not understand and support. The media type used for the JSON 371 Resource Descriptor (JRD) is "application/jrd+json" (see Section 372 9.2). 374 The properties, titles, and link relation types returned by the 375 server in a JRD might be varied and numerous. For example, the 376 server might return information about a person's blog, vCard [14], 377 avatar, OpenID Connect provider, RSS or ATOM feed, and so forth in a 378 reply. Likewise, if a server has no information to provide it might 379 return a JRD with an empty links array or no links array. 381 A WebFinger resource MAY redirect the client; if it does, the 382 redirection MUST only be to an "https" URI and the client MUST 383 perform certificate validation again when redirected. 385 A WebFinger resource can include cache validators in a response to 386 enable conditional requests by the client and/or expiration times as 387 per Section 13 of RFC 2616. 389 4.3. The "rel" Parameter 391 When issuing a request to a WebFinger resource, the client MAY 392 utilize the "rel" parameter to request only a subset of the 393 information that would otherwise be returned without the "rel" 394 parameter. When the "rel" parameter is used and accepted, only the 395 link relation types that match the link relation types provided via 396 the "rel" parameter are included in the array of links returned in 397 the JRD. If there are no matching link relation types defined for 398 the resource, the "links" array in the JRD will either be absent or 399 empty. All other information present in a resource descriptor 400 remains present, even when "rel" is employed. 402 The "rel" parameter MAY be included multiple times in order to 403 request multiple link relation types. 405 The purpose of the "rel" parameter is to return a subset of "link 406 relation objects" (see Section 4.4.4) that would otherwise be 407 returned in the resource descriptor. Use of the parameter might 408 reduce processing requirements on either the client or server, and it 409 might also reduce the bandwidth required to convey the partial 410 resource descriptor, especially if there are numerous link relation 411 values to convey for a given "resource" value. Note that if a client 412 requests a particular link relation type for which the server has no 413 information, the server MAY return a JRD with an empty links array or 414 no links array. 416 WebFinger resources SHOULD support the "rel" parameter. If the 417 resource does not support the "rel" parameter, it MUST ignore the 418 parameter and process the request as if no "rel" parameter values 419 were present. 421 The following example uses the "rel" parameter to request links for 422 two link relation types: 424 GET /.well-known/webfinger? 425 resource=acct%3Abob%40example.com& 426 rel=http%3A%2F%2Fwebfinger.example%2Frel%2Fprofile-page& 427 rel=http://webfinger.example/rel/businesscard HTTP/1.1 428 Host: example.com 430 In this example, the client requests the link relations of type 431 "http://webfinger.example/rel/profile-page" and 432 "http://webfinger.example/rel/businesscard". The server then 433 responds with a message like this: 435 HTTP/1.1 200 OK 436 Access-Control-Allow-Origin: * 437 Content-Type: application/jrd+json 439 { 440 "subject" : "acct:bob@example.com", 441 "aliases" : 442 [ 443 "https://www.example.com/~bob/" 444 ], 445 "properties" : 446 { 447 "http://example.com/ns/role" : "employee" 448 }, 449 "links" : 450 [ 451 { 452 "rel" : "http://webfinger.example/rel/profile-page", 453 "href" : "https://www.example.com/~bob/" 454 }, 455 { 456 "rel" : "http://webfinger.example/rel/businesscard", 457 "href" : "https://www.example.com/~bob/bob.vcf" 458 } 459 ] 460 } 462 As you can see in the response, the resource representation contains 463 only the links of the types requested by the client and for which the 464 server had information, but the other parts of the JRD are still 465 present. Note also in the above example that the links returned in 466 the links array all use HTTPS, which is important if the data 467 indirectly obtained via WebFinger needs to returned securely. 469 4.4. The JSON Resource Descriptor (JRD) 471 The JSON Resource Descriptor (JRD), originally introduced in RFC 6415 472 [16] and based on the Extensible Resource Descriptor (XRD) format 473 [17], is a JSON object that comprises the following name/value pairs: 475 o subject 476 o aliases 477 o properties 478 o links 480 The member "subject" is a name/value pair whose value is a string, 481 "aliases" is an array of strings, "properties" is an object 482 comprising name/value pairs whose values are strings, and "links" is 483 an array of objects that contain link relation information. 485 When processing a JRD, the client MUST ignore any unknown member and 486 not treat the presence of an unknown member as an error. 488 Below, each of these members of the JRD is described in more detail. 