< draft-jones-appsawg-webfinger-00.txt | draft-jones-appsawg-webfinger-01.txt >

Network Working Group                                      Paul E. Jones
Internet Draft                                          Gonzalo Salgueiro
Intended status: Standards Track                           Cisco Systems
Expires: September 12, 2012                                 Joseph Smarr
                                                                  Google
                                                          March 12, 2012

                               Webfinger
                   draft-jones-appsawg-webfinger-01.txt

(draft-jones-appsawg-webfinger-00.txt: dated October 23, 2011, expiring
April 23, 2012; same authors, affiliations and intended status.)

Abstract

draft-jones-appsawg-webfinger-00.txt:

This specification defines procedures for discovering information
about people.

draft-jones-appsawg-webfinger-01.txt:

This specification defines the Webfinger protocol. Webfinger may be
used to discover information about people on the Internet, such as a
person's personal profile address, identity service, telephone
number, or preferred avatar. Webfinger may also be used to learn
information about objects on the network, such as the amount of toner
in a printer or the physical location of a server.

Status of this Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on September 12, 2012 (draft-00:
April 23, 2012).

Copyright Notice

Copyright (c) 2012 (draft-00: 2011) IETF Trust and the persons
identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.

Table of Contents

draft-jones-appsawg-webfinger-00.txt:

1. Introduction
2. Terminology
3. Example Uses of Webfinger
3.1. Locating a User's Blog
3.2. Populating an Electronic Address Book
3.3. Simplifying the Login Process
4. The Webfinger Protocol
4.1. The acct URI Scheme
4.2. Performing a Webfinger Query
5. Support for the JSON Resource Descriptor (JRD)
6. Support for Cross-Origin Resource Sharing
7. Security Considerations
8. IANA Considerations
9. Acknowledgments
10. References
10.1. Normative References
10.2. Informative References
Author's Addresses

draft-jones-appsawg-webfinger-01.txt:

1. Introduction
2. Terminology
3. Example Uses of Webfinger
3.1. Locating a User's Blog
3.2. Retrieving a Person's Contact Information
3.3. Simplifying the Login Process
3.4. Retrieving Device Information
4. Webfinger Protocol
4.1. Performing a Webfinger Query
4.2. The Web Host Metadata "resource" Parameter
5. The "acct" URI
5.1. Using the "acct" URI
5.2. Syntax of "acct" URI
6. The "acct" Link Relation
7. Cross-Origin Resource Sharing (CORS)
8. Security Considerations
9. IANA Considerations
9.1. Registration of the "acct" URI scheme name
9.2. Registration of the "acct" Link Relation Type
10. Acknowledgments
11. References
11.1. Normative References
11.2. Informative References
Author's Addresses
draft-jones-appsawg-webfinger-00.txt:

1. Introduction

There is a utility found on UNIX systems called "finger" [10] that
allows a person to access information about another person. The
information being queried might be on a computer anywhere in the
world. The information returned via "finger" is simply a plain text
file that contains unstructured information provided by the queried
user.

The "finger" protocol failed to be adopted by most users on the
Internet primarily for two reasons. First, few users have an account
on a system that supports the "finger" protocol. Even if one's email
provider enabled the "finger" service, the information conveyed is
substantially less rich and valuable than what might be conveyed on a
personal homepage, blog, or social network site. Thus, there has
been no motivation on the part of service providers to provide the
service. Second, the information conveyed is entirely unstructured
and not useful for automated processes. As such, there is little
value to web programmers who might wish to use this information.

Webfinger does not try to improve on the legacy "finger" by allowing
users to provide rich content, at least not directly. Rather,
Webfinger focuses on making information available to automated
systems. What a user provides via the Webfinger protocol are
references to the rich and valuable content. The references may be
processed by automated systems and the referenced information
utilized as appropriate for the content. This referenced content may
include, but is certainly not limited to, a user's name, homepage,
blog, social network pages, contact information, authentication
service, or demographic information.

2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [1].

3. Example Uses of Webfinger

In this section, we describe just a few sample use cases for
Webfinger. This is by no means an exhaustive list. The list of
potential use cases is virtually limitless since through Webfinger, a
user can share any kind of machine-consumable information.

3.1. Locating a User's Blog

Suppose you meet somebody at a party and they provide you with their
email address. After the party, you decide to visit your new
friend's blog to learn more about them. How do you find it? You
could search for your friend's name on the Internet or on various
social networking sites, but sometimes it is very hard to locate a
person or information about a person with merely an email address or
a name.

Having an account profile established that supports Webfinger,
though, your friend could provide a pointer to his or her blog.
Thus, you could perform a search through a search engine, a social
networking site, or through any Webfinger client and discover your
friend's blog immediately.

3.2. Populating an Electronic Address Book

Most people have an address book of some sort. It might be stored in
a mobile phone, on the web, or as a part of an often used application
like an email client. Populating the address book is often
complicated, as one has to first collect the information and then
manually enter the data as required for the particular address book
software. This can be automated through the use of vCard [12], but
the challenge for most users is finding those vCards.

Again, Webfinger can help with this scenario. Within one's address
book software, one could enter the user's email address and the
software could automatically locate the target user's vCard file and
populate the right fields accordingly.

Since Webfinger is a web service and since contact information
changes from time to time, an electronic address book might
automatically refresh stored information for users as changes are
detected so that address book entries never go stale.

3.3. Simplifying the Login Process

We have all been frustrated with maintaining dozens or hundreds of
passwords for the various web sites that we visit. To address that
problem, technologies were developed to simplify the login process by
allowing users to utilize a single identity provider that can verify
user credentials and allow various web sites to trust that the user
trying to access certain resources is, indeed, who he or she claims
to be.

A challenge that remains with some solutions, though, is locating the
user's identity provider. Webfinger can help by advertising the
location of the user's identity provider, thus allowing the service
to perform a Webfinger query to discover that location and to
significantly simplify and improve the overall login process.

4. The Webfinger Protocol

Webfinger does not actually introduce a new protocol, per se.
Rather, it builds upon the existing Web Host Metadata [8] and the
Cross-Origin Resource Sharing [6] specifications.

4.1. The acct URI Scheme

The Web Host Metadata specification [8] refers to resources that may
be queried at a host. The protocol allows for any kind of resource
to be queried, but it is necessary to define a specific type of
resource in order to query information about a human user. For this
purpose, we introduce the "acct" URI scheme.

The "acct" URI scheme takes a familiar form in looking like an email
address. However, it is not an email address. Rather, it is an
account identifier. Quite often, and perhaps almost always, these
two values will appear to be virtually identical and software may
assume that if a user provides an email address to the system, the
associated user account may be accessed using the "acct" URI scheme
along with that email address. Users should never be required to
provide a system with the "acct" URI scheme name prepended in input
forms, but systems MUST accept the entry of the full URI if provided
by the user.

To ensure compatibility with email addresses, we define the Augmented
Backus-Naur Form (ABNF) [4] such that it borrows the non-terminal
definition of addr-spec from section 3.4.1 of RFC 5322 [5]. The
formal syntax for the "acct" URI scheme is:

acctURI = "acct:" addr-spec

QUESTION: Do we want to restrict the acct: URI to only be user@domain
and borrow the syntax from, say, the SIP spec? Or, do we want to
reference addr-spec as we have it now?

4.2. Performing a Webfinger Query

Given an identifier, a system may perform a Webfinger query to locate
additional information related to the user that owns the identifier.

If the "acct" URI scheme name is not prepended to the identifier,
"acct:" must be prepended before attempting a query. So, given the
identifier bob@example.com, the identifier must be converted to
acct:bob@example.com to successfully issue a Webfinger request.

With a proper URI in hand, a Webfinger client issues a request to the
domain associated with the identifier. In our example, the domain is
example.com. The initial query is made to /.well-known/host-meta as
per [8]. For example:

GET /.well-known/host-meta HTTP/1.1
Host: example.com

The response will contain any number of link relations. All of the
link relations MUST be ignored, except for the one named 'lrdd'
(Link-based Resource Descriptor Documents). It is the LRDD link
relation that is where clients issue requests for user accounts.

Let us assume that the Extensible Resource Descriptor (XRD) [7]
document returned from the server contained the following LRDD link
relation:

<Link rel="lrdd"
      type="application/xrd+xml"
      template="https://example.com/lrdd/?uri={uri}" />

If a client prefers to utilize JavaScript Object Notation (JSON) and
queries the /.well-known/host-meta.json resource, the following reply
snippet might be returned to the client, for example:

"link" :
[
  {
    "rel" : "lrdd",
    "type" : "application/json",
    "template" : "https://example.com/lrdd/?format=json&uri={uri}"
  }
]

Now knowing the URI template for the LRDD link relation, the
Webfinger client issues a request to the resource specified in the
template, replacing the template parameter with the target user's
"acct" URI. With consideration given to the XRD example above, the
complete URI to use to query for the user's Webfinger information
would be:

https://example.com/lrdd/?uri=acct%3Abob%40example.com

When performing this query, another XRD document will be returned.
This document contains the link relations that are specific to the
target user.

Purely for illustrative purposes, consider the following document:

<?xml version="1.0" encoding="UTF-8"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>acct:bob@example.com</Subject>
  <Link rel="http://webfinger.net/rel/avatar"
        href="http://example.com/bob/images/avatar.jpg"/>
  <Link rel="blog"
        href="http://example.net/bob/blog/"/>
  <Link rel="vcard"
        href="http://example.com/bob/vcard.vcf"/>
  <Link rel="http://specs.openid.net/auth/2.0/provider"
        href="https://openid.example.com/bob"/>
  <Link rel="share" href="http://example.com/bob/public/"/>
  <Link rel="http://webfinger.net/rel/profile-page"
        href="http://example.com/bob/profile/"/>
</XRD>

This document provides links to locations that include an avatar, a
blog, a vCard, an identity provider, a public file share, and the
user's profile page. Each of these link relations needs to be fully
specified, but the definition of link relations is outside the scope
of this document.

What software does with this information is also outside the scope of
this document.

5. Support for the JSON Resource Descriptor (JRD)

The JRD representation uses the JSON format, elements and processing
rules defined in RFC 4627 [3]. Servers that support Webfinger queries
MUST support the JRD representation as defined in Appendix A of [8].

6. Support for Cross-Origin Resource Sharing

Webfinger is most useful when it is accessible without restrictions
on the Internet, and that includes web browsers. Therefore, servers
that support the Webfinger protocol MUST support Cross-Origin

draft-jones-appsawg-webfinger-01.txt:

1. Introduction

There is a utility found on UNIX systems called "finger" [14] that
allows a person to access information about another person. The
information being queried might be on a computer anywhere in the
world. The information returned via "finger" is simply a plain text
file that contains unstructured information provided by the queried
user.

Webfinger borrows the concept of the legacy finger protocol, but
introduces a very different approach to sharing information. Rather
than returning a simple unstructured text file, Webfinger uses
structured documents that contain link relations. These link
relations point to information a user or entity on the Internet
wishes to expose. For a person, the kinds of information that might
be exposed include a personal profile address, identity service,
telephone number, or preferred avatar. Webfinger may also be used to
learn information about objects on the network, such as the amount of
toner in a printer or the physical location of a server.

Information returned via Webfinger might be for direct human
consumption (e.g., another user's phone number) or it might be used
by systems to help carry out some operation (e.g., facilitate logging
into a web site by determining a user's identification service).

2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [1].

"SHOULD", "SHOULD NOT", "RECOMMENDED", and "NOT RECOMMENDED" are
appropriate when valid exceptions to a general requirement are known
to exist or appear to exist, and it is infeasible or impractical to
enumerate all of them. However, they should not be interpreted as
permitting implementors to fail to implement the general requirement
when such failure would result in interoperability failure.

Webfinger makes heavy use of "Link Relations". Briefly, a Link
Relation is an attribute and value pair used on the Internet wherein
the attribute identifies the type of link to which the associated
value refers. In Hypertext Transfer Protocol (HTTP) [2] and Web
Linking [3], the attribute is a "rel" and the value is an "href".

3. Example Uses of Webfinger

In this section, we describe just a few sample uses for Webfinger and
show what the protocol looks like. This is not an exhaustive list of
possible uses and the entire section should be considered non-
normative. The list of potential use cases is virtually unlimited
since a user can share any kind of machine-consumable information via
Webfinger.

3.1. Locating a User's Blog

Assume you receive an email from Bob and he refers to something he
posted on his blog, but you do not know where Bob's blog is located.
It would be simple to discover the address of Bob's blog if he makes
that information available via Webfinger.

Let's assume your email client discovers that blog automatically for
you. When you receive the message from Bob (bob@example.com), your
email client performs the following steps behind the scenes.

First, it tries to get the host metadata [9] information for the
domain example.com. It does this by issuing the following HTTPS
query to example.com:

GET /.well-known/host-meta HTTP/1.1
Host: example.com

The server replies with an XRD [8] document:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: application/xrd+xml; charset=UTF-8

<?xml version="1.0" encoding="UTF-8"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Link rel="lrdd"
        type="application/xrd+xml"
        template="https://example.com/lrdd/?uri={uri}"/>
</XRD>

The client then processes the received XRD in accordance with the Web
Host Metadata [9] procedures. The client will see the LRDD link
relation and issue a query with the user's account URI [5]. (The
account URI is discussed in Section 5.) The query might look like
this:

GET /lrdd/?uri=acct%3Abob%40example.com HTTP/1.1
Host: example.com

The server might then respond with a message like this:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: application/xrd+xml; charset=UTF-8

<?xml version="1.0" encoding="UTF-8"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>acct:bob@example.com</Subject>
  <Link rel="http://webfinger.net/rel/avatar"
        href="http://www.example.com/~bob/bob.jpg"/>
  <Link rel="http://webfinger.net/rel/profile-page"
        href="http://www.example.com/~bob/"/>
  <Link rel="blog"
        href="http://blogs.example.com/bob/"/>
</XRD>

The email client might take note of the "blog" link relation in the
above XRD document that refers to Bob's blog. This URL would then be
presented to you so that you could then visit his blog.

The email client might also note that Bob has published an avatar
link relation and use that picture to represent Bob inside the email
client.

3.2. Retrieving a Person's Contact Information

Assume you have Alice in your address book, but her phone number
appears to be invalid. You could use Webfinger to find her current
phone number and update your address book.

Let's assume you have a web-based address book that you wish to
update. When you instruct the address book to pull Alice's current
contact information, the address book might issue a query like this
to get host metadata information for example.com:

GET /.well-known/host-meta.json HTTP/1.1
Host: example.com

Note the address book is looking for a JSON [4] representation,
whereas we used XML in the previous example.

The server might reply with something like this:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=UTF-8

{
  "links" :
  [
    {
      "rel" : "lrdd",
      "type" : "application/json",
      "template" :
        "https://example.com/lrdd/?format=json&uri={uri}"
    }
  ]
}

The client processes the response as described in RFC 6415 [9]. It
will process the LRDD link relation using Alice's account URI by
issuing this query:

GET /lrdd/?format=json&uri=acct%3Aalice%40example.com HTTP/1.1
Host: example.com

The server might return a response like this:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=UTF-8

{
  "subject" : "acct:alice@example.com",
  "links" :
  [
    {
      "rel" : "http://webfinger.net/rel/avatar",
      "href" : "http://example.com/~alice/alice.jpg"
    },
    {
      "rel" : "vcard",
      "href" : "http://example.com/~alice/alice.vcf"
    }
  ]
}

With this response, the address book might see the vcard [16] link
relation and use that file to offer you updated contact information.

3.3. Simplifying the Login Process

OpenID (http://www.openid.net) is great for allowing users to log
into a web site, though one criticism is that it is challenging for
users to remember the URI they are assigned. Webfinger can help
address this issue by allowing users to use user@domain-style
addresses. Using a user's account URI, a web site can perform a
query to discover the associated OpenID identifier for a user.

Let's assume Carol is trying to use OpenID to log into a blog. The
blog server might issue the following query to get the host metadata
information:

GET /.well-known/host-meta.json HTTP/1.1
Host: example.com

The response that comes back is similar to the previous example:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=UTF-8

{
  "links" :
  [
    {
      "rel" : "lrdd",
      "type" : "application/json",
      "template" :
        "https://example.com/lrdd/?format=json&uri={uri}"
    }
  ]
}

The blog server processes the response as described in RFC 6415. It
will process the LRDD link relation using Carol's account URI by
issuing this query:

GET /lrdd/?format=json&uri=acct%3Acarol%40example.com HTTP/1.1
Host: example.com

The server might return a response like this:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=UTF-8

{
  "subject" : "acct:carol@example.com",
  "links" :
  [
    {
      "rel" : "http://webfinger.net/rel/avatar",
      "href" : "http://example.com/~carol/carol.jpg"
    },
    {
      "rel" : "http://specs.openid.net/auth/2.0/provider",
      "href" : "https://openid.example.com/carol"
    }
  ]
}

At this point, the blog server knows that Carol's OpenID identifier
is https://openid.example.com/carol and could then proceed with the
login process as usual.

3.4. Retrieving Device Information

While the examples thus far have been focused on information about
humans, Webfinger does not limit queries to only those that use the
account URI scheme. Let's suppose there are devices on the network
like printers and you would like to check the current toner level for
a particular printer identified via the URI device:p1.example.com.

Following procedures similar to those above, a query may be issued
to get link relations specific to this URI like this:

GET /lrdd/?format=json&uri=device%3Ap1.example.com HTTP/1.1
Host: example.com

The link relations that are returned may be quite different than
those for human users. Perhaps we may see a response like this:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=UTF-8

{
  "subject" : "device:p1.example.com",
  "links" :
  [
    {
      "rel" : "tipsi",
      "href" : "http://192.168.1.5/npap/"
    }
  ]
}

While this example is entirely fictitious, you can imagine that
perhaps the Transport Independent, Printer/System Interface [18] may
be enhanced with a web interface that allows a device that
understands the TIP/SI web interface specification to query the
printer for toner levels.
4. Webfinger Protocol
Webfinger does not actually introduce a new protocol, per se.
Rather, it builds upon the existing Web Host Metadata [9]
specification and leverages the Cross-Origin Resource Sharing (CORS)
[7] specification.
4.1. Performing a Webfinger Query
The first step a client must perform in executing a Webfinger query
is to query for the host metadata using HTTPS or HTTP. The
procedures are defined in the Web Host Metadata [9] specification.
Webfinger clients MUST locate the LRDD link relation, if present, and
perform a query using that link relation's template. All other link
templates found must be processed to form a complete resource
descriptor. The processing rules in Section 4.2 of RFC 6415 MUST be
followed.
Webfinger servers MUST accept requests for both XRD [8] and JRD [9]
documents. The default representation returned by the server MUST be
an XRD document, but a JRD document MUST be returned if the client
explicitly requests it by using /.well-known/host-meta.json or
includes an Accept header in the HTTP request with a type of
"application/json" [4].
If the client requests a JRD document when querying for host
metadata, the Webfinger server can assume that the client will want a
JRD document when querying the LRDD resource. As such, when the
Webfinger server returns a JRD document containing host metadata it
should include a URI for an LRDD resource that can return a JRD
document and MAY include a URI for an LRDD resource that will return
an XRD document.
If the client queries the LRDD resource and provides a URI for which
the server has no information, the server MUST return a 404 status
code. Likewise, any query to a URI in the resource descriptor that
is unknown to the server should result in the server returning a 404
status code.
4.2. The Web Host Metadata "resource" Parameter
In addition to the normal processing logic for processing host
metadata information, Webfinger defines the "resource" parameter for
querying for host metadata and returning all of the link relations
from LRDD and other resource-specific link templates in a single
query. This parameter essentially pushes the work to the server to
form a complete resource descriptor for the specified resource.
Note that support for the "resource" parameter is optional, but
strongly recommended for improved performance. If a server does not
implement the "resource" parameter, then the server's host metadata
processing logic remains unchanged from RFC 6415.
To utilize the host-meta "resource" parameter, a Webfinger client
issues a request to /.well-known/host-meta or /.well-known/host-
meta.json as usual, but then appends a "resource" parameter as shown
in this example:
GET /.well-known/host-meta.json?resource=\
acct%3Abob%40example.com HTTP/1.1
Host: example.com
Note that the "\" character shown above is to indicate that the line
breaks at this point and continues on the next line. This was shown
only to avoid line wrapping in this document and is not a part of the
HTTP protocol.
When processing this request, the Webfinger server MUST
* Return a 404 status code if the URI provided in the resource
parameter is unknown to the server; and
* Set the "Subject" returned in the response to the value of the
"resource" parameter if the URI provided in the resource
parameter is known to the server
The Webfinger client can verify support for the "resource" parameter
by checking the value of the Subject returned in the response. If
the Subject matches the value of the "resource" parameter, then the
"resource" parameter is supported by the server.
For illustrative purposes, the following is an example usage of the
"resource" parameter that aligns with the example in Section 1.1.1 of
RFC 6415. The Webfinger client would issue this request:
GET /.well-known/host-meta.json?resource=\
http%3A%2F%2Fexample.com%2Fxy HTTP/1.1
Host: example.com
The Webfinger server would reply with this response:
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=UTF-8
{
"subject" : "http://example.com/xy",
"properties" :
{
"http://spec.example.net/color" : "red"
},
"links" :
[
{
"rel" : "hub",
"href" : "http://example.com/hub"
},
{
"rel" : "hub",
"href" : "http://example.com/another/hub"
},
{
"rel" : "author",
"href" : "http://example.com/john"
},
{
"rel" : "author",
"template" : "http://example.com/author?\
q=http%3A%2F%2Fexample.com%2Fxy"
}
]
}
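The client side of Sections 4.1 and 4.2 (and of the walkthroughs in Section 3), as an added example that is not code from the draft: it builds the account URI, picks the LRDD link relation out of a JRD host-meta document, expands {uri} with percent-encoding, fetches the descriptor, and detects "resource" parameter support through the Subject, exactly as the section describes. The server responses are constructed inline to mirror the draft's examples; fake_server and legacy_server stand in for an HTTPS GET against example.com. The https-only check on the template and the Subject check on the two-step LRDD response are this example's own additions, since the draft allows host-meta to be fetched over plain HTTP.

```python
import json
from urllib.parse import quote, urlsplit, parse_qs

# Constructed host-meta JRD for example.com, modelled on the draft's examples.
HOST_META_JRD = json.dumps({
    "links": [
        {"rel": "lrdd", "type": "application/json",
         "template": "https://example.com/lrdd/?format=json&uri={uri}"}
    ]
})

# Constructed LRDD descriptors, keyed by account URI (only Alice is known).
LRDD_JRDS = {
    "acct:alice@example.com": json.dumps({
        "subject": "acct:alice@example.com",
        "links": [
            {"rel": "http://webfinger.net/rel/avatar",
             "href": "http://example.com/~alice/alice.jpg"},
            {"rel": "vcard", "href": "http://example.com/~alice/alice.vcf"},
        ],
    }),
}


def to_acct_uri(identifier):
    """Section 5.1: the client, never the user, supplies the "acct:" prefix."""
    return identifier if identifier.startswith("acct:") else "acct:" + identifier


def expand_template(template, uri):
    """Fill the LRDD template's {uri} with the percent-encoded account URI."""
    return template.replace("{uri}", quote(uri, safe=""))


def lrdd_template(host_meta_json, want_type="application/json"):
    """Select the LRDD link relation from a JRD host-meta document."""
    doc = json.loads(host_meta_json)
    links = [l for l in doc.get("links", [])
             if l.get("rel") == "lrdd" and "template" in l]
    typed = [l for l in links if l.get("type") == want_type]
    if not (typed or links):
        raise ValueError("host-meta has no lrdd link relation")
    template = (typed or links)[0]["template"]
    # Added check: the draft lets host-meta arrive over plain HTTP, so refuse
    # a template that would send the account URI over anything but https.
    if urlsplit(template).scheme != "https":
        raise ValueError("refusing non-https lrdd template: " + template)
    return template


def fake_server(url):
    """Stand-in for an HTTPS GET against example.com; returns (status, body).
    Unknown resources get 404, as Section 4.1 requires of a Webfinger server."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if parts.path == "/lrdd/":
        uri = query.get("uri", [None])[0]
        return (200, LRDD_JRDS[uri]) if uri in LRDD_JRDS else (404, "")
    if parts.path == "/.well-known/host-meta.json":
        resource = query.get("resource", [None])[0]
        if resource is None:
            return 200, HOST_META_JRD
        # Section 4.2: with "resource", the server returns the complete
        # descriptor with Subject set to the resource, or 404 if unknown.
        return (200, LRDD_JRDS[resource]) if resource in LRDD_JRDS else (404, "")
    return 404, ""


def legacy_server(url):
    """A server that predates the "resource" parameter: it ignores the query."""
    return fake_server("https://example.com" + urlsplit(url).path)


def resolve(identifier, fetch=fake_server):
    """Two-step query: host-meta, then the LRDD resource. Returns the JRD."""
    uri = to_acct_uri(identifier)
    domain = uri.rsplit("@", 1)[1]
    status, body = fetch("https://%s/.well-known/host-meta.json" % domain)
    if status != 200:
        raise LookupError("no host-meta for " + domain)
    status, body = fetch(expand_template(lrdd_template(body), uri))
    if status == 404:
        raise LookupError("unknown account " + uri)
    doc = json.loads(body)
    # Added check: a descriptor whose Subject is not the queried URI says
    # nothing about that account.
    if doc.get("subject") != uri:
        raise ValueError("descriptor subject %r is not %r" % (doc.get("subject"), uri))
    return doc


def resolve_with_resource_param(identifier, fetch=fake_server):
    """Section 4.2 single-query form. Returns (JRD, server_supports_resource)."""
    uri = to_acct_uri(identifier)
    domain = uri.rsplit("@", 1)[1]
    status, body = fetch("https://%s/.well-known/host-meta.json?resource=%s"
                         % (domain, quote(uri, safe="")))
    if status == 404:
        raise LookupError("unknown account " + uri)
    doc = json.loads(body)
    # Support is detected as the draft says: Subject equals the resource value.
    return doc, doc.get("subject") == uri


def hrefs(doc, rel):
    """All href values for one link relation in a JRD."""
    return [l["href"] for l in doc.get("links", [])
            if l.get("rel") == rel and "href" in l]
```

resolve() surfaces the server's 404 as a LookupError so a caller can tell "unknown account" apart from a malformed or off-host descriptor; resolve_with_resource_param() returns the support flag rather than failing, because a server that ignores "resource" still answers with ordinary host metadata that the two-step path can use.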
5. The "acct" URI
The Web Host Metadata specification [9] allows for any kind of
resource to be queried, but Webfinger defines a specific type of
resource in order to query information about a human user.
Specifically, Webfinger uses the "acct" URI to refer to a human
user's account on the Internet.
5.1. Using the "acct" URI
The "acct" URI takes a familiar form in looking like an email
address. However, the account URI is not an email address and should
not be mistaken for one. Quite often, the account URI minus the
"acct:" scheme prefix may be exactly the same as the user's email
address.
A user MUST NOT be required to enter the "acct" URI scheme name along
with his account identifier into any Webfinger client. Rather, the
Webfinger client MUST accept identifiers that are void of the "acct:"
portion of the identifier. Composing a properly formatted "acct" URI
is the responsibility of the Webfinger client.
A user MAY provide a fully-specified "acct" URI.
5.2. Syntax of "acct" URI
The "acct" URI syntax is defined here in Augmented Backus-Naur Form
(ABNF) [6] and borrows syntax elements from RFC 3986 [5]:
acctURI = "acct:" userpart "@" domainpart
userpart = 1*( unreserved / pct-encoded )
domainpart = domainlabel 1*( "." domainlabel)
domainlabel = alphanum / alphanum *( alphanum / "-" ) alphanum
alphanum = ALPHA / DIGIT
The "acct" URI scheme allows any character from the Unicode [11]
character set encoded as a UTF-8 [19] string that is then percent-
encoded as necessary into valid ASCII [20]. Characters in the
domainpart must be encoded to support internationalized domain names
(IDNs) [12].
Characters in the userpart or domainpart that are not unreserved must
be percent-encoded when used in a protocol or document that only
supports or requires ASCII. When carried in a document (e.g., XRD or
JRD) or protocol that supports the Unicode character set (e.g., UTF-8
or UTF-16 [21]), the URI strings may appear in the protocol or
document's native encoding without percent-encoding. Such usage of a
URI is commonly referred to as an Internationalized Resource
Identifier (IRI). Conversion between an IRI and URI is described in
Section 3 of RFC 3987 [13].
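As an added illustration (not code from the draft), the following Python composes, validates and parses "acct" URIs according to the ABNF above and the Section 5.1 rule that the client, not the user, supplies the scheme. The IDNA step uses Python's built-in idna codec, which is an assumption standing in for the RFC 5891 processing the text references.

```python
import re
from urllib.parse import quote, unquote

# Added example, not code from the draft: compose, validate and parse "acct"
# URIs per the ABNF of Section 5.2, applying the Section 5.1 rule that a
# client must accept a bare user@host identifier and add the scheme itself.

UNRESERVED = "-._~"       # plus ALPHA / DIGIT, RFC 3986 section 2.3
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"        # domainlabel
ACCT_RE = re.compile(
    r"^acct:(?P<user>(?:[A-Za-z0-9\-._~]|%[0-9A-Fa-f]{2})+)"   # userpart
    r"@(?P<domain>" + LABEL + r"(?:\." + LABEL + r")+)$")      # domainpart

def compose_acct_uri(identifier):
    """Turn what a user typed into a valid acct URI, or raise ValueError.
    A fully specified "acct:" URI is taken as given (but still validated);
    anything else is treated as a raw, unencoded user@host identifier."""
    if identifier.lower().startswith("acct:"):
        uri = "acct:" + identifier[5:]
    else:
        if "@" not in identifier:
            raise ValueError("identifier has no @: %r" % identifier)
        user, domain = identifier.rsplit("@", 1)
        # userpart: UTF-8, then percent-encode everything not unreserved
        user = quote(user, safe=UNRESERVED, encoding="utf-8")
        # domainpart: non-ASCII labels become A-labels.  Python's codec is
        # IDNA2003, assumed close enough here to the RFC 5891 rules cited.
        domain = domain.encode("idna").decode("ascii")
        uri = "acct:%s@%s" % (user, domain)
    if not ACCT_RE.match(uri):
        raise ValueError("not a valid acct URI: %r" % uri)
    return uri

def parse_acct_uri(uri):
    """Split a valid acct URI into (decoded userpart, domainpart)."""
    m = ACCT_RE.match(uri)
    if not m:
        raise ValueError("not a valid acct URI: %r" % uri)
    return unquote(m.group("user"), encoding="utf-8"), m.group("domain")
```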
6. The "acct" Link Relation
Users of some services might have an acct URI that looks
significantly different from their email address, perhaps using
entirely different domain names. It may be useful to allow the
mapping of an assumed account identifier to the correct account
identifier.
Some users may also hold several different accounts and want others
to be able to find information distributed across those accounts.
To accomplish either of these two objectives, one uses the "acct"
link relation. Consider the following example.
Suppose Alice receives an email from bob@example.net. While Bob's
email identifier might be in the example.net domain, he holds his
account with an acct URI in the example.com domain. His email
provider may provide Webfinger services to enable redirecting Alice
when she queries for acct:bob@example.net.
Suppose Alice issues the following request:
GET /.well-known/host-meta.json?resource=\
acct%3Abob%40example.net HTTP/1.1
Host: example.net
The response that Alice receives back might be:
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=UTF-8
{
"subject" : "acct:bob@example.net",
"links" :
[
{
"rel" : "acct",
"href" : "acct:bob@example.com"
}
]
}
Alice's Webfinger client could then perform another query against the
URI acct:bob@example.com in order to get the information she is
seeking.
Webfinger clients need to take steps to avoid getting into loops
where two accounts, directly or indirectly, refer the client to each
other.
There are no limits on the number of acct link relations that might
be returned in a Webfinger query.
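The referral above and the loop caveat, as an added example that is not code from the draft: a client that follows "acct" link relations against constructed JRD responses, never querying the same account twice and capping the total number of queries. The https scheme and the in-memory fetch function are assumptions for the illustration.

```python
from urllib.parse import quote

# Added example, not code from the draft: follow "acct" link relations as in
# Section 6 while guarding against accounts that refer the client to each
# other, directly or indirectly.

def webfinger_query_url(acct_uri):
    """Build the host-meta.json query from Section 6 for an acct URI."""
    if not acct_uri.startswith("acct:") or "@" not in acct_uri:
        raise ValueError("expected an acct URI, got %r" % acct_uri)
    host = acct_uri.rsplit("@", 1)[1]
    # The resource value is fully percent-encoded ("acct:" -> "acct%3A").
    return "https://%s/.well-known/host-meta.json?resource=%s" % (
        host, quote(acct_uri, safe=""))

def resolve_acct(start_uri, fetch, max_queries=8):
    """Return {acct URI: JRD} for every account reachable via "acct" links.
    fetch(url) gives the parsed JRD dict or None.  No URI is queried twice
    (breaks referral loops) and the query count is capped (endless chains)."""
    seen, todo, found = set(), [start_uri], {}
    while todo:
        uri = todo.pop(0)
        if uri in seen:
            continue                          # loop: already queried
        if len(seen) >= max_queries:
            raise RuntimeError("more than %d referrals" % max_queries)
        seen.add(uri)
        jrd = fetch(webfinger_query_url(uri))
        if jrd is None:
            continue
        found[uri] = jrd
        for link in jrd.get("links", []):
            href = link.get("href", "")
            if link.get("rel") == "acct" and href.startswith("acct:"):
                todo.append(href)
    return found

# Constructed sample responses (not from the draft), keyed by query URL:
# bob@example.net refers to bob@example.com, which refers straight back.
SAMPLE = {
    webfinger_query_url("acct:bob@example.net"): {
        "subject": "acct:bob@example.net",
        "links": [{"rel": "acct", "href": "acct:bob@example.com"}]},
    webfinger_query_url("acct:bob@example.com"): {
        "subject": "acct:bob@example.com",
        "links": [{"rel": "acct", "href": "acct:bob@example.net"}]}}

def sample_fetch(url):
    return SAMPLE.get(url)
```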
7. Cross-Origin Resource Sharing (CORS)
Webfinger is most useful when it is accessible without restrictions
on the Internet, and that includes web browsers. Therefore,
Webfinger servers MUST support Cross-Origin Resource Sharing (CORS)
[7]. Specifically, all queries to /.well-known/host-meta,
/.well-known/host-meta.json, and to the LRDD URI must include the
following HTTP header in the response:
Access-Control-Allow-Origin: *
QUESTION: Do we want to require CORS? Do we want to make it a
SHOULD? Or, do we want to say nothing about CORS?
8. Security Considerations
All of the security considerations applicable to Web Host Metadata
[9] and Cross-Origin Resource Sharing [7] are also applicable to this
specification. Of particular importance is the recommended use of
HTTPS to ensure that information is not modified during transit.
Clients should verify that the certificate used on an HTTPS
connection is valid.
When using HTTP to request an XRD document, Webfinger clients SHOULD
verify the XRD document's signature, if present, to ensure that the
XRD document has not been modified. Webfinger servers SHOULD include
a signature for XRD documents.
Service providers and users should be aware that placing information
on the Internet accessible through Webfinger means that any user can
access that information. While Webfinger can be an extremely useful
tool for allowing quick and easy access to one's avatar, blog, or
other personal information, users should understand the risks, too.
If one does not wish to share certain information with the world, do
not allow that information to be accessible through Webfinger.
The easy access to user information via Webfinger was a design goal
of the protocol, not a limitation. If one wishes to limit access to
information available via Webfinger, such as a Webfinger server for
use inside a corporate network, the network administrator must take
measures necessary to limit access from outside the network.
9. IANA Considerations
RFC Editor: Please replace QQQQ in the following two sub-sections
with a reference to this RFC.
9.1. Registration of the "acct" URI scheme name
This specification requests IANA to register the "acct" URI scheme in
the "Permanent URI Schemes" sub-registry in the "Uniform Resource
Identifier (URI) Schemes" IANA registry [17]. This registration
follows the URI Scheme Registration Template detailed in Section 5.4
of RFC 4395 [15].
URI scheme name: acct
Status: Permanent
URI scheme syntax: see Section 4.1 of RFC QQQQ
URI scheme semantics: see Section 4.1 of RFC QQQQ
Encoding considerations: The "acct" URI scheme allows any character
from the Unicode character set encoded as a UTF-8 string that is
then percent-encoded as necessary to result in an internal
representation in US-ASCII [10]
Applications/protocols that use this URI scheme name: Webfinger
Security considerations: see Section 7 of RFC QQQQ
Contact: Gonzalo Salgueiro <gsalguei@cisco.com>
Author/Change controller: IETF <ietf@ietf.org>
References: See Section 10 of RFC QQQQ
9.2. Registration of the "acct" Link Relation Type
Relation Name: acct
Description: A link relation that refers to a user's Webfinger
account identifier.
Reference: RFC QQQQ
Notes:
Application Data:
10. Acknowledgments
The authors would like to acknowledge Eran Hammer-Lahav, Blaine Cook,
Brad Fitzpatrick, and Laurent-Walter Goix for their invaluable input.
11. References
11.1. Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[2] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L.,
Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol --
HTTP/1.1", RFC 2616, June 1999.
[3] Nottingham, M., "Web Linking", RFC 5988, October 2010.
[4] Crockford, D., "The application/json Media Type for JavaScript
Object Notation (JSON)", RFC 4627, July 2006.
[5] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource
Identifier (URI): Generic Syntax", STD 66, RFC 3986, January 2005.
[6] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, January 2008.
[7] Van Kesteren, A., "Cross-Origin Resource Sharing", W3C CORS,
<http://www.w3.org/TR/cors/>, July 2010.
[8] Hammer-Lahav, E. and W. Norris, "Extensible Resource Descriptor
(XRD) Version 1.0",
<http://docs.oasis-open.org/xri/xrd/v1.0/xrd-1.0.html>.
[9] Hammer-Lahav, E. and B. Cook, "Web Host Metadata", RFC 6415,
October 2011.
[10] American National Standards Institute, "Coded Character Set -
7-bit American Standard Code for Information Interchange", ANSI
X3.4, 1986.
[11] The Unicode Consortium, "The Unicode Standard, Version 6.1.0",
Mountain View, CA: The Unicode Consortium, 2012, ISBN
978-1-936213-02-3, <http://www.unicode.org/versions/Unicode6.1.0/>.
[12] Klensin, J., "Internationalized Domain Names in Applications
(IDNA): Protocol", RFC 5891, August 2010.
[13] Duerst, M., "Internationalized Resource Identifiers (IRIs)",
RFC 3987, January 2005.
11.2. Informative References
[14] Zimmerman, D., "The Finger User Information Protocol", RFC
1288, December 1991.
[15] Hansen, T., Hardie, T., and L. Masinter, "Guidelines and
Registration Procedures for New URI Schemes", BCP 35, RFC 4395,
February 2006.
[16] Perreault, S., "vCard Format Specification", RFC 6350, August
2011.
[17] Internet Assigned Numbers Authority (IANA) Registry, "Uniform
Resource Identifier (URI) Schemes",
<http://www.iana.org/assignments/uri-schemes.html>.
[18] IEEE, "Transport Independent, Printer/System Interface", IEEE
Std 1284.1-1997, 1997.
[19] Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC
2279, November 2003.
[20] American National Standards Institute, "Information Systems --
Coded Character Sets 7-Bit American National Standard Code for
Information Interchange (7-Bit ASCII)", ANSI X3.4-1986, December 30,
1986.
[21] Hoffman, P. and F. Yergeau, "UTF-16, an encoding of ISO 10646",
RFC 2781, February 2000.
Author's Addresses
Paul E. Jones
Cisco Systems, Inc.
7025 Kit Creek Rd.
Research Triangle Park, NC 27709
USA
Phone: +1 919 476 2048
Email: paulej@packetizer.com
Gonzalo Salgueiro
Cisco Systems, Inc.
7025 Kit Creek Rd.
Research Triangle Park, NC 27709
USA
Phone: +1 919 392 3266
Email: gsalguei@cisco.com
IM: xmpp:gsalguei@cisco.com
Joseph Smarr
Google
ADDRESS
Phone: PHONE
Email: jsmarr@google.com
End of changes. 82 change blocks. 229 lines changed or deleted, 592 lines changed or added.
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/