Re: [apps-discuss] Last Call: draft-ietf-appsawg-webfinger-10.txt (WebFinger) to Proposed Standard
I suggest adding the sentence without the word implicitly. The result would be:

Further, WebFinger MUST NOT be used to provide any personal information to any party unless explicitly authorized by the person whose information is being shared. Publishing one's personal data within an access-controlled or otherwise limited environment on the Internet does not equate to providing authorization of further publication of that data via WebFinger.

Thanks,
Alissa

On Mar 20, 2013, at 9:28 PM, Paul E. Jones pau...@packetizer.com wrote:

Alissa,

It was suggested that we remove the word implicit. I'm OK with removing it. If we did that, would you want to add this new sentence or a modified version of it?

Paul

-----Original Message-----
From: apps-discuss-boun...@ietf.org [mailto:apps-discuss-boun...@ietf.org] On Behalf Of Alissa Cooper
Sent: Monday, March 18, 2013 11:31 AM
To: ietf@ietf.org
Cc: apps-disc...@ietf.org
Subject: Re: [apps-discuss] Last Call: draft-ietf-appsawg-webfinger-10.txt (WebFinger) to Proposed Standard

Given how little control Internet users already have over which information about them appears in which context, I do not have a lot of confidence that the claimed discoverability benefits of WebFinger outweigh its potential to further degrade users' ability to keep particular information about themselves within specific silos. However, I'm coming quite late to this document, so perhaps that balancing has already been discussed, and it strikes me as unreasonable to try to stand in the way of publication at this point.

Two suggestions in section 8:

s/personal information/personal data/ (see http://tools.ietf.org/html/draft-iab-privacy-considerations-06#section-2.2 -- personal data is a more widely accepted term and covers a larger range of information about people)

The normative prohibition against using WebFinger to publish personal data without authorization is good, but the notion of implicit authorization leaves much uncertainty about what I imagine will be a use case of interest: taking information out of a controlled context and making it more widely available. To make it obvious that this has been considered, I would suggest adding one more sentence to the end of the fourth paragraph:

Publishing one's personal data within an access-controlled or otherwise limited environment on the Internet does not equate to providing implicit authorization of further publication of that data via WebFinger.

Alissa

On Mar 4, 2013, at 3:24 PM, The IESG iesg-secret...@ietf.org wrote:

The IESG has received a request from the Applications Area Working Group WG (appsawg) to consider the following document:
- 'WebFinger' draft-ietf-appsawg-webfinger-10.txt as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2013-03-18. Exceptionally, comments may be sent to i...@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.

Abstract

This specification defines the WebFinger protocol, which can be used to discover information about people or other entities on the Internet using standard HTTP methods. WebFinger discovers information for a URI that might not be usable as a locator otherwise, such as account or email URIs.

The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-appsawg-webfinger/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-appsawg-webfinger/ballot/

No IPR declarations have been submitted directly on this I-D.

___
apps-discuss mailing list
apps-disc...@ietf.org
https://www.ietf.org/mailman/listinfo/apps-discuss
RE: [apps-discuss] Last Call: draft-ietf-appsawg-webfinger-10.txt (WebFinger) to Proposed Standard
Got it. Thanks! I'll make that change.

Paul

-----Original Message-----
From: Alissa Cooper [mailto:acoo...@cdt.org]
Sent: Thursday, March 21, 2013 9:45 AM
To: Paul E. Jones
Cc: ietf@ietf.org; apps-disc...@ietf.org; webfin...@ietf.org
Subject: Re: [apps-discuss] Last Call: draft-ietf-appsawg-webfinger-10.txt (WebFinger) to Proposed Standard

I suggest adding the sentence without the word implicitly. The result would be:

Further, WebFinger MUST NOT be used to provide any personal information to any party unless explicitly authorized by the person whose information is being shared. Publishing one's personal data within an access-controlled or otherwise limited environment on the Internet does not equate to providing authorization of further publication of that data via WebFinger.

Thanks,
Alissa

On Mar 20, 2013, at 9:28 PM, Paul E. Jones pau...@packetizer.com wrote:

Alissa,

It was suggested that we remove the word implicit. I'm OK with removing it. If we did that, would you want to add this new sentence or a modified version of it?

Paul

-----Original Message-----
From: apps-discuss-boun...@ietf.org [mailto:apps-discuss-boun...@ietf.org] On Behalf Of Alissa Cooper
Sent: Monday, March 18, 2013 11:31 AM
To: ietf@ietf.org
Cc: apps-disc...@ietf.org
Subject: Re: [apps-discuss] Last Call: draft-ietf-appsawg-webfinger-10.txt (WebFinger) to Proposed Standard

Given how little control Internet users already have over which information about them appears in which context, I do not have a lot of confidence that the claimed discoverability benefits of WebFinger outweigh its potential to further degrade users' ability to keep particular information about themselves within specific silos. However, I'm coming quite late to this document, so perhaps that balancing has already been discussed, and it strikes me as unreasonable to try to stand in the way of publication at this point.

Two suggestions in section 8:

s/personal information/personal data/ (see http://tools.ietf.org/html/draft-iab-privacy-considerations-06#section-2.2 -- personal data is a more widely accepted term and covers a larger range of information about people)

The normative prohibition against using WebFinger to publish personal data without authorization is good, but the notion of implicit authorization leaves much uncertainty about what I imagine will be a use case of interest: taking information out of a controlled context and making it more widely available. To make it obvious that this has been considered, I would suggest adding one more sentence to the end of the fourth paragraph:

Publishing one's personal data within an access-controlled or otherwise limited environment on the Internet does not equate to providing implicit authorization of further publication of that data via WebFinger.

Alissa

On Mar 4, 2013, at 3:24 PM, The IESG iesg-secret...@ietf.org wrote:

The IESG has received a request from the Applications Area Working Group WG (appsawg) to consider the following document:
- 'WebFinger' draft-ietf-appsawg-webfinger-10.txt as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2013-03-18. Exceptionally, comments may be sent to i...@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.

Abstract

This specification defines the WebFinger protocol, which can be used to discover information about people or other entities on the Internet using standard HTTP methods. WebFinger discovers information for a URI that might not be usable as a locator otherwise, such as account or email URIs.

The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-appsawg-webfinger/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-appsawg-webfinger/ballot/

No IPR declarations have been submitted directly on this I-D.
RE: [apps-discuss] Last Call: draft-ietf-appsawg-webfinger-10.txt (WebFinger) to Proposed Standard
Alissa,

It was suggested that we remove the word implicit. I'm OK with removing it. If we did that, would you want to add this new sentence or a modified version of it?

Paul

-----Original Message-----
From: apps-discuss-boun...@ietf.org [mailto:apps-discuss-boun...@ietf.org] On Behalf Of Alissa Cooper
Sent: Monday, March 18, 2013 11:31 AM
To: ietf@ietf.org
Cc: apps-disc...@ietf.org
Subject: Re: [apps-discuss] Last Call: draft-ietf-appsawg-webfinger-10.txt (WebFinger) to Proposed Standard

Given how little control Internet users already have over which information about them appears in which context, I do not have a lot of confidence that the claimed discoverability benefits of WebFinger outweigh its potential to further degrade users' ability to keep particular information about themselves within specific silos. However, I'm coming quite late to this document, so perhaps that balancing has already been discussed, and it strikes me as unreasonable to try to stand in the way of publication at this point.

Two suggestions in section 8:

s/personal information/personal data/ (see http://tools.ietf.org/html/draft-iab-privacy-considerations-06#section-2.2 -- personal data is a more widely accepted term and covers a larger range of information about people)

The normative prohibition against using WebFinger to publish personal data without authorization is good, but the notion of implicit authorization leaves much uncertainty about what I imagine will be a use case of interest: taking information out of a controlled context and making it more widely available. To make it obvious that this has been considered, I would suggest adding one more sentence to the end of the fourth paragraph:

Publishing one's personal data within an access-controlled or otherwise limited environment on the Internet does not equate to providing implicit authorization of further publication of that data via WebFinger.

Alissa

On Mar 4, 2013, at 3:24 PM, The IESG iesg-secret...@ietf.org wrote:

The IESG has received a request from the Applications Area Working Group WG (appsawg) to consider the following document:
- 'WebFinger' draft-ietf-appsawg-webfinger-10.txt as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2013-03-18. Exceptionally, comments may be sent to i...@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.

Abstract

This specification defines the WebFinger protocol, which can be used to discover information about people or other entities on the Internet using standard HTTP methods. WebFinger discovers information for a URI that might not be usable as a locator otherwise, such as account or email URIs.

The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-appsawg-webfinger/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-appsawg-webfinger/ballot/

No IPR declarations have been submitted directly on this I-D.
RE: [apps-discuss] Last Call: draft-ietf-appsawg-webfinger-10.txt (WebFinger) to Proposed Standard
Hannes,

I was hoping that some of the remarks that I provided last year (e.g., http://www.ietf.org/mail-archive/web/oauth/current/msg08965.html) would help to clarify the content of the document. That didn't quite happen...

Yeah, I wasn't copied.

In earlier versions of the document I had the impression that the acct: URI scheme always had to be used as input to the lookup process but as Section 4.5 explains this is not necessary. The resource parameter may contain other URIs as well. Section 4.5 does not give a lot of description of when certain URIs are utilized.

Correct, any URI might be used. That does not mean that the server will respond for every URI, but some wanted acct and email and tel URIs, for example. Also, using an HTTP URI could be used to return additional information about a URI.

For example, in Section 3.1 the example talks about a user receiving an email from b...@example.com and this email address is then used by WebFinger but the request example shows an acct: URI scheme (rather than a mailto URI). It seems that there is the unstated assumption (at least in that example) that the mailto URI is the same as the acct: URI, which of course isn't necessarily the case. I believe it would be good to state these assumptions to avoid confusing the reader.

Fair point. How about immediately following the example, we add: 'Note the assumption made in the above example that there is an acct URI for the given mailto URI. This is not always the case.'

Think about it: If you receive a SIP URI (which also has an email-like structure with a username @ domain part) that does not mean that you can use this as an email address either. In some rare cases you might.

That's definitely true. However, this is one reason for encouraging the use of the acct URI scheme, though. In general (though not always), there is an account associated with the user. The SIP URI, mailto URI, etc., each have a user part. I believe it is a reasonable assumption that there *may be* an 'acct' URI for the user. If not, WF will return nothing. We intended WF to be useful to humans, too, which means that if a user sees pau...@packetizer.com, the user will assume that might be a means of reaching paulej at packetizer.com using any number of tools (email, XMPP, H.323, etc.). They would be correct for most. Thus, there is encouragement for WF servers to use the acct URI.

If you believe that everyone would get the difference anyway (because the URI scheme determines the semantic of the identifier) then have a look at the Google WebFinger page (see http://code.google.com/p/webfinger/). At least these guys don't understand the difference either.

There was even a proposal that we use no URI scheme at all and merely have the user@domain identifier. However, there is value in using a proper URI with WF, since querying h323:pau...@packetizer.com might return the address of my Gatekeeper, for example, versus the information that would be returned for my account.

In general, I am wondering whether there are additional assumptions implied about the URI scheme associated with the identifier in the lookup mechanism. For example, the text in Section 3.3 talks about email client configuration and it seems that the requestor is interested in receiving information about the email configuration based on the resource=mailto... URI scheme usage. If I use a different URI scheme (like an aaa: URI scheme) would my response look different?

Yeah, it might look different. What a WF server wishes to return for a given URI is really up to the administrator. It might be that the same information is returned for any given URI scheme having the same user@domain part, but the server could return different responses.

Then, there is a question about the lack of privacy considerations in the document.

We do have quite a bit of text in the security considerations section. This will be called out more clearly with sub-sections, but there are at least three full paragraphs on privacy, even going to the point of providing the example that sharing location information might put a person in danger from someone who wishes to inflict harm on them. Personally, I thought that went a bit overboard, but that text was requested, so it's there.

The usage of the WebFinger mechanism requires the requestor to have access to the full username@domain identifier. While this may be OK in some cases when the response relates very much to the specific user account it may be a problem in other cases. For example, in the OAuth case there is the idea that the user identifier may be hidden from the relying party but you have just required that identifier to be provided to the relying party to start the entire OAuth exchange (in the discovery).

WF is not for use with every protocol, so I cannot address OAuth generically. However, WF *is* used as a part of OpenID Connect. So, yes, the
Re: [apps-discuss] Last Call: draft-ietf-appsawg-webfinger-10.txt (WebFinger) to Proposed Standard
Given how little control Internet users already have over which information about them appears in which context, I do not have a lot of confidence that the claimed discoverability benefits of WebFinger outweigh its potential to further degrade users' ability to keep particular information about themselves within specific silos. However, I'm coming quite late to this document, so perhaps that balancing has already been discussed, and it strikes me as unreasonable to try to stand in the way of publication at this point.

Two suggestions in section 8:

s/personal information/personal data/ (see http://tools.ietf.org/html/draft-iab-privacy-considerations-06#section-2.2 -- personal data is a more widely accepted term and covers a larger range of information about people)

The normative prohibition against using WebFinger to publish personal data without authorization is good, but the notion of implicit authorization leaves much uncertainty about what I imagine will be a use case of interest: taking information out of a controlled context and making it more widely available. To make it obvious that this has been considered, I would suggest adding one more sentence to the end of the fourth paragraph:

Publishing one's personal data within an access-controlled or otherwise limited environment on the Internet does not equate to providing implicit authorization of further publication of that data via WebFinger.

Alissa

On Mar 4, 2013, at 3:24 PM, The IESG iesg-secret...@ietf.org wrote:

The IESG has received a request from the Applications Area Working Group WG (appsawg) to consider the following document:
- 'WebFinger' draft-ietf-appsawg-webfinger-10.txt as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2013-03-18. Exceptionally, comments may be sent to i...@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.

Abstract

This specification defines the WebFinger protocol, which can be used to discover information about people or other entities on the Internet using standard HTTP methods. WebFinger discovers information for a URI that might not be usable as a locator otherwise, such as account or email URIs.

The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-appsawg-webfinger/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-appsawg-webfinger/ballot/

No IPR declarations have been submitted directly on this I-D.
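
Two points argued in this thread, that a server may answer differently (or not at all) depending on the URI scheme of the resource parameter, and that nothing is published without the person's explicit authorization, sketched here as an added example; it is not code from the draft or from any participant. The record store, the "consent" field, the example.com rel values and the webfinger() helper are assumptions made for illustration, as is the choice to answer 404 when nothing is authorized.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample store, keyed by the exact URI (scheme included).
# "consent" holds the link relations the person explicitly authorized.
RECORDS = {
    "acct:bob@example.com": {
        "links": [
            {"rel": "http://webfinger.net/rel/profile-page",
             "href": "https://example.com/~bob"},
            {"rel": "https://example.com/rel/location",      # hypothetical rel
             "href": "https://example.com/~bob/where"},
        ],
        "consent": {"http://webfinger.net/rel/profile-page"},
    },
    # Data that exists only in an access-controlled silo: nothing authorized.
    "acct:carol@example.com": {
        "links": [{"rel": "http://webfinger.net/rel/profile-page",
                   "href": "https://intranet.example.com/carol"}],
        "consent": set(),
    },
    # A mailto: entry is its own record, not an alias for the acct: one.
    "mailto:bob@example.com": {
        "links": [{"rel": "https://example.com/rel/mail-config",  # hypothetical
                   "href": "https://example.com/autoconfig/bob"}],
        "consent": {"https://example.com/rel/mail-config"},
    },
}


def webfinger(request_target):
    """Return (status, body) for a /.well-known/webfinger request target."""
    query = parse_qs(urlsplit(request_target).query)
    resources = query.get("resource", [])
    if len(resources) != 1:
        return 400, None                    # missing or repeated parameter
    scheme, sep, rest = resources[0].partition(":")
    if not sep or not rest:
        return 400, None                    # bare user@domain is not a URI
    resource = scheme.lower() + ":" + rest
    record = RECORDS.get(resource)          # no fallback to another scheme
    if record is None:
        return 404, None
    allowed = [l for l in record["links"] if l["rel"] in record["consent"]]
    if not allowed:
        return 404, None    # same answer as "unknown", existence not revealed
    wanted = query.get("rel")
    if wanted:                              # optional rel filter
        allowed = [l for l in allowed if l["rel"] in wanted]
    return 200, json.dumps({"subject": resource, "links": allowed})
```
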