490 4.4.1. subject 492 The value of the "subject" member is a URI that identifies the entity 493 that the JRD describes. 495 The "subject" value returned by a WebFinger resource MAY differ from 496 the value of the "resource" parameter used in the client's request. 497 This might happen, for example, when the subject's identity changes 498 (e.g., a user moves his or her account to another service) or when 499 the resource prefers to express URIs in canonical form. 501 The "subject" member SHOULD be present in the JRD. 503 4.4.2. aliases 505 The "aliases" array is an array of zero or more URI strings that 506 identify the same entity as the "subject" URI. 508 The "aliases" array is OPTIONAL in the JRD. 510 4.4.3. properties 512 The "properties" object comprises zero or more name/value pairs whose 513 names are URIs (referred to as "property identifiers") and whose 514 values are strings or null. Properties are used to convey additional 515 information about the subject of the JRD. As an example, consider 516 this use of "properties": 518 "properties" : { "http://webfinger.example/ns/name" : "Bob Smith" } 520 The "properties" member is OPTIONAL in the JRD. 522 4.4.4. links 524 The "links" array has any number of member objects, each of which 525 represents a link [4]. Each of these link objects can have the 526 following members: 528 o rel 529 o type 530 o href 531 o titles 532 o properties 534 The "rel" and "href" members are strings representing the link's 535 relation type and the target URI, respectively. The context of the 536 link is the "subject" (see Section 4.4.1). 538 The "type" member is a string indicating what the media type of the 539 result of dereferencing the link ought to be. 541 The order of elements in the "links" array MAY be interpreted as 542 indicating an order of preference. Thus, if there are two or more 543 link relations having the same "rel" value, the first link relation 544 would indicate the user's preferred link. 546 The "links" array is OPTIONAL in the JRD. 548 Below, each of the members of the objects found in the "links" array 549 is described in more detail. Each object in the "links" array, 550 referred to as a "link relation object", is completely independent 551 from any other object in the array; any requirement to include a 552 given member in the link relation object refers only to that 553 particular object. 555 4.4.4.1. rel 557 The value of the "rel" member is a string that is either a URI or a 558 registered relation type [8] (see RFC 5988 [4]). The value of the 559 "rel" member MUST contain exactly one URI or registered relation 560 type. The URI or registered relation type identifies the type of the 561 link relation. 563 The other members of the object have meaning only once the type of 564 link relation is understood. In some instances, the link relation 565 will have associated semantics enabling the client to query for other 566 resources on the Internet. In other instances, the link relation 567 will have associated semantics enabling the client to utilize the 568 other members of the link relation object without fetching additional 569 external resources. 571 URI link relation type values are compared using the "Simple String 572 Comparison" algorithm of Section 6.2.1 of RFC 3986. 574 The "rel" member MUST be present in the link relation object. 576 4.4.4.2. type 578 The value of the "type" member is a string that indicates the media 579 type [9] of the target resource (see RFC 6838 [10]). 581 The "type" member is OPTIONAL in the link relation object. 583 4.4.4.3. href 585 The value of the "href" member is a string that contains a URI 586 pointing to the target resource. 588 The "href" member is OPTIONAL in the link relation object. 590 4.4.4.4. titles 592 The "titles" object comprises zero or more name/value pairs whose 593 name is a language tag [11] or the string "und". The string is 594 human-readable and describes the link relation. More than one title 595 for the link relation MAY be provided for the benefit of users who 596 utilize the link relation and, if used, a language identifier SHOULD 597 be duly used as the name. If the language is unknown or unspecified, 598 then the name is "und". 600 A JRD SHOULD NOT include more than one title identified with the same 601 language tag (or "und") within the link relation object. Meaning is 602 undefined if a link relation object includes more than one title 603 named with the same language tag (or "und"), though this MUST NOT be 604 treated as an error. A client MAY select whichever title or titles 605 it wishes to utilize. 607 Here is an example of the titles object: 609 "titles" : 610 { 611 "en-us" : "The Magical World of Steve", 612 "fr" : "Le Monde Magique de Steve" 613 } 615 The "titles" member is OPTIONAL in the link relation object. 617 4.4.4.5. properties 619 The "properties" object within the link relation object comprises 620 zero or more name/value pairs whose names are URIs (referred to as 621 "property identifiers") and whose values are strings or null. 622 Properties are used to convey additional information about the link 623 relation. As an example, consider this use of "properties": 625 "properties" : { "http://webfinger.example/mail/port" : "993" } 627 The "properties" member is OPTIONAL in the link relation object. 629 4.5. WebFinger and URIs 631 WebFinger requests include a "resource" parameter (see Section 4.1) 632 specifying the query target (URI) for which the client requests 633 information. WebFinger is neutral regarding the scheme of such a 634 URI: it could be an "acct" URI [18], an "http" or "https" URI, a 635 "mailto" URI [19], or some other scheme. 637 5. Cross-Origin Resource Sharing (CORS) 639 WebFinger resources might not be accessible from a web browser due to 640 "Same-Origin" policies. The current best practice is to make 641 resources available to browsers through Cross-Origin Resource Sharing 642 (CORS) [7], and servers MUST include the Access-Control-Allow-Origin 643 HTTP header in responses. Servers SHOULD support the least 644 restrictive setting by allowing any domain access to the WebFinger 645 resource: 647 Access-Control-Allow-Origin: * 649 There are cases where defaulting to the least restrictive setting is 650 not appropriate, for example a server on an intranet that provides 651 sensitive company information SHOULD NOT allow CORS requests from any 652 domain, as that could allow leaking of that sensitive information. A 653 server that wishes to restrict access to information from external 654 entities SHOULD use a more restrictive Access-Control-Allow-Origin 655 header. 657 6. Access Control 659 As with all web resources, access to the WebFinger resource could 660 require authentication. Further, failure to provide required 661 credentials might result in the server forbidding access or providing 662 a different response than had the client authenticated with the 663 server. 665 Likewise, a WebFinger resource MAY provide different responses to 666 different clients based on other factors, such as whether the client 667 is inside or outside a corporate network. As a concrete example, a 668 query performed on the internal corporate network might return link 669 relations to employee pictures, whereas link relations for employee 670 pictures might not be provided to external entities. 672 Further, link relations provided in a WebFinger resource 673 representation might point to web resources that impose access 674 restrictions. For example, the aforementioned corporate server may 675 provide both internal and external entities with URIs to employee 676 pictures, but further authentication might be required in order for 677 the client to access the picture resources if the request comes from 678 outside the corporate network. 680 The decisions made with respect to what set of link relations a 681 WebFinger resource provides to one client versus another and what 682 resources require further authentication, as well as the specific 683 authentication mechanisms employed, are outside the scope of this 684 document. 686 7. Hosted WebFinger Services 688 As with most services provided on the Internet, it is possible for a 689 domain owner to utilize "hosted" WebFinger services. By way of 690 example, a domain owner might control most aspects of their domain, 691 but use a third-party hosting service for email. In the case of 692 email, MX records identify mail servers for a domain. An MX record 693 points to the mail server to which mail for the domain should be 694 delivered. It does not matter to the sending mail server whether 695 those MX records point to a server in the destination domain or a 696 different domain. 698 Likewise, a domain owner might utilize the services of a third party 699 to provide WebFinger services on behalf of its users. Just as a 700 domain owner was required to insert MX records into DNS to allow for 701 hosted email serves, the domain owner is required to redirect HTTP 702 queries to its domain to allow for hosted WebFinger services. 704 When a query is issued to the WebFinger resource, the web server MUST 705 return a response with a redirection status code that includes a 706 Location header pointing to the location of the hosted WebFinger 707 service URI. This WebFinger service URI does not need to point to 708 the well-known WebFinger location on the hosting service provider 709 server. 711 As an example, assume that example.com's WebFinger services are 712 hosted by wf.example.net. Suppose a client issues a query for 713 acct:alice@example.com like this: 715 GET /.well-known/webfinger? 716 resource=acct%3Aalice%40example.com HTTP/1.1 717 Host: example.com 719 The server might respond with this: 721 HTTP/1.1 307 Temporary Redirect 722 Access-Control-Allow-Origin: * 723 Location: https://wf.example.net/example.com/webfinger? 