draft-ietf-appsawg-webfinger-04.txt   draft-ietf-appsawg-webfinger-05.txt 
Network Working Group Paul E. Jones Network Working Group Paul E. Jones
Internet Draft Gonzalo Salgueiro Internet Draft Gonzalo Salgueiro
Intended status: Standards Track Cisco Systems Intended status: Standards Track Cisco Systems
Expires: May 21, 2013 Joseph Smarr Expires: May 28, 2013 Joseph Smarr
Google Google
November 21, 2012 November 28, 2012
WebFinger WebFinger
draft-ietf-appsawg-webfinger-04.txt draft-ietf-appsawg-webfinger-05.txt
Abstract Abstract
This specification defines the WebFinger protocol, which can be used This specification defines the WebFinger protocol, which can be used
to discover information about people or other entities on the to discover information about people or other entities on the
Internet using standard HTTP methods. Internet using standard HTTP methods.
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 1, line 34 skipping to change at page 1, line 34
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 21, 2013. This Internet-Draft will expire on May 28, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction...................................................2 1. Introduction...................................................2
2. Terminology....................................................3 2. Terminology....................................................2
3. Overview.......................................................3 3. Overview.......................................................3
4. Example Use of WebFinger.......................................3 4. Example Use of WebFinger.......................................3
4.1. Locating a User's Blog....................................3 4.1. Locating a User's Blog....................................3
4.2. Auto-Configuration of Email Clients.......................5 4.2. Identity Provider Discovery for OpenID Connect............5
4.3. Retrieving Device Information.............................7 4.3. Auto-Configuration of Email Clients.......................6
4.4. Retrieving Device Information.............................7
5. WebFinger Protocol.............................................8 5. WebFinger Protocol.............................................8
5.1. Performing a WebFinger Query..............................8 5.1. Performing a WebFinger Query..............................8
5.2. The JSON Resource Descriptor (JRD) Document...............9 5.2. The JSON Resource Descriptor (JRD) Document...............9
5.3. The "rel" Parameter.......................................9 5.3. The "rel" Parameter.......................................9
5.4. WebFinger and URIs.......................................11 5.4. WebFinger and URIs.......................................11
6. Cross-Origin Resource Sharing (CORS)..........................12 6. Cross-Origin Resource Sharing (CORS)..........................12
7. Controlling Access to Information.............................12 7. Access Control................................................12
8. Hosted WebFinger Services.....................................13 8. Hosted WebFinger Services.....................................12
9. Security Considerations.......................................14 9. Security Considerations.......................................13
10. IANA Considerations..........................................15 10. IANA Considerations..........................................14
11. Acknowledgments..............................................16 11. Acknowledgments..............................................15
12. References...................................................16 12. References...................................................15
12.1. Normative References....................................16 12.1. Normative References....................................15
12.2. Informative References..................................16 12.2. Informative References..................................16
Author's Addresses...............................................17 Author's Addresses...............................................17
1. Introduction 1. Introduction
There is a utility found on UNIX systems called "finger" [12] that WebFinger is used to discover information about people or other
allows a person to access information about another person or entity entities on the Internet using standard HTTP [2] methods. The
that has a UNIX account. The information queried might be on the WebFinger server returns a structured document that contains link
same computer or a computer anywhere in the world. What is returned relations, properties, and/or other information that is suitable for
via "finger" is a plain text file that contains unstructured automated processing. For a person, the kinds of information that
information provided by the queried user, stored in a file named might be shared via WebFinger include a personal profile address,
.plan in the user's home directory. identity service, telephone number, or preferred avatar. For other
entities on the Internet, the server might return documents
Like the finger command, WebFinger can be used to discover containing link relations that allow a client to discover the amount
information about people or other entities on the Internet. However, of toner in a printer or the physical location of a server.
unlike the legacy finger command, WebFinger uses standard HTTP [2]
methods and utilizes a structured document that contains link
relations that are suitable for automated processes. These link
relations point to information and might return properties related to
information a user or entity on the Internet wishes to share. For a
person, the kinds of information that might be shared include a
personal profile address, identity service, telephone number, or
preferred avatar. WebFinger may also be used to discover information
about other entities on the Internet, such as the amount of toner in
a printer or the physical location of a server.
