Updated Aug 14, 2009 by bradfitzgoog
Labels: Featured
WebFingerProtocol  
the WebFinger protocol

WARNING: DRAFT

This is a draft. About a dozen of us have discussed this at various times and largely agreed on everything, so it's time to start writing it down.

Protocol

The goal of the protocol is to get, starting from a user's email address, an XRD XML file describing how to find that user's public metadata.

Split the email address

Given an email address, foo@example.com, split it into two parts: the local part (foo) and the domain (example.com).

Get the domain XRD file

First, you need to get the domain's XRD file; in this case, example.com's XRD file. Try to look it up using DNS first, then fall back to a well-known HTTP URL.

Try DNS first (if you're feeling fancy)

On the domain, example.com, do a DNS lookup ..... TODO: complete this section. SRV doesn't quite work, and TXT is hacky. See the DnsLookup page.

Try well-known HTTP location if DNS failed

If DNS discovery fails, fall back to an HTTP-based domain XRD lookup at a well-known location:

GET /.well-known/host-meta HTTP/1.1
Host: example.com

The world has enough well-known URLs (/favicon.ico, /crossdomain.xml, /robots.txt), and we felt dirty adding another, so the /.well-known/ prefix (see draft-nottingham-site-meta-02) is the virtual directory in which we hope future specs will put their well-known URLs too.

Verify the XRD file's signature

If the XRD file is signed by the domain, verify the signature.

If it is not signed, and either the domain's XRD has been signed before or it is a big company's site that you would expect to sign it, be afraid: abort the process. An unsigned file where a signed one is expected is probably a man-in-the-middle downgrade.

Alternatively, request the XRD over SSL and verify the SSL certificate. This avoids having to do an out-of-band signature process. Note that the certificate only proves you are talking to example.com, so it stands in for a signature only while the host-meta file is served by example.com itself, and the same downgrade rule applies: a client that has fetched a domain's XRD over SSL before should not silently accept plain, unsigned HTTP for it later.

Look for the XRD Link-Pattern

Look for the Link-Pattern in the domain XRD file. The Link-Pattern is a template for converting the email address into a URL.

e.g.

http://meta.example.org/?q={%uri}

Comment (blaine): is there a way we can define just a Link (i.e., not a Link-Pattern) that always has a single known parameter, as defined by a specific rel tag?

e.g., if the link in an HTML header is:

<link rel='webfinger-query' href='http://meta.example.org/webfinger' />

then implicit is an 'email' or 'q' parameter that gets added, like so:

http://meta.example.org/webfinger?email=bob%40example.org

Get user's XRD file

Expand the Link-Pattern template with the full email address (not just the local, user part); the resulting URL is the user's XRD file.
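The steps above, from splitting the address to expanding the Link-Pattern, as one added example written for this page; it is not code from the draft or its authors. The draft fixes no XML vocabulary, so the example assumes the XRD 1.0 namespace, a Link-Pattern element with rel and template attributes, and the rel value webfinger-query from blaine's comment; it also assumes that substituted values are percent-encoded, that the https form of the well-known URL is preferred, and (as an extension suggested in the comments below, not in the draft) it accepts {%local} and {%domain} alongside {%uri}. Fetching the file and verifying its signature are left to the caller; the policy class only encodes the "be afraid" downgrade rule.

```python
"""Hypothetical WebFinger-draft resolver: host-meta XRD -> Link-Pattern -> user XRD URL."""
import re
import urllib.parse
import xml.etree.ElementTree as ET

# ASSUMPTIONS: the draft names a "Link-Pattern" but fixes no XML vocabulary.
# XRD 1.0 namespace, a <Link-Pattern rel=... template=...> child of <XRD>, and
# the rel value "webfinger-query" borrowed from the in-page comment by blaine.
XRD_NS = "http://docs.oasis-open.org/ns/xri/xrd-1.0"
LINK_PATTERN_TAG = "{%s}Link-Pattern" % XRD_NS
WEBFINGER_REL = "webfinger-query"

# Constructed sample host-meta document for example.com (not a real file).
SAMPLE_HOST_META = """<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>example.com</Subject>
  <Link-Pattern rel="webfinger-query" template="http://meta.example.org/?q={%uri}"/>
</XRD>
"""

_VARIABLE = re.compile(r"\{%([A-Za-z]+)\}")


def split_address(address):
    """Split 'foo@example.com' into ('foo', 'example.com').

    Exactly one '@' is required (quoted local parts containing '@' are rejected
    rather than guessed at). The domain is lowercased because DNS names are
    case-insensitive; the local part is kept exactly as given.
    """
    if address.count("@") != 1:
        raise ValueError("expected exactly one '@' in %r" % address)
    local, domain = address.split("@")
    if not local or not domain:
        raise ValueError("empty local part or domain in %r" % address)
    return local, domain.lower()


def host_meta_url(domain, scheme="https"):
    """Well-known location of the domain XRD (the draft's HTTP fallback).
    Defaults to https so the server certificate can stand in for an XRD signature."""
    return "%s://%s/.well-known/host-meta" % (scheme, domain)


def find_link_pattern(xrd_xml, rel=WEBFINGER_REL):
    """Return the template of the first Link-Pattern carrying the wanted rel.
    ElementTree does not fetch external entities but does expand internal ones;
    parse untrusted host-meta with defusedxml in production."""
    root = ET.fromstring(xrd_xml)
    for link in root.findall(LINK_PATTERN_TAG):
        template = link.get("template")
        if link.get("rel") == rel and template:
            return template
    raise LookupError("no Link-Pattern with rel=%r in host-meta" % rel)


def expand_pattern(template, address):
    """Expand {%uri} (and the comment-suggested {%local}/{%domain}) with
    percent-encoded values. Encoding matters because the local part may contain
    URL-special characters ('/', '?', '#', '&'); safe='' also turns '@' into %40,
    matching the 'email=bob%40example.org' form on the page. An unknown variable
    is an error rather than being left in the URL."""
    local, domain = split_address(address)
    values = {"uri": address, "local": local, "domain": domain}

    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError("unknown Link-Pattern variable {%%%s}" % name)
        return urllib.parse.quote(values[name], safe="")

    return _VARIABLE.sub(substitute, template)


def user_xrd_url(host_meta_xml, address):
    """Full pipeline from a fetched host-meta body to the user's XRD URL."""
    url = expand_pattern(find_link_pattern(host_meta_xml), address)
    parts = urllib.parse.urlsplit(url)
    # A hostile template could yield e.g. a file: or javascript: URL; refuse
    # anything a client should not dereference for this purpose.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("Link-Pattern produced a non-HTTP URL: %r" % url)
    return url


class SignaturePolicy:
    """The draft's 'be afraid' rule as a downgrade check: a domain whose XRD has
    been seen signed (or is pinned up front as expected to sign) must keep being
    signed; an unsigned XRD from such a domain aborts the lookup. Verifying the
    signature itself is the caller's job; it passes the outcome as `signed`."""

    def __init__(self, expected_signed=()):
        self._expected = set(expected_signed)

    def accept(self, domain, signed):
        if signed:
            self._expected.add(domain)
            return True
        return domain not in self._expected


if __name__ == "__main__":
    print(user_xrd_url(SAMPLE_HOST_META, "foo@example.com"))
```

Run stand-alone it prints the expanded URL for the constructed host-meta; in a real client the body passed to user_xrd_url would come from host_meta_url(domain) after the DNS attempt failed, and SignaturePolicy.accept would be consulted before the body is parsed at all.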

Appendix

Respect and use DNS TTLs and HTTP caching/expiry headers.


Comment by evan.prodromou, May 06, 2009

Is it worth referencing the URI Template draft spec?

http://tools.ietf.org/html/draft-gregorio-uritemplate-03

It seems to have some traction.

Comment by bslatkin, Jun 01, 2009

How is this different than EAUT? http://eaut.org/

Comment by gerwitz, Aug 14, 2009

I'd like to suggest the Link-Patterns include a provision for one-way address obfuscation, as some hosts may not be comfortable exposing "raw" email addresses. E.g. I might want to set up a domain to point to example.org, but don't want example.org to learn of valid addresses unless it's previously been informed.

My preference would be FOAF-style hashes of a mailto URI.

Comment by acrandal, Aug 14, 2009

So the primary goal is an XRD recovery service?

What would the benefits of XRD be over vcards? A public vcard service would be more directly analogous to classic finger, so what are the design goals that XRD would deliver?

Comment by ptarjan, Aug 15, 2009

Great idea.

As most of you guys are very familiar with OpenID, I'm sure you've already thought of this. But I'll bring it up anyway:

How about using YADIS for discovery on the root url for example.com? Big sites will understand the Accept header and small sites can just add the meta element.

Comment by csytan, Aug 15, 2009

I like this idea, but why not use JSON instead of XML for the XRD file?

Comment by egcrosser, Aug 15, 2009

I feel that it would be a Right Thing if the Link-Pattern allowed substitution of the email's local part and domain part as separate elements. That would allow most common transformations to be done without the need to run any application on the server. For example:

Email: jsmith@example.com

Link-Pattern: http://{%local}.example.com/profile.xrd
Result: http://jsmith.example.com/profile.xrd

Link-Pattern: http://profiles.example.com/{%local}
Result: http://profiles.example.com/jsmith

Link-Pattern: http://www.{%domain}/~{%local}/
Result: http://www.example.com/~jsmith/

Also: encoding rules for the local part of the address need to be defined, as the local part is allowed to contain characters that are treated as special in the URLs.

Eugene

Comment by PaulHammant, Aug 15, 2009

fred@example.com being webfingerable to http://example.com/@fred would have been much easier for machines and humans.

The 'pattern matching' could have been implemented with HTTP-301 (Moved Permanently)

Comment by hasseily, Aug 15, 2009

So you're basically trying to complicate things by doing id (email address) -> dns -> xrd -> contact data instead of doing .tel domain dns -> contact data?

Also the id will change when the user's email changes, so the user will have to find an email provider that also provides the whole webfinger protocol.

Comment by hasseily, Aug 15, 2009

Following up on my earlier comment, whatever TLD you choose, just use NAPTRs! In a .tel domain, you could write something like: "E2U+x-xrd:http+x-lbl:my-personal-zrd" "!^.$!http://somedomain.com/myxrdfile.xml!"

Comment by e...@mogensoft.net, Aug 15, 2009

WRT Getting host-meta, couldn't it be linked from the root resource?

HEAD / HTTP/1.1
Host: example.org

200 OK
Link: <lesser-known/host-meta>; rel=host-meta

Comment by zeckalpha, Aug 15, 2009

Vcard.

Comment by reed.underwood, Aug 16, 2009

vCard + necessary extensions and /@local-name uri:

http://whereismybon.net/@reed

Comment by vingoe, Aug 16, 2009

There is a lot of stuff in enterprise around web service discovery, UDDI etc.

I was just thinking there may be some methods of doing stuff that could be useful in there.

Comment by ha...@interia.pl, Aug 17, 2009

I feel that the "well known location" of the XRD file should be just hard-wired to <http://example.com/~joe>. This is the default location of a user directory, which would allow most users to join WebFinger without special configuration from web-services providers.

If we should use some sort of </.well-known/host-meta> or even <http://example.com/@joe>, we would have to wait for all the website administrators to reconfigure their servers.

Of course, lazy users will not publish proper finger data on their websites. The administrator could then perform an XSLT transformation on the root index file of a user, adding the necessary <link rel='webfinger-query'/> tag.

Comment by earle@downlode.org, Aug 19, 2009

Making sweeping statements about "the default location of a user directory" in this day and age seems unwise. Just a thought.

Comment by ajb732, Nov 30, 2009

Have you looked at Fingerpoint?

http://buzzword.org.uk/2009/fingerpoint/spec

It seems like this is much more in-line with current web architecture than the web finger protocol proposed here.

More commentary here:

http://blogs.sun.com/bblfish/entry/web_finger_proposals_overview


Hosted by Google Code