724 resource=acct%3Aalice%40example.com 726 The client can then follow the redirection, re-issuing the request to 727 the URI provided in the Location header. Note that the server will 728 include any required URI parameters in the Location header value, 729 which could be different than the URI parameters the client 730 originally used. 732 8. Definition of WebFinger Applications 734 This specification details the protocol syntax used to query a domain 735 for information about a URI, the syntax of the JSON Resource 736 Descriptor (JRD) that is returned in response to that query, security 737 requirements and considerations, hosted WebFinger services, various 738 expected HTTP status codes, and so forth. However, this 739 specification does not enumerate the various possible properties or 740 link relation types that might be used in conjunction with WebFinger 741 for a particular application, nor does it define what properties or 742 link relation types one might expect to see in response to querying 743 for a particular URI or URI scheme. Nonetheless, all of these 744 unspecified elements are important in order to implement an 745 interoperable application that utilizes the WebFinger protocol and 746 MUST be specified in the relevant document(s) defining the particular 747 application making use of the WebFinger protocol according to the 748 procedures described in this section. 750 8.1. Specification of the URI Scheme and URI 752 Any application that uses WebFinger MUST specify the URI scheme(s) 753 and, to the extent appropriate, what forms the URI(s) might take. 754 For example, when querying for information about a user's account at 755 some domain, it might make sense to specify the use of the acct URI 756 scheme [18]. When trying to obtain the copyright information for a 757 web page, it makes sense to specify the use of the web page URI 758 (either http or https). 760 The examples in Sections 3.1 and 3.2 illustrate the use of different 761 URI schemes with WebFinger applications. In the example in Section 762 3.1, WebFinger is used to retrieve information pertinent to OpenID 763 Connect. In the example in Section 3.2, WebFinger is used to 764 discover metadata information about a web page, including author and 765 copyright information. Each of these applications of WebFinger needs 766 to be fully specified to ensure interoperability. 768 8.2. Host Resolution 770 As explained in Section 4, the host to which a WebFinger query is 771 issued is significant. In general, WebFinger applications would 772 adhere to the procedures described in Section 4 in order to properly 773 direct a WebFinger query. 775 However, some URI schemes do not have host portions and there might 776 be some applications of WebFinger for which the host portion of a URI 777 cannot or should not be utilized. In such instances, the application 778 specification MUST clearly define the host resolution procedures, 779 which might include provisioning a "default" host within the client 780 to which queries are directed. 782 8.3. Specification of Properties 784 WebFinger defines both subject-specific properties (i.e., properties 785 described in Section 4.4.3 that relate to the URI for which 786 information is queried) and link-specific properties (see Section 787 4.4.4.5). This section refers to subject-specific properties. 789 Applications that utilize subject-specific properties MUST define the 790 URIs used in identifying those properties, along with valid property 791 values. 793 Consider this portion of the JRD found in the example in Section 3.2. 795 "properties" : 796 { 797 "http://blgx.example.net/ns/version" : "1.3", 798 "http://blgx.example.net/ns/ext" : null 799 } 801 Here, two properties are returned in the WebFinger response. Each of 802 these would be defined in a WebFinger application specification. 803 These two properties might be defined in the same WebFinger 804 application specification or separately in different specifications. 805 Since the latter is possible, it is important that WebFinger clients 806 not assume that one property has any specific relationship with 807 another property unless some relationship is explicitly defined in 808 the particular WebFinger application specification. 810 8.4. Specification of Links 812 The links returned in a WebFinger response each comprise several 813 pieces of information, some of which are optional (refer to Section 814 4.4.4). The WebFinger application specification MUST define each 815 link and any values associated with a link, including the link 816 relation type ("rel"), the expected media type ("type"), properties, 817 and titles. 819 The target URI to which the link refers (i.e., the "href"), if 820 present, would not normally be specified in an application 821 specification. However, the URI scheme or any special 822 characteristics of the URI would usually be specified. If a 823 particular link does not require an external reference, then all of 824 the semantics related to the use of that link MUST be defined within 825 the application specification. Such links might rely only on 826 properties or titles in the link to convey meaning. 828 8.5. One URI, Multiple Applications 830 It is important to be mindful of the fact that different WebFinger 831 applications might specify the use of the same URI scheme and, in 832 effect, the same URI for different purposes. That should not be a 833 problem, since each of property identifier (see Sections 4.4.3 and 834 4.4.4.5) and link relation type would be uniquely defined for a 835 specific application. 837 It should be noted that when a client requests information about a 838 particular URI and receives a response with a number of different 839 property identifiers or link relation types that the response is 840 providing information about the URI without any particular semantics. 841 How the client interprets the information SHOULD be in accordance 842 with the particular application specification or set of 843 specifications the client implements. 845 Any syntactically valid properties or links the client receives and 846 that are not fully understood SHOULD be ignored and SHOULD NOT cause 847 the client to report an error. 849 8.6. Registration of Link Relation Types and Properties 851 Application specifications MAY define a simple token as a link 852 relation type for a link. In that case, the link relation type MUST 853 be registered with IANA as specified in Sections 10.3. 855 Further, any defined properties MUST be registered with IANA as 856 described in Section 10.4. 858 9. Security Considerations 860 9.1. Transport-Related Issues 862 Since this specification utilizes Cross-Origin Resource Sharing 863 (CORS) [7], all of the security considerations applicable to CORS are 864 also applicable to this specification. 866 The use of HTTPS is REQUIRED to ensure that information is not 867 modified during transit. It should be appreciated that in 868 environments where a web server is normally available, there exists 869 the possibility that a compromised network might have its WebFinger 870 resource operating on HTTPS replaced with one operating only over 871 HTTP. As such, clients MUST NOT issue queries over a non-secure 872 connection. 874 Clients MUST verify that the certificate used on an HTTPS connection 875 is valid (as defined in [12]) and accept a response only if the 876 certificate is valid. 878 9.2. User Privacy Considerations 880 Service providers and users should be aware that placing information 881 on the Internet means that any user can access that information and 882 WebFinger can be used to make it even easier to discover that 883 information. While WebFinger can be an extremely useful tool for 884 discovering one's avatar, blog, or other personal data, users should 885 understand the risks, too. 887 Systems or services that expose personal data via WebFinger MUST 888 provide an interface by which users can select which data elements 889 are exposed through the WebFinger interface. For example, social 890 networking sites might allow users to mark certain data as "public" 891 and then utilize that marking as a means of determining what 892 information to expose via WebFinger. The information published via 893 WebFinger would thus comprise only the information marked as public 894 by the user. Further, the user has the ability to remove information 895 from publication via WebFinger by removing this marking. 897 WebFinger MUST NOT be used to provide any personal data unless 898 publishing that data via WebFinger by the relevant service was 899 explicitly authorized by the person whose information is being 900 shared. Publishing one's personal data within an access-controlled 901 or otherwise limited environment on the Internet does not equate to 902 providing implicit authorization of further publication of that data 903 via WebFinger. 905 The privacy and security concerns with publishing personal data via 906 WebFinger are worth emphasizing again with respect to personal data 907 that might reveal a user's current context (e.g., the user's 908 location). The power of WebFinger comes from providing a single 909 place where others can find pointers to information about a person, 910 but service providers and users should be mindful of the nature of 911 that information shared and the fact that it might be available for 912 the entire world to see. Sharing location information, for example, 913 would potentially put a person in danger from any individual who 914 might seek to inflict harm on that person. 916 Users should be aware of how easily personal data one might publish 917 can be used in unintended ways. In one study relevant to WebFinger- 918 like services, Balduzzi et al. [20] took a large set of leaked email 919 addresses and demonstrated a number of potential privacy concerns, 920 including the ability to cross-correlate the same user's accounts 921 over multiple social networks. The authors also describe potential 922 mitigation strategies. 