Fwd: [apps-discuss] WebFinger should be HTTPS only

---------- Forwarded message ----------
From: Mike Jones <Michael.Jones@microsoft.com>
Date: 11 September 2012 19:43
Subject: [apps-discuss] WebFinger should be HTTPS only
To: "apps-discuss@ietf.org" <apps-discuss@ietf.org>


Having looked at the WebFinger specification a bit more, I recently
realized that it currently does not require TLS to be used.  Section 5.1 -
Performing a WebFinger Query – currently begins “The first step a client
must perform in executing a WebFinger query is to query for the host
metadata using HTTPS or HTTP”.  This concerns me, since this may enable
classes of phishing attacks in some situations.

I would therefore request that the specification be updated to prohibit
non-TLS connections.

                                                            Thank you,

                                                            -- Mike

_______________________________________________
apps-discuss mailing list
apps-discuss@ietf.org
https://www.ietf.org/mailman/listinfo/apps-discuss

Received on Tuesday, 11 September 2012 17:46:35 UTC
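
The HTTPS-only policy requested in the message above, sketched as a client-side check. This is an added example, not code from the original message or from the WebFinger specification. It assumes the RFC 6415 well-known path `/.well-known/host-meta`; the function names and the redirect-hop limit are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

# Well-known host-metadata path from RFC 6415 (assumed here; the message
# above only quotes the draft's "HTTPS or HTTP" wording).
HOST_META_PATH = "/.well-known/host-meta"


class InsecureWebFingerError(ValueError):
    """Raised when a lookup would leave TLS."""


def host_meta_url(account: str) -> str:
    """Return the HTTPS-only host-metadata URL for 'acct:user@host'."""
    acct = account[5:] if account.lower().startswith("acct:") else account
    user, sep, host = acct.rpartition("@")
    # Reject hosts that could smuggle a path, query, or userinfo into the URL.
    if not (sep and user and host) or any(c in host for c in "/?#\\ \t\r\n"):
        raise ValueError(f"not a valid account identifier: {account!r}")
    return f"https://{host.lower()}{HOST_META_PATH}"


def next_hop(current_url: str, location: str) -> str:
    """Resolve a redirect Location header; refuse any non-HTTPS target."""
    target = urljoin(current_url, location)
    if urlsplit(target).scheme != "https":
        raise InsecureWebFingerError(f"redirect leaves TLS: {target}")
    return target


def final_url(account: str, locations: list[str], max_hops: int = 5) -> str:
    """Walk a redirect chain (Location values) under the HTTPS-only policy."""
    if len(locations) > max_hops:
        raise InsecureWebFingerError("too many redirects")
    url = host_meta_url(account)
    for location in locations:
        url = next_hop(url, location)
    return url


if __name__ == "__main__":
    # Constructed sample chains, not captured traffic.
    print(final_url("acct:bob@example.com", ["/hm/host-meta.xml"]))
    try:
        final_url("acct:bob@example.com", ["http://example.com/host-meta"])
    except InsecureWebFingerError as exc:
        print("rejected:", exc)
```

Checking every redirect hop matters as much as the first request: a client that starts on HTTPS but follows a `Location` header to plain HTTP ends up with the same unauthenticated host metadata.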