Fwd: [unhosted] Proposing a centralized fallback for Webfinger.

FYI


---------- Forwarded message ----------
From: Ben Adida <ben@adida.net>
Date: 3 January 2012 15:41
Subject: Re: [unhosted] Proposing a centralized fallback for Webfinger.
To: unhosted@googlegroups.com



Michiel,

This is something Mozilla's been thinking about doing: providing a
centralized bootstrap for profile registry. WebFinger is obviously
high on the list, although I would prefer to keep it as the protocol
for truly public info, wherever possible (given its otherwise
unattractive privacy properties.)

This may be a good simple place of first collaboration?

-Ben


On 1/2/12 8:32 PM, Michiel de Jong wrote:
>
> Some people have their own domain name. For them, we provide things like
> our WordPress plugin and our ownCloud app. But many people rely on one
> of the big three email providers (Hotmail, Yahoo, Gmail) for their user
> address. There is also a possibility that people's Facebook profiles,
> rather than their smtp addresses, will become their main user address in
> the near future.
>
> We could encourage people to get an additional user address; one they
> use specifically for their remote storage. But that's not very user
> friendly. So given that we already defined the open way to link remote
> storage to your user address (namely, via webfinger), we can, without
> loss of openness (and that's the big discussion point, obviously),
> define a fallback option. This is an approach that BrowserId already
> uses with browserid.org <http://browserid.org>, and that has its friends
> and its enemies, but that may make sense for our situation, too.
>
> I propose a centralized registry where people can announce their
> remoteStorage whenever their user address doesn't have a webfinger file,
> or when their webfinger file is not user-editable. To edit your records
> at useraddress.net <http://useraddress.net>, simply log in with
> BrowserId, and link to a URL where you host your own lrdd or jrd file.
> All useraddress.net <http://useraddress.net> stores are these links. We
> would then recommend to applications that they support useraddress.net
> <http://useraddress.net> as a fallback whenever webfinger fails, but
> never as a replacement for webfinger. That way, openness of the protocol
> stack is still guaranteed, and the only centralized registries we
> actually /rely/ on, will still only be DNS and TLS.
>
> So the application will always try to check your webfinger first, but
> fall back to useraddress.net <http://useraddress.net> whenever webfinger
> fails.
>
> yes, it's a centralized registry, and if it gets hacked then you get a
> big phishing risk, so it's not something we want to do just for the fun
> of it. But from the user's point of view, it might be the only option
> that would work well (at least i don't see any others right now;
> alternatives, anyone?).
>
> one alternative would be to simply not support 99% of people's existing
> user addresses. but that's probably the easiest route to letting our
> entire project fail to ever achieve critical mass. I remember the words
> of Ade at fsw-2011 "be linux, not herd" - as in, don't let design
> perfectionism become the enemy of actually building something.
>
> i would say it could easily take 5 years before everybody has their own
> user-editable webfinger file. So we can try out the useraddress.net
> <http://useraddress.net> fallback as a temporary measure, keep
> campaigning for webfinger adoption, and plan like a 5-year deprecation track.
>
> but postponing our revolution until after webfinger files are
> user-editable is not a viable option, i think.
>
> Opinions, anyone?
>
>
> cheers!
> Michiel

Received on Tuesday, 3 January 2012 15:00:34 UTC