Information returned via WebFinger might be for direct human Information returned via WebFinger might be for direct human
consumption (e.g., another user's phone number) or it might be used consumption (e.g., looking up someone's phone number), or it might be
by systems to help carry out some operation (e.g., facilitate logging used by systems to help carry out some operation (e.g., facilitate
into a web site by determining a user's identity service). logging into a web site by determining a user's identity service).
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [1]. document are to be interpreted as described in RFC 2119 [1].
WebFinger makes heavy use of "Link Relations". Briefly, a Link WebFinger makes heavy use of "Link Relations". Briefly, a Link
Relation is an attribute and value pair used on the Internet wherein Relation is an attribute and value pair used on the Internet wherein
the attribute identifies the type of link to which the associated the attribute identifies the type of link to which the associated
skipping to change at page 3, line 40 skipping to change at page 3, line 29
Notation (JSON) [5] Resource Descriptor (JRD) document [11] Notation (JSON) [5] Resource Descriptor (JRD) document [11]
containing link relations. The request MUST include the URI or IRI containing link relations. The request MUST include the URI or IRI
[7] for the entity for which information is sought as a parameter [7] for the entity for which information is sought as a parameter
named "resource". named "resource".
Use of WebFinger is illustrated in the examples in Section 4, then Use of WebFinger is illustrated in the examples in Section 4, then
described more formally in Section 5. described more formally in Section 5.
4. Example Use of WebFinger 4. Example Use of WebFinger
In this section, we show a few samples using WebFinger so you can see This non-normative section shows a few sample uses of WebFinger.
what the protocol looks like. This is not an exhaustive list of
possible uses and the entire section is non-normative.
4.1. Locating a User's Blog 4.1. Locating a User's Blog
Assume you receive an email from Bob and he refers to something he Assume you receive an email from Bob and he refers to something he
posted on his blog, but you do not know where Bob's blog is located. posted on his blog, but you do not know where Bob's blog is located.
It would be simple to discover the address of Bob's blog if he makes It would be simple to discover the address of Bob's blog if he makes
that information available via WebFinger. that information available via WebFinger.
Let's assume your email client can discover the blog for you. After Assume your email client can discover the blog for you. After
receiving the message from Bob (bob@example.com), you instruct your receiving the message from Bob (bob@example.com), you instruct your
email client to perform a WebFinger query. It does so by issuing the email client to perform a WebFinger query. It does so by issuing the
following HTTPS query to example.com: following HTTPS query to example.com:
GET /.well-known/webfinger? GET /.well-known/webfinger?
resource=acct%3Abob%40example.com HTTP/1.1 resource=acct%3Abob%40example.com HTTP/1.1
Host: example.com Host: example.com
The server might then respond with a message like this: The server might then respond with a message like this:
skipping to change at page 5, line 4 skipping to change at page 4, line 39
"titles" : "titles" :
{ {
"en-us" : "The Magical World of Bob", "en-us" : "The Magical World of Bob",
"fr" : "Le monde magique de Bob" "fr" : "Le monde magique de Bob"
} }
}, },
{ {
"rel" : "vcard", "rel" : "vcard",
"href" : "http://www.example.com/~bob/bob.vcf" "href" : "http://www.example.com/~bob/bob.vcf"
} }
] ]
} }
The email client would take note of the The email client would take note of the "blog" link relation in the
"http://packetizer.com/rel/blog" link relation in the above JRD above JRD document that refers to Bob's blog. This URL would then be
document that refers to Bob's blog. This URL would then be presented presented to you so that you could then visit his blog. The email
to you so that you could then visit his blog. The email client might client might also note that Bob has published an avatar link relation
also note that Bob has published an avatar link relation and use that and use that picture to represent Bob inside the email client.
picture to represent Bob inside the email client. Lastly, the client Lastly, the client might consider the vcard [14] link relation in
might consider the vcard [14] link relation in order to update order to update contact information for Bob.
contact information for Bob.
In the above example, an "acct" URI [8] is used in the query, though In the above example, an "acct" URI [8] is used in the query, though
any valid alias for the user might also be used. An alias is a URI any valid alias for the user might also be used. An alias is a URI
that is different from the "subject" URI that identifies the same that is different from the "subject" URI that identifies the same
entity. In the above example, there is one "http" alias returned, entity. In the above example, there is one "http" alias returned,
though there might have been more than one. Had the "http:" URI though there might have been more than one. Had the "http:" URI
shown as an alias been used to query for information about Bob, the shown as an alias been used to query for information about Bob, the
query would have appeared as: query would have appeared as:
GET /.well-known/webfinger? GET /.well-known/webfinger?
skipping to change at page 7, line 32 skipping to change at page 7, line 17
] ]
} }
In this example, you can see that the WebFinger server advertises an In this example, you can see that the WebFinger server advertises an
SMTP service and an IMAP service. In this example, the "href" SMTP service and an IMAP service. In this example, the "href"
entries associated with the link relation are absent. This is valid entries associated with the link relation are absent. This is valid
when there is no external reference that needs to be made. when there is no external reference that needs to be made.
4.4. Retrieving Device Information 4.4. Retrieving Device Information
As another example, let's suppose there are printers on the network As another example, suppose there are printers on the network and you
and you would like to check the current toner level for a particular would like to check the current toner level for a particular printer
printer identified via the URI device:p1.example.com. While the identified via the URI device:p1.example.com. While the "device" URI
"device" URI scheme is not presently specified, we use it here for scheme is not presently specified, we use it here for illustrative
illustrative purposes. purposes.
Following the procedures similar to those above, a query may be Following the procedures similar to those above, a query may be
issued to get link relations specific to this URI like this: issued to get link relations specific to this URI like this:
GET /.well-known/webfinger?resource= GET /.well-known/webfinger?resource=
device%3Ap1.example.com HTTP/1.1 device%3Ap1.example.com HTTP/1.1
Host: example.com Host: example.com
The link relations that are returned for a device may be quite The link relations that are returned for a device may be quite
different than those for user accounts. Perhaps we may see a different than those for user accounts. Perhaps we may see a
skipping to change at page 8, line 26 skipping to change at page 8, line 11
Transport Independent, Printer/System Interface [15] may be enhanced Transport Independent, Printer/System Interface [15] may be enhanced
with a web interface that allows a device that understands the TIP/SI with a web interface that allows a device that understands the TIP/SI
web interface specification to query the printer for toner levels. web interface specification to query the printer for toner levels.
5. WebFinger Protocol 5. WebFinger Protocol
WebFinger is a simple HTTP-based web service that utilizes the JSON WebFinger is a simple HTTP-based web service that utilizes the JSON
Resource Descriptor (JRD) document format and the Cross-Origin Resource Descriptor (JRD) document format and the Cross-Origin
Resource Sharing (CORS) [10] specification. Resource Sharing (CORS) [10] specification.
This specification defines URI parameters that are passed from the
client to the server when issuing a request. These parameters,
"resource" and "rel", and the parameter values are included in the
"query" component of the URI (see Section 3.4 of RFC 3986). To
construct the "query" component, the client performs the following
steps. First, each parameter value is percent-encoded as per Section
2.1 of RFC 3986. Next, the client constructs a string to be placed
in the query component by concatenating the name of the first
parameter together with an equal sign ("=") and the percent-encoded
parameter value. For any subsequent parameters, the client appends
an ampersand ("&") to the string, the name of the next parameter, an
equal sign, and percent-encoded parameter value. The client MUST NOT
insert any spaces while constructing the string. The order in which
the client places each parameter and its corresponding parameter
value is unspecified.
5.1. Performing a WebFinger Query 5.1. Performing a WebFinger Query
WebFinger clients issue queries to the well-known resource /.well- WebFinger clients issue queries to the well-known resource /.well-
known/webfinger. All queries MUST include the "resource" parameter known/webfinger. All queries MUST include the "resource" parameter
exactly once and set to the value of the URI for which information is exactly once and set to the value of the URI for which information is
being sought. If the "resource" parameter is absent or malformed, being sought. If the "resource" parameter is absent or malformed,
the WebFinger server MUST return a 400 status code. the WebFinger server MUST return a 400 status code.
Clients MUST first attempt a query the server using HTTPS and utilize Clients MUST first attempt a query the server using HTTPS and utilize
HTTP only if an HTTPS connection cannot be established. If the HTTPS HTTP only if an HTTPS connection cannot be established. If the HTTPS
server has an invalid certificate or returns an HTTP status code server has an invalid certificate or returns an HTTP status code
indicating some error, including a 4xx or 5xx, the client MUST NOT indicating some error, including a 4xx or 5xx, the client MUST NOT
use HTTP in attempt to complete the discovery. use HTTP in attempt to complete the discovery.
WebFinger servers MUST return JRD documents as the default WebFinger servers MUST return JRD documents as the default
representation for the resource. A client MAY include the "Accept" representation for the resource. A client MAY include the "Accept"
header to indicate a desired format, though no other format is header to indicate a desired representation, though no other
defined in this specification. For the JRD document, the media type representation is defined in this specification. For the JRD
is "application/json" [5]. document, the media type is "application/json" [5].
If the client queries the WebFinger server and provides a URI for If the client queries the WebFinger server and provides a URI for
which the server has no information, the server MUST return a 404 which the server has no information, the server MUST return a 404
status code. status code.
WebFinger servers MAY include cache validators in a response to WebFinger servers can include cache validators in a response to
enable conditional requests by clients and/or expiration times as per enable conditional requests by clients and/or expiration times as per
RFC 2616 section 13. RFC 2616 section 13.
5.2. The JSON Resource Descriptor (JRD) Document 5.2. The JSON Resource Descriptor (JRD) Document
The JSON Resource Descriptor (JRD) document is formally described in The JSON Resource Descriptor (JRD) document is formally described in
Appendix A of [11]. There is a RECOMMENDED order of JRD elements. Appendix A of [11]. There is a RECOMMENDED order of JRD elements.
Further, WebFinger requires some elements and some are optional. The Further, WebFinger requires some elements and some are optional. The
following list indicates the preferred order and comments on the following list indicates the preferred order and comments on the
presence or absence: presence or absence of elements:
o "expires" (element) is optional o "expires" (element) is optional
o "subject" (element) is required and MUST be the value of the o "subject" (element) is required and MUST be the value of the
"resource" parameter "resource" parameter
o "aliases" (array) is optional and absence or an empty array o "aliases" (array) is optional and absence or an empty array
are semantically the same are semantically the same
o "properties" (array) is optional and absence or an empty o "properties" (array) is optional and absence or an empty
array are semantically the same array are semantically the same
o "links" (array) is optional and absence or an empty array are o "links" (array) is optional and absence or an empty array are
semantically the same semantically the same
Any array elements within the "links" array are presented by the Array elements within the "links" array are presented by the server
server in order of preference. in order of preference.
The "links" array is comprised of several elements. As above, the The "links" array is comprised of several elements. As above, the
following list indicates the preferred order or elements within a following list indicates the preferred order or elements within a
link array element and comments on the presence or absence: "links" array element and comments on the presence or absence of
elements within the array:
o "rel" (element) is required o "rel" (element) is required
o "type" (element) is optional o "type" (element) is optional
o "href" (element) is optional o "href" (element) is optional
o "template" (element) is forbidden o "template" (element) is forbidden
o "titles" (array) is optional and absence or an empty array o "titles" (array) is optional and absence or an empty array
are semantically the same are semantically the same
o "properties" (array) is optional and absence or an empty o "properties" (array) is optional and absence or an empty
array are semantically the same array are semantically the same
Clients MUST ignore any unknown or forbidden elements received in the
JRD document.
5.3. The "rel" Parameter 5.3. The "rel" Parameter
WebFinger defines the "rel" parameter to request only a subset of the WebFinger defines the "rel" parameter to request only a subset of the
information that would otherwise be returned without the "rel" information that would otherwise be returned without the "rel"
parameter. When the "rel" parameter is used, only the link relations parameter. When the "rel" parameter is used, only the link relations
that match the link relations provided via "rel" are included in the that match the link relations provided via "rel" are included in the
array of links returned in the JSON Resource Descriptor document. array of links returned in the JSON Resource Descriptor document.
All other information normally present in a resource descriptor is All other information normally present in a resource descriptor is
present in the resource descriptor, even when "rel" is employed. present in the resource descriptor, even when "rel" is employed.
The "rel" parameter MAY be transmitted to the server multiple times The "rel" parameter MAY be transmitted to the server multiple times
in order to request multiple types of link relations. in order to request multiple types of link relations.
The purpose of the "rel" parameter is to return a subset of The purpose of the "rel" parameter is to return a subset of
resource's link relations. It is not intended to reduce the work resource's link relations. Use of the parameter might reduce
required of a server to produce a response. That said, use of the processing requirements on either the client or server, and it might
parameter might reduce processing requirements on either the client also reduce the bandwidth required to convey the partial resource
or server, and it might also reduce the bandwidth required to convey descriptor, especially if there are numerous link relation values to
the partial resource descriptor, especially if there are numerous convey for a given resource.
link relation values to convey for a given resource.
Support for the "rel" parameter is OPTIONAL, but RECOMMENDED on the Support for the "rel" parameter is OPTIONAL, but RECOMMENDED on the
server. server. Should the server not support the "rel" parameter, it MUST
ignore it and process the request as if any "rel" parameter values
were not present.
The following example presents the same example as found in section The following example presents the same example as found in section
4.1, but uses the "rel" parameter in order to select two link 4.1, but uses the "rel" parameter in order to select two link
relations: relations:
GET /.well-known/webfinger? GET /.well-known/webfinger?
resource=acct%3Abob%40example.com& resource=acct%3Abob%40example.com&
rel=http%3A%2F%2Fwebfinger.net%2Frel%2Fprofile-page& rel=http%3A%2F%2Fwebfinger.net%2Frel%2Fprofile-page&
rel=vcard HTTP/1.1 rel=vcard HTTP/1.1
Host: example.com Host: example.com
skipping to change at page 11, line 49 skipping to change at page 12, line 5
A host MAY utilize one or more URIs that serve as aliases for the A host MAY utilize one or more URIs that serve as aliases for the
user's account, such as URIs that use the "http" URI scheme [2]. A user's account, such as URIs that use the "http" URI scheme [2]. A
WebFinger server MUST return substantially the same response to both WebFinger server MUST return substantially the same response to both
an "acct" URI and any alias URI for the account, including the same an "acct" URI and any alias URI for the account, including the same
set of link relations and properties. The only elements in the set of link relations and properties. The only elements in the
response that MAY be different include "subject", "expires", and response that MAY be different include "subject", "expires", and
"aliases". In addition, the server SHOULD include the entire list "aliases". In addition, the server SHOULD include the entire list
aliases for the user's account in the JRD returned when querying the aliases for the user's account in the JRD returned when querying the
LRDD resource or when utilizing the "resource" parameter. LRDD resource or when utilizing the "resource" parameter.
5.5. "webfinger" Subdomain
It may be difficult or impossible for some hosts wanting to support
WebFinger requests to make a WebFinger server available for the host
at the path /.well-known/webfinger. For instance, in the case of
hosted domains, no web server may be running on the host at all.
