Diff: draft-ietf-appsawg-webfinger-13.txt (old) vs. draft-ietf-appsawg-webfinger-14.txt (new)
Network Working Group                                    Paul E. Jones
Internet Draft                                       Gonzalo Salgueiro
Intended status: Standards Track                         Cisco Systems
Expires: October 16, 2013 (-13) / November 26, 2013 (-14) Joseph Smarr
                                                                Google
                               April 16, 2013 (-13) / May 26, 2013 (-14)

                                WebFinger
                  draft-ietf-appsawg-webfinger-13.txt (old)
                  draft-ietf-appsawg-webfinger-14.txt (new)
Abstract

   This specification defines the WebFinger protocol, which can be used
   to discover information about people or other entities on the
   Internet using standard HTTP methods.  WebFinger discovers
   information for a URI that might not be usable as a locator
   otherwise, such as account or email URIs.
Status of this Memo

   [skipping to change at page 1, line 36]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 16, 2013 (-13) /
   November 26, 2013 (-14).

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   [skipping to change at page 8, line 47]

   A WebFinger resource is always given a query target, which is another
   URI that identifies the entity whose information is sought.  GET
   requests to a WebFinger resource convey the query target in the
   "resource" parameter in the WebFinger URI's query string; see Section
   4.1 for details.
   Old text (-13):

   The host to which a WebFinger query is issued is significant.  If the
   query target contains a "host" portion (Section 3.2.2 of RFC 3986),
   then the host to which the WebFinger query is issued MUST be the same
   as the "host" portion of the query target.  If the query target does
   not contain a "host" portion, then the client MAY choose a host to
   which it directs the query based on local policy.

   New text (-14):

   The host to which a WebFinger query is issued is significant.  If the
   query target contains a "host" portion (Section 3.2.2 of RFC 3986),
   then the host to which the WebFinger query is issued MUST be the same
   as the "host" portion of the query target, unless the client receives
   instructions through some out-of-band mechanism to send the query to
   another host.  If the query target does not contain a "host" portion,
   then the client MAY choose a host to which it directs the query using
   additional information it has.
   The path component of a WebFinger URI MUST be the well-known path
   "/.well-known/webfinger".  A WebFinger URI MUST contain a query
   component that encodes the query target and optional link relation
   types as specified in Section 4.1.

   The WebFinger resource returns a JSON Resource Descriptor (JRD) as
   the resource representation to convey information about an entity on
   the Internet.  Also, the Cross-Origin Resource Sharing (CORS) [9]
   specification is utilized to facilitate queries made via a web
   [skipping to change at page 10, line 18]

   9.2).

   A WebFinger resource MAY redirect the client; if it does, the
   redirection MUST only be to an "https" URI and the client MUST
   perform certificate validation again when redirected.

   A WebFinger resource can include cache validators in a response to
   enable conditional requests by the client and/or expiration times as
   per Section 13 of RFC 2616.
   New text (-14), paragraph added:

   A WebFinger client MAY utilize the HEAD method when querying a
   WebFinger resource.  Consequently, a WebFinger resource MUST support
   the receipt of the HEAD method.
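The client-side rules above (well-known path and query component, host of the query matching the host of the query target with the -14 out-of-band exception, and redirects accepted only to "https" URIs) as an added example; this is not code from the draft. The function names, the `out_of_band` flag and the sample "acct:" URI and link relation type are assumptions made for the illustration.

```python
# Added example (not from the draft): build a WebFinger query URI and apply
# the host and redirect rules of Sections 4.1/4.2 using only the stdlib.
from typing import Optional
from urllib.parse import urlencode, urlsplit

WELL_KNOWN_PATH = "/.well-known/webfinger"
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def query_target_host(resource: str) -> Optional[str]:
    """Return the "host" portion (RFC 3986, Section 3.2.2) of a query
    target, or None if it has none.  "acct:" and "mailto:" URIs carry no
    authority component, so their host is taken from after the '@'."""
    parts = urlsplit(resource)
    if parts.hostname:
        return parts.hostname.lower()
    if parts.scheme in ("acct", "mailto") and "@" in parts.path:
        return parts.path.rsplit("@", 1)[1].lower()
    return None


def build_webfinger_uri(host: str, resource: str, rels=(), out_of_band=False) -> str:
    """Form https://<host>/.well-known/webfinger?resource=...&rel=...
    The query host MUST equal the query target's host; the -14 text allows
    another host only on out-of-band instruction, modelled by the flag."""
    target_host = query_target_host(resource)
    if target_host is not None and not out_of_band and host.lower() != target_host:
        raise ValueError(f"host {host!r} does not match query target host {target_host!r}")
    params = [("resource", resource)] + [("rel", r) for r in rels]
    return f"https://{host}{WELL_KNOWN_PATH}?" + urlencode(params)


def next_hop(status: int, headers: dict) -> Optional[str]:
    """Decide what to do with a response: None means a final response,
    otherwise the URI to re-query.  A redirect is acceptable only to an
    "https" URI (the HTTP client must then validate the certificate again)."""
    if status not in REDIRECT_STATUSES:
        return None
    location = headers.get("Location", "")
    if urlsplit(location).scheme != "https":
        raise ValueError(f"refusing redirect to non-https URI {location!r}")
    return location
```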
4.3. The "rel" Parameter

   When issuing a request to a WebFinger resource, the client MAY
   utilize the "rel" parameter to request only a subset of the
   information that would otherwise be returned without the "rel"
   parameter.  When the "rel" parameter is used and accepted, only the
   link relation types that match the link relation types provided via
   the "rel" parameter are included in the array of links returned in
   the JRD.  If there are no matching link relation types defined for
   the resource, the "links" array in the JRD will either be absent or
   [skipping to change at page 12, line 26 (-13) / line 21 (-14)]

   The value of the "subject" member is a URI that identifies the entity
   that the JRD describes.

   The "subject" value returned by a WebFinger resource MAY differ from
   the value of the "resource" parameter used in the client's request.
   This might happen, for example, when the subject's identity changes
   (e.g., a user moves his or her account to another service) or when
   the resource prefers to express URIs in canonical form.
   Old text (-13):  The "subject" member MUST be present in the JRD.

   New text (-14):  The "subject" member SHOULD be present in the JRD.
4.4.2. aliases

   The "aliases" array is an array of zero or more URI strings that
   identify the same entity as the "subject" URI.  Each URI must be an
   absolute URI.

   The "aliases" array is OPTIONAL in the JRD.

4.4.3. properties
   [skipping to change at page 14, line 15]

4.4.4.3. href

   The value of the "href" member is a string that contains a URI
   pointing to the target resource.

   The "href" member is OPTIONAL in the link relation object.

4.4.4.4. titles
   Old text (-13):

   The "titles" object comprises zero or more name/value pairs whose
   name is a language tag [13] or the string "default".  The string is
   human-readable and describes the link relation.  More than one title
   for the link relation MAY be provided for the benefit of users who
   utilize the link relation and, if used, a language identifier SHOULD
   be duly used as the name.  If the language is unknown or unspecified,
   then the name is "default".

   A JRD SHOULD NOT include more than one title identified with the same
   language tag (or "default") within the link relation object.  Meaning
   is undefined if a link relation object includes more than one title
   named with the same language tag (or "default"), though this MUST NOT
   be treated as an error.  A client MAY select whichever title or
   titles it wishes to utilize.

   New text (-14):

   The "titles" object comprises zero or more name/value pairs whose
   name is a language tag [13] or the string "und".  The string is
   human-readable and describes the link relation.  More than one title
   for the link relation MAY be provided for the benefit of users who
   utilize the link relation and, if used, a language identifier SHOULD
   be duly used as the name.  If the language is unknown or unspecified,
   then the name is "und".

   A JRD SHOULD NOT include more than one title identified with the same
   language tag (or "und") within the link relation object.  Meaning is
   undefined if a link relation object includes more than one title
   named with the same language tag (or "und"), though this MUST NOT be
   treated as an error.  A client MAY select whichever title or titles
   it wishes to utilize.
   Here is an example of the titles object:

     "titles" :
     {
       "en-us" : "The Magical World of Bob",
       "fr" : "Le Monde Magique de Bob"
     }

   The "titles" member is OPTIONAL in the link relation object.
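JRD handling on both sides, as an added example that is not part of the draft: the server-side "rel" filtering of Section 4.3 (no match leaves the "links" array absent) and the client-side title choice of Section 4.4.4.4 with the -14 "und" fallback. The sample JRD is constructed for the illustration (it reuses the draft's titles object) and the function names are assumptions.

```python
# Added example (not from the draft): "rel" filtering of a JRD and choosing
# a link title by language tag, with "und" as the unknown-language fallback.
import json
from typing import Optional

# Constructed sample JRD for the illustration; the titles object is the one
# shown in the draft.  json.loads keeps the last of any duplicate tag, which
# is acceptable because duplicates MUST NOT be treated as an error.
SAMPLE_JRD = json.loads("""{
  "subject": "acct:bob@example.com",
  "aliases": ["https://www.example.com/~bob/"],
  "links": [
    {"rel": "http://webfinger.net/rel/profile-page",
     "href": "https://www.example.com/~bob/",
     "titles": {"en-us": "The Magical World of Bob",
                "fr": "Le Monde Magique de Bob"}},
    {"rel": "http://webfinger.net/rel/avatar",
     "href": "https://www.example.com/~bob/avatar.png",
     "titles": {"und": "Bob's avatar"}}
  ]
}""")


def filter_links_by_rel(jrd: dict, rels) -> dict:
    """Server side (Section 4.3): copy the JRD keeping only links whose
    "rel" was requested.  With no match the "links" array is omitted,
    one of the two forms the section permits."""
    wanted = set(rels)
    out = {k: v for k, v in jrd.items() if k != "links"}
    kept = [link for link in jrd.get("links", []) if link.get("rel") in wanted]
    if kept:
        out["links"] = kept
    return out


def pick_title(link: dict, preferred) -> Optional[str]:
    """Client side (Section 4.4.4.4): choose a title for the user's
    preferred languages.  Tags compare case-insensitively, a region tag
    such as "en-US" falls back to its primary subtag "en", and "und" is
    the last resort.  None means no usable title."""
    by_tag = {tag.lower(): text for tag, text in (link.get("titles") or {}).items()}
    for tag in preferred:
        tag = tag.lower()
        if tag in by_tag:
            return by_tag[tag]
        primary = tag.split("-")[0]
        if primary in by_tag:
            return by_tag[primary]
    return by_tag.get("und")
```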
   [skipping to change at page 17, line 38]

   is valid (as defined in [14]) and accept a response only if the
   certificate is valid.

8.2. User Privacy Considerations
   Old text (-13):

   Service providers and users should be aware that placing information
   on the Internet means that any user can access that information and
   WebFinger can be used to make it even easier to discover that
   information.  While WebFinger can be an extremely useful tool for
   discovering one's avatar, blog, or other personal data, users should
   understand the risks, too.  If one does not wish to share certain
   information with the world, do not allow that information to be
   freely accessible on the Internet or discoverable via WebFinger.

   New text (-14):

   Service providers and users should be aware that placing information
   on the Internet means that any user can access that information and
   WebFinger can be used to make it even easier to discover that
   information.  While WebFinger can be an extremely useful tool for
   discovering one's avatar, blog, or other personal data, users should
   understand the risks, too.
   Systems or services that expose personal data via WebFinger MUST
   provide an interface by which users can select which data elements
   are exposed through the WebFinger interface.  For example, social
   networking sites might allow users to mark certain data as "public"
   and then utilize that marking as a means of determining what
   information to expose via WebFinger.  The information published via
   WebFinger would thus comprise only the information marked as public
   by the user.  Further, the user has the ability to remove information
   from publication via WebFinger by removing this marking.
   Old text (-13):

   WebFinger MUST NOT be used to provide any personal data to any party
   unless explicitly authorized by the person whose information is being
   shared.  Publishing one's personal data within an access-controlled
   or otherwise limited environment on the Internet does not equate to
   providing implicit authorization of further publication of that data
   via WebFinger.

   New text (-14):

   WebFinger MUST NOT be used to provide any personal data unless
   publishing that data via WebFinger by the relevant service was
   explicitly authorized by the person whose information is being
   shared.  Publishing one's personal data within an access-controlled
   or otherwise limited environment on the Internet does not equate to
   providing implicit authorization of further publication of that data
   via WebFinger.
   The privacy and security concerns with publishing personal data via
   WebFinger are worth emphasizing again with respect to personal data
   that might reveal a user's current context (e.g., the user's
   location).  The power of WebFinger comes from providing a single
   place where others can find pointers to information about a person,
End of changes.  12 change blocks.  24 lines changed or deleted, 21 lines changed or added.

This html diff was produced by rfcdiff 1.41.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/