924 The easy access to user information via WebFinger was a design goal 925 of the protocol, not a limitation. If one wishes to limit access to 926 information available via WebFinger, such as WebFinger resources for 927 use inside a corporate network, the network administrator needs to 928 take necessary measures to limit access from outside the network. 929 Using standard methods for securing web resources, network 930 administrators do have the ability to control access to resources 931 that might return sensitive information. Further, a server can be 932 employed in such a way as to require authentication and prevent 933 disclosure of information to unauthorized entities. 935 9.3. Abuse Potential 937 Service providers should be mindful of the potential for abuse using 938 WebFinger. 940 As one example, one might query a WebFinger server only to discover 941 whether a given URI is valid or not. With such a query, the person 942 may deduce that an email identifier is valid, for example. Such an 943 approach could help spammers maintain a current list of known email 944 addresses and to discover new ones. 946 WebFinger could be used to associate a name or other personal data 947 with an email address, allowing spammers to craft more convincing 948 email messages. This might be of particular value in phishing 949 attempts. 951 It is RECOMMENDED that implementers of WebFinger server software take 952 steps to mitigate abuse, including malicious over-use of the server 953 and harvesting of user information. Although there is no mechanism 954 that can guarantee that publicly-accessible WebFinger databases won't 955 be harvested, rate-limiting by IP address will prevent or at least 956 dramatically slow harvest by private individuals without access to 957 botnets or other distributed systems. The reason these mitigation 958 strategies are not mandatory is that the correct choice of mitigation 959 strategy (if any) depends greatly on the context. Implementers 960 should not construe this as meaning that they do not need to consider 961 whether to use a mitigation strategy, and, if so, what strategy to 962 use. 964 WebFinger client developers should also be aware of potential abuse 965 by spammers or those phishing for information about users. As an 966 example, suppose a mail client was configured to automatically 967 perform a WebFinger query on the sender of each received mail 968 message. If a spammer sent an email using a unique identifier in the 969 'From' header, then when the WF query was performed the spammer would 970 be able to associate the request with a particular user's email 971 address. This would provide information to the spammer, including 972 the user's IP address, the fact the user just checked email, what 973 kind of WebFinger client the user utilized, and so on. For this 974 reason, it is strongly advised that clients not perform WebFinger 975 queries unless authorized by the user to do so. 977 9.4. Information Reliability 979 A WebFinger resource has no means of ensuring that information 980 provided by a user is accurate. Likewise, neither the resource nor 981 the client can be absolutely guaranteed that information has not been 982 manipulated either at the server or along the communication path 983 between the client and server. Use of HTTPS helps to address some 984 concerns with manipulation of information along the communication 985 path, but it clearly cannot address issues where the resource 986 provided incorrect information, either due to being provided false 987 information or due to malicious behavior on the part of the server 988 administrator. As with any information service available on the 989 Internet, users should be wary of information received from untrusted 990 sources. 992 10. IANA Considerations 994 10.1. Well-Known URI 996 This specification registers the "webfinger" well-known URI in the 997 Well-Known URI Registry as defined by [3]. 999 URI suffix: webfinger 1001 Change controller: IETF 1003 Specification document(s): RFC XXXX 1005 Related information: The query to the WebFinger resource will 1006 include one or more parameters in the query string; see Section 4.1 1007 of RFCXXXX. Resources at this location are able to return a JSON 1008 Resource Descriptor (JRD) as described in Section 4.4 of RFCXXXX. 1010 [RFC EDITOR: Please replace "XXXX" references in this section and the 1011 following section with the number for this RFC.] 1013 10.2. JSON Resource Descriptor (JRD) Media Type 1015 This specification registers the media type application/jrd+json for 1016 use with WebFinger in accordance with media type registration 1017 procedures defined in [10]. 