Re: Thinking about Webfinger

ne 7. 5. 2023 v 1:43 odesílatel Bob Wyman <> napsal:

> Melvin wrote:
>> in theory you could look up an http url with webfinger, this question did
>> actually come up during the discussions. But of course you'd never do
>> that, because http has its own tooling curl, the browser, xhr etc
> Looking up HTTP URLs with WebFinger not only came up in discussions, it is
> the second example given in the RFC!: (See "3.2.  Getting Author and
> Copyright Information for a Web Page")
>>    GET /.well-known/webfinger?
>>           HTTP/1.1
>>      Host:
> The example response JRD includes data about copyright, etc. and I assume
> it could also provide stuff like public keys, links to did documents, etc.

Webfinger does have an example of how to get JSON data from an HTTP URI.
However, a great deal of the W3C web stack is all about getting JSON data
from an HTTP URI.  Indeed, that's exactly what powers the fediverse.

Dave Winer's presentation argues persuasively that doing the same thing in
two different ways should be avoided in standards.  Webfinger's HTTP lookup
is a good example of that.  Indeed, although webfinger is not part of
ActivityPub it is still around, where having one JSON format for the whole
ecosystem would be simpler.

> Erin Shepard wrote:
>> There's no need for any changes for any URIs with a host component (any
>> containing an @ or //, broadly)
> The WebFinger specification does not require that URI's contain either "@"
> or "//" and, although it strongly recommends that you should use a URI's
> host to do lookups, it doesn't require that one use any particular
> WebFinger service. Also, the spec explicitly permits the lookup of URIs
> that don't have a host component. It says:
>> The host to which a WebFinger query is issued is significant.  If
>> the query target contains a "host" portion (Section 3.2.2 of RFC 3986),
>> then the host to which the WebFinger query is issued SHOULD be the same as
>> the "host" portion of the query target, unless the client receives
>> instructions through some out-of-band mechanism to send the query to
>> another host.  *If the query target does not contain a "host" portion,
>> then the client chooses a host to which it directs the query using
>> additional information it has.*
> So, it seems to me that the RFC allows me to use just about any WebFinger
> service that I like for lookups. It also seems like I should be able to
> extract a host from a did:web like "" and
> use it even though it contains neither "@" nor "//."
> There are, I think, some good reasons for wanting to use a WebFinger other
> than that given by a host. (Even though doing so introduces
> man-in-the-middle issues.) Assuming that I trust the WebFinger service, I
> might want to preserve privacy by not connecting directly to the "proper"
> host WebFinger, and thus leaking my ip address. Or, in the case of doing
> lookups for obscure did-methods, I might simply not have the necessary code
> in my client.
> Given that these things are permitted by the WebFinger RFC, and even
> explicitly mentioned in the RFC, I don't understand the hesitancy to use
> them
> bob wyman

Received on Sunday, 7 May 2023 05:01:03 UTC