Hi Murray, it is great to see that you are pushing things forward here but I believe you are going a bit too fast.
>From the comments I have seen so far I got the impression that many got >confused by UR schemes: mailto: and the acct: are different. The discussions around XML vs. JSON are unfortunately also hiding the real important discussion, namely privacy. We are actually building, without further thinking about it, a mechanism that offers worse privacy properties compared to what we have in other protocols today. See this in terms of the interaction between a relying party and an identity provider then other IETF protocols today (e.g., AAA) does not require the relying party to see the username part of the identifier. In fact AAA offers various mechanisms to hide the username component to the relying party since it is really only needed by the identity provider. So, I would encourage the group to think about how to accomplish equivalent functionality without unnecessarily revealing identifiers to parties that are not supposed to get them. I also think it is useful to think about the bigger picture,namely the integration with other protocols (such as OAuth). This will in most cases be needed when you actually fetch the data that is behind the discovered URIs. Assuming that all information is public anyway is not realistic and protocol design has to work with the difficult assumptions (not with the simplest). Furthermore, the usage of CORS is completely confused in the document. Hence, I heavily object to use this document as a starting point. I may also be the case that WebFinger is not the right tool for something like OAuth (and for discovery of protected resources altogether) since we do not want to design a solution that on one hand allows us not to reveal any user identifiers to the relying party (the client in OAuth) based on the current design and then completely destroy these properties when we add the discovery mechanisms in front of it. Ciao Hannes PS: I met some W3C folks last week and they mentioned that we should also take a look at Web Intents. I have not done that yet and do not know how suitable the W3C developed mechanisms therefore is. On May 4, 2012, at 8:31 PM, Murray S. Kucherawy wrote: > The above-named draft has been offered as the recommended path forward in > terms of converging on a single document to advance through appsawg. The > conversation I saw this week in that regard has seemed mostly positive. > > Please review it, or at least the diff, and indicate your support or > objection on apps-disc...@ietf.org to adopting this one as the common path > forward. We would like to make a decision about which one to begin advancing > in the next week or two. > > Have a good weekend! > > -MSK, APPSAWG co-chair > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