For that reason, WebFinger servers for a host MAY be located on a
specific subdomain named "webfinger". For example, the WebFinger
server for the host example.com MAY be located at the URI
https://webfinger.example.com/.well-known/webfinger.
Note that a WebFinger service can operate on any host, such as
bldg6.hq.example.com. As such, the alternate location for the
WebFinger service in that example would be at the host named
webfinger.bldg6.hq.example.com.
WebFinger clients MUST first attempt to make a WebFinger request to
the host's /.well-known/webfinger endpoint, and then if that fails,
clients MUST then attempt to make the request to the WebFinger
endpoint at the "webfinger" subdomain of that host.
It should be appreciated that a 4xx, 5xx, or other status code from
the web server at the host indicates that a web server is operational
and such responses MUST NOT be considered a failure for the purposes
of this section. For the sake of operational efficiency, a client
MUST query the "webfinger" subdomain only if it has reason to believe
that a web server is not operating at the host, such as when there is
a failure to establish an HTTP(S) connection to the host.
6. Cross-Origin Resource Sharing (CORS) 6. Cross-Origin Resource Sharing (CORS)
WebFinger is most useful when it is accessible without restrictions WebFinger might not be useable by code running in web browsers due to
on the Internet, including web browsers. Therefore, WebFinger "Same-Origin" policies. Therefore, WebFinger servers MUST support
servers MUST support Cross-Origin Resource Sharing (CORS) [10] by Cross-Origin Resource Sharing (CORS) [10] and SHOULD do so by
including the following HTTP header in responses: including the following HTTP header in responses:
Access-Control-Allow-Origin: * Access-Control-Allow-Origin: *
Enterprise WebFinger servers that wish to restrict access to Enterprise WebFinger servers that wish to restrict access to
information from external entities SHOULD use a more restrictive information from external entities MAY use a more restrictive Access-
Access-Control-Allow-Origin header. Control-Allow-Origin header.
7. Access Control 7. Access Control
As with all web resources, access to the /.well-known/webfinger As with all web resources, access to the /.well-known/webfinger
resource MAY require authentication. Further, failure to provide resource MAY require authentication. Further, failure to provide
required credentials MAY result in the server forbidding access or required credentials MAY result in the server forbidding access or
providing a different response than had the client authenticated with providing a different response than had the client authenticated with
the server. the server.
Likewise, a server MAY provide different responses to different Likewise, a server MAY provide different responses to different
skipping to change at page 13, line 39 skipping to change at page 13, line 13
email, mail servers for a domain are identified by MX records. An MX email, mail servers for a domain are identified by MX records. An MX
record points to the mail server to which mail for the domain should record points to the mail server to which mail for the domain should
be delivered. It does not matter to the sending mail server whether be delivered. It does not matter to the sending mail server whether
those MX records point to a server in the destination domain or a those MX records point to a server in the destination domain or a
different domain. different domain.
Likewise, a domain owner might utilize the services of a third party Likewise, a domain owner might utilize the services of a third party
to provide WebFinger services on behalf of its users. Just as a to provide WebFinger services on behalf of its users. Just as a
domain owner was required to insert MX records into DNS to allow for domain owner was required to insert MX records into DNS to allow for
hosted email serves, the domain owner is required to redirect HTTP(S) hosted email serves, the domain owner is required to redirect HTTP(S)
queries to its domain to allow for hosted WebFinger services (if a queries to its domain to allow for hosted WebFinger services.
web server is operating at the domain) or insert DNS records for the
"webfinger" subdomain described in section 5.5.
When a query is issued to /.well-known/webfinger and the target host When a query is issued to /.well-known/webfinger, the web server MUST
is operating a web server, the web server MUST return a 301, 302, or return a 301, 302, or 307 response status code that includes a
307 response status code that includes a Location header pointing to Location header pointing to the location of the hosted WebFinger
the location of the hosted WebFinger service URL. The WebFinger service URL. The WebFinger service URL does not need to point to
service URL does not need to point to /.well-known/* on the hosting /.well-known/* on the hosting service provider server. WebFinger
service provider server. In fact, it should not, as that location clients MUST follow all 301, 302, or 307 redirection requests.
would be reserved for queries relating to the service provider's
domain. WebFinger clients MUST follow all 301, 302, or 307
redirection requests.
As an example, let's assume that example.com's WebFinger services are As an example, assume that example.com's WebFinger services are
hosted by example.net. Suppose a client issues a query for hosted by example.net. Suppose a client issues a query for
acct:alice@example.com like this: acct:alice@example.com like this:
GET /.well-known/webfinger? GET /.well-known/webfinger?
resource=acct%3Aalice%40example.com HTTP/1.1 resource=acct%3Aalice%40example.com HTTP/1.1
Host: example.com Host: example.com
The server might respond with this: The server might respond with this:
HTTP/1.1 307 Temporary Redirect HTTP/1.1 307 Temporary Redirect
skipping to change at page 15, line 16 skipping to change at page 14, line 35
of the protocol, not a limitation. If one wishes to limit access to of the protocol, not a limitation. If one wishes to limit access to
information available via WebFinger, such as a WebFinger server for information available via WebFinger, such as a WebFinger server for
use inside a corporate network, the network administrator must take use inside a corporate network, the network administrator must take
measures necessary to limit access from outside the network. Using measures necessary to limit access from outside the network. Using
standard methods for securing web resources, network administrators standard methods for securing web resources, network administrators
do have the ability to control access to resources that might return do have the ability to control access to resources that might return
sensitive information. Further, WebFinger servers can be employed in sensitive information. Further, WebFinger servers can be employed in
such a way as to require authentication and prevent disclosure of such a way as to require authentication and prevent disclosure of
information to unauthorized entities. information to unauthorized entities.
A WebFinger server has no means of ensuring that information provided Finally, a WebFinger server has no means of ensuring that information
by a user is accurate. Likewise, neither the server nor the client provided by a user is accurate. Likewise, neither the server nor the
can be absolutely guaranteed that information has not been client can be absolutely guaranteed that information has not been
manipulated either at the server or along the communication path manipulated either at the server or along the communication path
between the client and server. Use of HTTPS helps to address some between the client and server. Use of HTTPS helps to address some
concerns with manipulation of information along the communication concerns with manipulation of information along the communication
path, but it clearly cannot address issues where the server provided path, but it clearly cannot address issues where the server provided
incorrect information, either due to being provided false information incorrect information, either due to being provided false information
or due to malicious behavior on the part of the server administrator. or due to malicious behavior on the part of the server administrator.
As with any information service available on the Internet, users As with any information service available on the Internet, users
should wary of information received from untrusted sources. should wary of information received from untrusted sources.
Because WebFinger requests for a host may be served by the
"webfinger" subdomain of the host, it should be ensured that the
"webfinger" subdomain is under the same administrative control as the
domain itself (just as one would typically expect that the "www"
subdomain should be controlled by the same authority as the domain
itself).
10. IANA Considerations 10. IANA Considerations
This specification registers the "webfinger" well-known URI in the This specification registers the "webfinger" well-known URI in the
Well-Known URI Registry as defined by [3]. Well-Known URI Registry as defined by [3].
URI suffix: webfinger URI suffix: webfinger
Change controller: IETF Change controller: IETF
Specification document(s): RFC QQQ Specification document(s): RFC QQQ
Related information: The JSON Resource Descriptor (JRD) documents Related information: The JSON Resource Descriptor (JRD) documents
obtained via the WebFinger web service are described in RFC 6415 obtained via the WebFinger web service are described in RFC 6415
Appendix A and RFC QQQ. Appendix A and RFC QQQ.
[RFC EDITOR: Please replace "QQQ" references in this section with the [RFC EDITOR: Please replace "QQQ" references in this section with the
number for this RFC.] number for this RFC.]
 End of changes. 32 change blocks. 
129 lines changed or deleted 94 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/