Re: Thinking about Webfinger

po 8. 5. 2023 v 11:47 odesílatel Matthias Pfefferle <>

> Hi,
> when we are already discussing WebFinger, I would love to add a pro
> argument of integrating WebFinger even more into the ActivityPub spec, to
> decouple some of the "single platform“ issues. The most criticized part of
> ActivityPub is actually the identity portability, the direct dependency of
> the identity to the current used platform (I think this is also discussed
> in an other mailing thread)
> Protocols like AT
> and nostr seem to have some better handlings for that and ironically
> nostr’s NIP-05 is very similar to WebFinger (sadly they refused to use
> WebFinger ) but used a
> bit different.

I'd like to mention that NIP-05 [1] (which is similar to webfinger) has
been working effectively. It enables users to obtain JSON from a
.well-known domain name associated with a public key, which then points
back to the public key. Although it introduces another JSON format, it was
standardized quickly and offers ease of migration. It can also serve as a
bridge to existing web systems, allowing users to verify their accounts at
a domain of their choice, similar to the Twitter blue check mark.  BlueSky
I believe are making their own version of NIP-05.

The team at Kosmos proposed an integration worth considering: "NIP-05 user
addresses (i.e., make your pubkey discoverable via your
address)" [2]. Integrating this into both Solid and the fediverse could be
relatively straightforward, as it uses regular JSON without a new URI
scheme. While it doesn't utilize linked data, there is potential for
modeling everything in Nostr with linked data in the future, as indicated
by the ongoing development of a vocabulary that I am working on [3].  But
that will be a longer journey.


> I would love to see WebFinger used more in the NIP-05 way, as a proxy-like
> identifier for ActivityPub. Hosting WebFinger on a self-owned domain is
> very easy and having a small service to customize the JSON too. With a
> better WebFinger support, a user will be able to control his ID (
> username@owndomain.tld) and delegate the ActivityPub-part (and and a lot
> of others, maybe its possible to decouple ActivityPub even more) to, for
> example, Mastodon. This is already possible, but Mastodon is using the
> canonical identifier that is linked in the JSON instead of the WebFinger
> ID. WebFinger as canonical ID in the fediverse, would allow users to change
> servers without much effort (maybe import/esport follower/following lists).
> Because WebFinger is already common sense in the fediverse, it would not
> cost that much of investment, to have a first step into a more decoupled
> fediverse ecosystem.
> Matthias Pfefferle
> Am 07.05.2023 um 07:00 schrieb Melvin Carvalho <>:
> ne 7. 5. 2023 v 1:43 odesílatel Bob Wyman <> napsal:
>> Melvin wrote:
>>> in theory you could look up an http url with webfinger, this question
>>> did actually come up during the discussions. But of course you'd never
>>> do that, because http has its own tooling curl, the browser, xhr etc
>> Looking up HTTP URLs with WebFinger not only came up in discussions, it
>> is the second example given in the RFC!: (See "3.2.  Getting Author and
>> Copyright Information for a Web Page")
>>>    GET /.well-known/webfinger?
>>> <>%2Farticle%2Fid%2F314
>>>           HTTP/1.1
>>>      Host:
>> The example response JRD includes data about copyright, etc. and I assume
>> it could also provide stuff like public keys, links to did documents, etc.
> Webfinger does have an example of how to get JSON data from an HTTP URI.
> However, a great deal of the W3C web stack is all about getting JSON data
> from an HTTP URI.  Indeed, that's exactly what powers the fediverse.
> Dave Winer's presentation argues persuasively that doing the same thing in
> two different ways should be avoided in standards.  Webfinger's HTTP lookup
> is a good example of that.  Indeed, although webfinger is not part of
> ActivityPub it is still around, where having one JSON format for the whole
> ecosystem would be simpler.
>> Erin Shepard wrote:
>>> There's no need for any changes for any URIs with a host component (any
>>> containing an @ or //, broadly)
>> The WebFinger specification does not require that URI's contain either
>> "@" or "//" and, although it strongly recommends that you should use a
>> URI's host to do lookups, it doesn't require that one use any particular
>> WebFinger service. Also, the spec explicitly permits the lookup of URIs
>> that don't have a host component. It says:
>>> The host to which a WebFinger query is issued is significant.  If
>>> the query target contains a "host" portion (Section 3.2.2 of RFC 3986),
>>> then the host to which the WebFinger query is issued SHOULD be the same as
>>> the "host" portion of the query target, unless the client receives
>>> instructions through some out-of-band mechanism to send the query to
>>> another host.  *If the query target does not contain a "host" portion,
>>> then the client chooses a host to which it directs the query using
>>> additional information it has.*
>> So, it seems to me that the RFC allows me to use just about any WebFinger
>> service that I like for lookups. It also seems like I should be able to
>> extract a host from a did:web like "" and
>> use it even though it contains neither "@" nor "//."
>> There are, I think, some good reasons for wanting to use a WebFinger
>> other than that given by a host. (Even though doing so introduces
>> man-in-the-middle issues.) Assuming that I trust the WebFinger service, I
>> might want to preserve privacy by not connecting directly to the "proper"
>> host WebFinger, and thus leaking my ip address. Or, in the case of doing
>> lookups for obscure did-methods, I might simply not have the necessary code
>> in my client.
>> Given that these things are permitted by the WebFinger RFC, and even
>> explicitly mentioned in the RFC, I don't understand the hesitancy to use
>> them
>> bob wyman

Received on Monday, 8 May 2023 10:18:40 UTC