Re: Thinking about Webfinger

Melvin wrote:

> in theory you could look up an http url with webfinger, this question did
> actually come up during the discussions. But of course you'd never do
> that, because http has its own tooling curl, the browser, xhr etc


Looking up HTTP URLs with WebFinger not only came up in discussions, it is
the second example given in the RFC! (See "3.2.  Getting Author and
Copyright Information for a Web Page".)

>    GET /.well-known/webfinger?
>           resource=http%3A%2F%2Fblog.example.com%2Farticle%2Fid%2F314
>           HTTP/1.1
>      Host: blog.example.com

The example response JRD includes data about copyright, etc. and I assume
it could also provide stuff like public keys, links to did documents, etc.

Erin Shepard wrote:

> There's no need for any changes for any URIs with a host component (any
> containing an @ or //, broadly)


The WebFinger specification does not require that URIs contain either "@"
or "//" and, although it strongly recommends that you should use a URI's
host to do lookups, it doesn't require that one use any particular
WebFinger service. Also, the spec explicitly permits the lookup of URIs
that don't have a host component. It says:

> The host to which a WebFinger query is issued is significant.  If
> the query target contains a "host" portion (Section 3.2.2 of RFC 3986),
> then the host to which the WebFinger query is issued SHOULD be the same as
> the "host" portion of the query target, unless the client receives
> instructions through some out-of-band mechanism to send the query to
> another host.  *If the query target does not contain a "host" portion,
> then the client chooses a host to which it directs the query using
> additional information it has.*


So, it seems to me that the RFC allows me to use just about any WebFinger
service that I like for lookups. It also seems like I should be able to
extract a host from a did:web like "did:web:example.com:user:alice" and use
it even though it contains neither "@" nor "//".

There are, I think, some good reasons for wanting to use a WebFinger other
than that given by a host, even though doing so introduces
man-in-the-middle issues. Assuming that I trust the WebFinger service, I
might want to preserve privacy by not connecting directly to the "proper"
host WebFinger, and thus leaking my IP address. Or, in the case of doing
lookups for obscure did-methods, I might simply not have the necessary code
in my client.

Given that these things are permitted by the WebFinger RFC, and even
explicitly mentioned in the RFC, I don't understand the hesitancy to use
them.

bob wyman

Received on Saturday, 6 May 2023 23:43:31 UTC
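As an added illustration (not code from the thread or from RFC 7033), here is how a client could choose the query host the way the message describes: the RFC 3986 host when the resource has one, a host derived from a did:web identifier otherwise, or an out-of-band resolver supplied by the caller, while flagging the case where the query leaves the resource's own host, which is exactly the trust/man-in-the-middle situation the message points out. The did:web host rule (first method-specific segment, port encoded as %3A) and the `via_host` parameter are assumptions made for this example.

```python
from typing import Optional
from urllib.parse import urlsplit, urlencode, unquote


def resource_host(resource: str) -> Optional[str]:
    """Host implied by a WebFinger query target, or None if it has none.

    http(s) URIs carry an RFC 3986 authority; acct: URIs carry the host after
    '@'; did:web puts the host in the first method-specific segment (a port is
    encoded as %3A). Assumed rules for this example, not taken from RFC 7033.
    """
    parts = urlsplit(resource)
    if parts.netloc:                                   # http://, https://, ...
        return parts.netloc
    if parts.scheme == "acct" and "@" in parts.path:
        return parts.path.rsplit("@", 1)[1]
    if parts.scheme == "did" and parts.path.startswith("web:"):
        return unquote(parts.path[len("web:"):].split(":", 1)[0])
    return None                                        # e.g. did:key:..., urn:


def webfinger_url(resource: str, via_host: Optional[str] = None) -> str:
    """Build the query URL; via_host models the RFC's out-of-band override."""
    host = via_host or resource_host(resource)
    if host is None:
        raise ValueError("query target has no host and no out-of-band host given")
    # RFC 7033 specifies WebFinger over HTTPS; urlencode percent-encodes ':',
    # '/' and '@' in the resource exactly as the RFC's examples show.
    return f"https://{host}/.well-known/webfinger?{urlencode([('resource', resource)])}"


def query_leaves_resource_host(resource: str, via_host: Optional[str]) -> bool:
    """True when the query goes somewhere other than the resource's own host.

    That is the case the message discusses: the answer is only as trustworthy
    as the third-party WebFinger service, so a client should surface it.
    """
    own = resource_host(resource)
    return via_host is not None and own is not None and via_host != own


if __name__ == "__main__":
    # Constructed sample targets: the RFC's blog example plus a did:web.
    for r, via in [("http://blog.example.com/article/id/314", None),
                   ("did:web:example.com:user:alice", "resolver.example.net")]:
        print(webfinger_url(r, via), "off-host" if query_leaves_resource_host(r, via) else "on-host")
```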