1019 Type name: application 1021 Subtype name: jrd+json 1023 Required parameters: N/A 1025 Optional parameters: N/A 1027 In particular, because RFC 4627 already defines the character 1028 encoding for JSON, no "charset" parameter is used. 1030 Encoding considerations: See RFC 6839, Section 3.1. 1032 Security considerations: 1034 The JSON Resource Descriptor (JRD) is a JavaScript Object Notation 1035 (JSON) object. It is a text format that must be parsed by entities 1036 that wish to utilize the format. Depending on the language and 1037 mechanism used to parse a JSON object, it is possible for an 1038 attacker to inject behavior into a running program. Therefore, 1039 care must be taken to properly parse a received JRD to ensure that 1040 only a valid JSON object is present and that no JavaScript or other 1041 code is injected or executed unexpectedly. 1043 Interoperability considerations: 1045 This media type is a JavaScript Object Notation (JSON) object and 1046 can be consumed by any software application that can consume JSON 1047 objects. 1049 Published specification: RFC XXXX 1051 Applications that use this media type: 1053 The JSON Resource Descriptor (JRD) is used by the WebFinger 1054 protocol (RFC XXXX) to enable the exchange of information between a 1055 client and a WebFinger resource over HTTPS. 1057 Fragment identifier considerations: 1059 The syntax and semantics of fragment identifiers SHOULD be as 1060 specified for "application/json". (At publication of this 1061 document, there is no fragment identification syntax defined for 1062 "application/json".) 1064 Additional information: 1066 Deprecated alias names for this type: N/A 1068 Magic number(s): N/A 1070 File extension(s): jrd 1072 Macintosh file type code(s): N/A 1074 Person & email address to contact for further information: 1076 Paul E. Jones 1078 Intended usage: COMMON 1080 Restrictions on usage: N/A 1082 Author: Paul E. Jones 1084 Change controller: 1086 IESG has change control over this registration. 1088 Provisional registration? (standards tree only): N/A 1090 10.3. Registering Link Relation Types 1092 RFC 5988 established a Link Relation Type Registry that is re-used by 1093 WebFinger applications. 1095 Link relation types used by WebFinger applications are registered in 1096 the Link Relations Type Registry as per the procedures of Section 1097 6.2.1 of RFC 5988. The "Notes" entry for the registration SHOULD 1098 indicate if property values associated with the link relation type 1099 are registered in the WebFinger Properties registry with a link to 1100 the registry. 1102 10.4. Establishment of the WebFinger Properties Registry 1104 WebFinger utilizes URIs to identify properties of a subject or link 1105 and the associated values (see Section 8.3 and Section 8.6). This 1106 specification establishes a new "WebFinger Properties" registry to 1107 record property identifiers. 1109 10.4.1. The Registration Template 1111 The registration template for WebFinger properties is: 1113 o Property Identifier: 1115 o Link Type: 1117 o Description: 1119 o Reference: 1121 o Notes: [optional] 1123 The "Property Identifier" must be a URI that identifies the property 1124 being registered. 1126 The "Link Type" contains the name of a Link Relation Type with which 1127 this property identifier is used. If the property is a subject- 1128 specific property, then this field is specified as "N/A". 1130 The "Description" is intended to explaining the purpose of the 1131 property. 1133 The "Reference" field points to the specification that defines the 1134 registered property. 1136 The optional "Notes" field is for conveying any useful information 1137 about the property that might be of value to implementers. 1139 10.4.2. The Registration Procedures 1141 The IETF has created a mailing list, webfinger@ietf.org, which can be 1142 used for public discussion of the WebFinger protocol and any 1143 applications that use it. Prior to registration of a WebFinger 1144 property, discussion on the mailing list is strongly encouraged. The 1145 IESG has appointed Designated Experts who will monitor the 1146 webfinger@ietf.org mailing list and review registrations. 1148 A WebFinger property is registered with a Specification Required (see 1149 RFC 5226 [13]) after a review by the Designated Expert(s). The 1150 review is normally expected to take on the order of two to four 1151 weeks. However, the Designated Expert(s) may approve a registration 1152 prior to publication of a specification once the Designated Expert(s) 1153 are satisfied that such a specification will be published. In 1154 evaluating registration requests, the Designated Expert(s) should 1155 make an effort to avoid registering two different properties that 1156 have the same meaning. Where a proposed property is similar to an 1157 already-defined property, Designated Expert(s) should insist that 1158 enough text be included in the description or notes section of the 1159 template to sufficiently differentiate the new property from an 1160 existing one. 1162 The registration procedure begins when a completed registration 1163 template (as defined above) sent to webfinger@ietf.org and 1164 iana@iana.org. IANA will track the review process and communicate 1165 the results to the registrant. The WebFinger mailing list provides 1166 an opportunity for community discussion and input, and the Designated 1167 Expert(s) may use that input to inform their review. Denials should 1168 include an explanation and, if applicable, suggestions as to how to 1169 make the request successful if re-submitted. 