Thanks for asking these questions Hannes.  I'll first provide a brief feature 
comparison of Simple Web Discovery and WebFinger and then answer your questions.

FEATURE COMPARISON

RESULT GRANULARITY AND PRIVACY CHARACTERISTICS:  SWD returns the resource 
location(s) for a specific resource for a specific principal.  WebFinger 
returns all resources for the principal.  The example at 
http://tools.ietf.org/html/draft-jones-appsawg-webfinger-03#section-3.2 
"Retrieving a Person's Contact Information" is telling.  The WebFinger usage 
model seems to be "I'll get everything about you and then fish through it to 
decide what to do with it."  The protocol assumption that all WebFinger 
information must be public is also built into the protocol where the CORS 
response header "Access-Control-Allow-Origin: *" is mandated, per 
http://tools.ietf.org/html/draft-jones-appsawg-webfinger-03#section-7.  The 
privacy characteristics of these approaches are very different.  (It's these 
very same privacy characteristics that led sysadmins to nearly ubiquitously 
disabling the fingerd service!)  Particularly for the OAuth use cases, narrow, 
scoped, and potentially permissioned responses seem preferable.

DOCUMENT VERSUS API MODEL, DEPLOYABILITY, AND SECURITY:  WebFinger is built on 
a "document model", where a single document is returned that contains multiple 
resources for a principal.  SWD is built on an "API model", where the 
location(s) of a particular resource for a principal are returned.  The problem 
with the document model is that different parties or services may be 
authoritative for different resources for a given principal, and yet all need 
the rights to edit the resulting document.  This hurts deployability, because 
document edits then need to be coordinated among parties that may have 
different rights and responsibilities, and may have negative security 
implications as well.  (Just because I can change your avatar doesn't mean that 
I should be able to change your mail server.)

REDIRECT FUNCTIONALITY AND DEPLOYABILITY:  SWD includes the ability to redirect 
some or all SWD requests to another location (possibly depending upon the 
specific resource and principal parameters).  Deployers hosting numerous sites 
for others told the SWD authors that this functionality is critical for 
deployability, as it means that the SWD server for a domain can live in a 
location outside the domain.  WebFinger is lacking this functionality.  Given 
that OAuth is likely to be used in hosted environments, this functionality 
seems pretty important.

NUMBER OF ROUND TRIPS:  WebFinger discoveries for user information normally 
require both a host-meta query to retrieve the template and then a second query 
to retrieve the user's information.  This functionality is achieved in a single 
SWD query.

XML AND JSON VERSUS JSON:  WebFinger specifies both XML and JSON support, 
whereas SWD specifies only JSON.  The SWD position is that it's simpler to 
specify only one way of doing the same thing, with JSON being chosen because 
it's simpler for developers to use than XML - the same decision as made for the 
OAuth specs.

DEFINING SPECIFIC RESOURCES:  Besides specifying a discovery protocol, 
WebFinger also defines specific resources and kinds of resources to be used 
with that protocol:  the "acct" URI scheme, the "acct" Link Relation.  These 
should be considered on their own merits, but logically should be decoupled 
from the discovery protocol into a different document or documents.  It's not 
clear these features would be needed in OAuth contexts.

QUESTIONS

1) Aren't these two mechanisms solving pretty much the same problem?

               They are solving an overlapping set of problems, but with very 
different privacy characteristics, different deployability characteristics, 
different security characteristics, and somewhat different mechanisms.

2) Do we need to have two standards for the same functionality?

               No - Simple Web Discovery is sufficient for the OAuth use cases 
(and likely for others as well).

3) Do you guys have a position or comments regarding either one of them?

               The functionality in Simple Web Discovery is minimal and 
sufficient for the OAuth use cases, whereas some of the functionality and 
assumptions made in WebFinger are harmful, both from a privacy and from a 
deployability perspective.  SWD should proceed to standardization; WebFinger 
should not.

                                                            -- Mike
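An added illustration of the two models Mike contrasts above (example code written here, not code from either Internet-Draft or from anyone in the thread): an in-memory simulation of a WebFinger-style document lookup (host-meta plus a second fetch, every link returned, wildcard CORS) beside an SWD-style per-service query that can be redirected to a server outside the domain. Host names, principals, service URIs, the record layouts, the lrdd template and the redirect field name are all constructed assumptions for the demo, not the drafts' wire formats.

```python
"""Simulation of document-model vs API-model discovery.

Constructed for illustration; nothing here is taken from the drafts.
"""

# Constructed sample directory: host that actually holds the data ->
# principal -> service (link relation) URI -> locations.
DIRECTORY = {
    "example.com": {
        "alice@example.com": {
            "http://example.com/rel/avatar": ["https://img.example.com/alice.png"],
            "http://example.com/rel/issuer": ["https://login.example.com"],
            "http://example.com/rel/mail": ["mailto:alice@example.com"],
        },
    },
    # A hosted domain whose discovery data is served by a third party.
    "swd.provider.example": {
        "bob@hosted.example.net": {
            "http://example.com/rel/issuer": ["https://login.provider.example"],
        },
    },
}

# Constructed: hosts whose SWD endpoint redirects to another SWD server.
SWD_REDIRECTS = {"hosted.example.net": "https://swd.provider.example"}

MAX_REDIRECTS = 5  # bound so two misconfigured hosts cannot loop forever


def _host_of(principal):
    return principal.rsplit("@", 1)[1]


def webfinger_lookup(principal):
    """Document model: fetch host-meta, then the per-user document, and
    receive every link the host publishes for the principal.
    Returns (document, response_headers, requests_made)."""
    host = _host_of(principal)
    requests = [
        f"GET https://{host}/.well-known/host-meta",       # get the template
        f"GET https://{host}/lrdd?uri=acct:{principal}",   # assumed template
    ]
    record = DIRECTORY.get(host, {}).get(principal, {})
    document = {
        "subject": f"acct:{principal}",
        "links": [{"rel": rel, "href": href}
                  for rel, hrefs in record.items() for href in hrefs],
    }
    # The draft mandates a wildcard CORS header: the document is public.
    headers = {"Access-Control-Allow-Origin": "*"}
    return document, headers, requests


def swd_server(host, principal, service):
    """Server side of the API model: answer for one (principal, service)
    pair only, or redirect the client to the authoritative server."""
    if host in SWD_REDIRECTS:
        return {"SWD_service_redirect": {"location": SWD_REDIRECTS[host]}}
    locations = DIRECTORY.get(host, {}).get(principal, {}).get(service, [])
    return {"locations": list(locations)}


def swd_lookup(principal, service):
    """Client side: one query per (principal, service), following a bounded
    number of redirects. Returns (locations, requests_made)."""
    host = _host_of(principal)
    requests = []
    for _ in range(MAX_REDIRECTS):
        requests.append(
            f"GET https://{host}/.well-known/simple-web-discovery"
            f"?principal={principal}&service={service}")
        reply = swd_server(host, principal, service)
        redirect = reply.get("SWD_service_redirect")
        if redirect is None:
            return reply["locations"], requests
        host = redirect["location"].removeprefix("https://")
    raise RuntimeError("too many SWD redirects")


def disclosed_relations(document):
    """Which link relations a requester learns from one WebFinger document."""
    return {link["rel"] for link in document["links"]}


if __name__ == "__main__":
    doc, hdrs, wf = webfinger_lookup("alice@example.com")
    print(len(wf), "WebFinger requests;", len(doc["links"]), "links disclosed")
    locs, swd = swd_lookup("alice@example.com", "http://example.com/rel/issuer")
    print(len(swd), "SWD request;", locs)
    locs, swd = swd_lookup("bob@hosted.example.net", "http://example.com/rel/issuer")
    print(len(swd), "SWD requests via redirect;", locs)
```

Running it shows the three points in numbers: the WebFinger path costs two requests and discloses all three relations to any origin, while the SWD path costs one request for the local domain (two when the hosted domain redirects) and discloses only the one location asked for.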

-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of 
Hannes Tschofenig
Sent: Thursday, April 12, 2012 4:00 AM
To: oauth@ietf.org WG
Subject: [OAUTH-WG] Web Finger vs. Simple Web Discovery (SWD)

Hi all, 

those who had attended the last IETF meeting may have noticed the ongoing 
activity in the 'Applications Area Working Group' regarding Web Finger. 
We had our discussion regarding Simple Web Discovery (SWD) as part of the 
re-chartering process. 

Here are the two specifications:
http://tools.ietf.org/html/draft-jones-appsawg-webfinger-03
http://tools.ietf.org/html/draft-jones-simple-web-discovery-02

Now, the questions that seem to be hanging around are

 1) Aren't these two mechanisms solving pretty much the same problem?
 2) Do we need to have two standards for the same functionality?
 3) Do you guys have a position or comments regarding either one of them? 

Ciao
Hannes

PS: Please also let me know if your view is: "I don't really know what all this 
is about and the documents actually don't provide enough requirements to make a 
reasonable judgement about the solution space."

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth