- From: Sandro Hawke <sandro@w3.org>
- Date: Sat, 17 May 2014 19:42:35 -0400
- To: Melvin Carvalho <melvincarvalho@gmail.com>
- CC: public-webid <public-webid@w3.org>
On May 17, 2014 5:36:56 PM EDT, Melvin Carvalho <melvincarvalho@gmail.com> wrote:

> On 17 May 2014 19:36, Sandro Hawke <sandro@w3.org> wrote:
>
>> On 05/17/2014 12:28 PM, Melvin Carvalho wrote:
>>
>> Note: also that webfinger tried to open this can of worms and ended up
>> minting an acct: URI scheme ... seems like fragmentation is undesirable ...
>>
>> Can you summarize the story there, or point to a summary? I missed that.
>
> The idea of webfinger was to get an HTTP URL from an email address that
> gave machine readable information, such as name, avatar, blog etc.
>
> So it originally looked something like this
>
> /.well-known/webfinger?subject=user@host
>
> But then there was confusion ... was user@host the subject or the object.
> It was decided that user@host (ie mailto:) was the object. Which left the
> awkward question, what's the subject? To tackle this the idea was that
> users have "accounts" at websites. So a new URI scheme was minted
> acct:user@host, which would be the subject of the query.
>
> So now you go to
>
> /.well-known/webfinger?subject=acct:user@host
>
> But now we have fragmentation of the common user@host pattern. Is it
> mailto: ? is it acct: ? is it xmpp: ? is it sip: ? etc. When do I use it as
> a primary key or foreign key at web scale?
>
> Of course here you could have just used mailto: as an indirect identifier
> or as a reverse lookup on the object. But that's not how the spec went, so
> things got complicated.

Interesting... I think the utility of webfinger is rather reduced in a world where the mapping between email addresses and identity-provider accounts is one-to-many, instead of one-to-one as used to be imagined. For example, Alice might have two Google accounts, alice@gmail.com and alice@w3.org. And meanwhile she might have two more accounts at ExampleCorp, using the same two email addresses.

So when I grant access to one of her accounts using alice@gmail.com, I need to also say whether I'm granting it to the Google or ExampleCorp account associated with that email. It's kind of a mess. In practice I think the options are

1. I send Alice a secret capability URL, which she'll attach to the account or accounts of her choice.
2. I'll find Alice and some of her accounts through mutual third parties that I trust. In that case knowing her email address isn't all that useful.

- Sandro

> A clean architecture is helpful in building things that scale. Do you have
> a specific pain point that we could think about addressing?
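To make the one-to-many problem and option 1 concrete, here is an added example (not code from either poster or from any WebFinger implementation): a lookup that shows why an email address alone is an ambiguous grant key once Alice has two accounts per address, beside a grant carried by an unguessable capability URL that she binds to one account of her choice. The provider names, the `example.org` host and the account data are constructed for the illustration.

```python
"""Email -> account is one-to-many, so a grant keyed on email is ambiguous;
a secret capability URL lets the recipient choose which account receives it."""
import secrets
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Account:
    provider: str   # identity provider holding the account (constructed names)
    email: str      # email address the account is associated with


# Constructed sample data: Alice's four accounts, two per email address,
# mirroring the Google / ExampleCorp situation described in the mail.
ACCOUNTS = [
    Account("google", "alice@gmail.com"),
    Account("google", "alice@w3.org"),
    Account("examplecorp", "alice@gmail.com"),
    Account("examplecorp", "alice@w3.org"),
]


def accounts_for_email(email: str, accounts: List[Account] = ACCOUNTS) -> List[Account]:
    """Resolve an email address to accounts; the grant is ambiguous when len() > 1."""
    return [a for a in accounts if a.email == email]


@dataclass
class CapabilityGrant:
    """Option 1 from the mail: the grant travels as a URL whose path is the secret."""
    resource: str
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    bound_to: Optional[Account] = None

    @property
    def url(self) -> str:
        # Possession of this URL is the credential; the host is hypothetical.
        return f"https://example.org/grants/{self.token}"

    def redeem(self, presented_token: str, account: Account) -> bool:
        """Bind the grant to exactly one account on the first valid presentation."""
        if self.bound_to is not None:
            return False                       # already attached; refuse re-binding
        if not secrets.compare_digest(presented_token, self.token):
            return False                       # constant-time token comparison
        self.bound_to = account
        return True
```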
Received on Saturday, 17 May 2014 23:42:45 UTC