1171 The specification registering the WebFinger property MUST include the 1172 completed registration template shown above. Once the registration 1173 procedure concludes successfully, IANA creates or modifies the 1174 corresponding record in the "WebFinger Properties" registry. 1176 11. Acknowledgments 1178 This document has benefited from extensive discussion and review of 1179 many of the members of the APPSAWG working group. The authors would 1180 like to especially acknowledge the invaluable input of Eran Hammer- 1181 Lahav, Blaine Cook, Brad Fitzpatrick, Laurent-Walter Goix, Joe 1182 Clarke, Peter Saint-Andre, Dick Hardt, Tim Bray, James Snell, Melvin 1183 Carvalho, Evan Prodromou, Mark Nottingham, Elf Pavlik, Bjoern 1184 Hoehrmann, Subramanian Moonesamy, Joe Gregorio, John Bradley, and 1185 others that we have undoubtedly, but inadvertently, missed. 1187 The authors would also like to express their gratitude to the chairs 1188 of APPSAWG, especially Salvatore Loreto for his assistance in 1189 shepherding this document. We also want to thank Barry Leiba and 1190 Pete Resnick, the Applications Area Directors, for their support and 1191 exhaustive reviews. 1193 12. References 1195 12.1. Normative References 1197 [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement 1198 Levels", BCP 14, RFC 2119, March 1997. 1200 [2] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., 1201 Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol -- 1202 HTTP/1.1", RFC 2616, June 1999. 1204 [3] Nottingham, M., Hammer-Lahav, E., "Defining Well-Known Uniform 1205 Resource Identifiers (URIs)", RFC 5785, April 2010. 1207 [4] Nottingham, M., "Web Linking", RFC 5988, October 2010. 1209 [5] Crockford, D., "The application/json Media Type for JavaScript 1210 Object Notation (JSON)", RFC 4627, July 2006. 1212 [6] Berners-Lee, T., Fielding, R., and Masinter, L., "Uniform 1213 Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, 1214 January 2005. 1216 [7] Van Kesteren, A., "Cross-Origin Resource Sharing", W3C CORS 1217 http://www.w3.org/TR/cors/, July 2010. 1219 [8] IANA, "Link Relations", http://www.iana.org/assignments/link- 1220 relations/. 1222 [9] IANA, "MIME Media Types", 1223 http://www.iana.org/assignments/media-types/index.html. 1225 [10] Freed, N., Klensin, J., Hansen, T., "Media Type Specifications 1226 and Registration Procedures", RFC 6838, January 2013. 1228 [11] Phillips, A., Davis, M., "Tags for Identifying Languages", RFC 1229 5646, January 2009. 1231 [12] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. 1233 [13] Narten, T. and H. Alvestrand, "Guidelines for Writing an, IANA 1234 Considerations Section in RFCs", BCP 26, RFC 5226, May 2008. 1236 12.2. Informative References 1238 [14] Perreault, S., "vCard Format Specification", RFC 6350, August 1239 2011. 1241 [15] Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., 1242 Mortimore, C., and E. Jay, "OpenID Connect Messages 1.0", July 1243 2013, http://openid.net/specs/openid-connect-messages-1_0.html. 1245 [16] Hammer-Lahav, E. and Cook, B., "Web Host Metadata", RFC 6415, 1246 October 2011. 1248 [17] Hammer-Lahav, E. and W. Norris, "Extensible Resource Descriptor 1249 (XRD) Version 1.0", http://docs.oasis- 1250 open.org/xri/xrd/v1.0/xrd-1.0.html. 1252 [18] Saint-Andre, P., "The 'acct' URI Scheme", draft-ietf-appsawg- 1253 acct-uri-06, July 2013. 1255 [19] Duerst, M., Masinter, L., and J. Zawinski, "The 'mailto' URI 1256 Scheme", RFC 6068, October 2010. 1258 [20] Balduzzi, Marco, et al., "Abusing social networks for automated 1259 user profiling", Recent Advances in Intrusion Detection, 1260 Springer Berlin Heidelberg, 2010, 1261 https://www.eurecom.fr/en/publication/3042/download/rs-publi- 1262 3042_1.pdf. 1264 Author's Addresses 1266 Paul E. Jones 1267 Cisco Systems, Inc. 1268 7025 Kit Creek Rd. 1269 Research Triangle Park, NC 27709 1270 USA 1272 Phone: +1 919 476 2048 1273 Email: paulej@packetizer.com 1274 IM: xmpp:paulej@packetizer.com 1276 Gonzalo Salgueiro 1277 Cisco Systems, Inc. 1278 7025 Kit Creek Rd. 1279 Research Triangle Park, NC 27709 1280 USA 1282 Phone: +1 919 392 3266 1283 Email: gsalguei@cisco.com 1284 IM: xmpp:gsalguei@cisco.com 1286 Michael B. Jones 1287 Microsoft 1289 Email: mbj@microsoft.com 1290 URI: http://self-issued.info/ 1292 Joseph Smarr 1293 Google 1295 Email: jsmarr@google.com