Fallback flow for /site-meta for top level domains

> (sorry for potential duplicates, I'm having problems posting to the  
> list)
>
> This issue was brought up by Google.
>
> There are many cases where the HTTP server for example.com resides  
> at www.example.com. Should /site-meta specify that if a top level  
> domain returns a 404 for a GET /site-meta, the user-agent must try  
> the same request for www.*?
>
> EHL
>

>
> Dirk.
>
> On Nov 30, 2008 6:56 PM, "Mark Nottingham" <mnot@...> wrote:
>
>
> Absolutely not. the spec is already stomping on an authority's control over
> its namespace quite enough, and it's easy for people to work around this if
> their intent is for the two to be the same.
>
> On 30/11/2008, at 8:55 AM, Eran Hammer-Lahav wrote: > (sorry for potential
> duplicates, I'm havin...
>
> --
> Mark Nottingham     http://www.mnot.net/
>
>
>

>
> Well, here is the scenario: I buy foobar.com for $3/year at  
> cheapdomains.com. I pay an extra dollar to have "email", which means  
> I tell them where I want my email forwarded. I pick dirk@...  
> to be forwarded to dirk@.... I pay another extra dollar per  
> year for "web hosting", which means I get a web interface on  
> cheapdomains.com to create some web pages, which get served on www.foobar.com
> . I set up a couple of pages there with pictures of my cats or  
> whatever and I am done.
>
> I now also want to use my email address dirk@... as my OpenID  
> identifier [1] because I heard that that will end my having to  
> create ever-more accounts on the web. I am told that in order to get  
> that to work I need to host a page called "site-meta" on my site  
> with some weird-looking text in it that I don't understand. But,  
> hey, I know how to get that served off www.foobar.com so that's cool.
>
> I have never heard of DNS.
>
> Is that a use case we want to support?
>
> Dirk.
>
> [1] Let's assume that OpenID 3.0 and XRD 2.0 allow that and define  
> some way to discover OpenID endpoints from email addresses.

>
>
> On 02/12/2008, at 1:25 PM, Dirk Balfanz wrote:
>>
>> Well, here is the scenario: I buy foobar.com for $3/year at
>> cheapdomains.com. I pay an extra dollar to have "email", which means I tell
>> them where I want my email forwarded. I pick dirk@... to be forwarded
>> to dirk@.... I pay another extra dollar per year for "web hosting",
>> which means I get a web interface on cheapdomains.com to create some web
>> pages, which get served on www.foobar.com. I set up a couple of pages there
>> with pictures of my cats or whatever and I am done.
>>
>> I now also want to use my email address dirk@... as my OpenID
>> identifier [1] because I heard that that will end my having to create
>> ever-more accounts on the web. I am told that in order to get that to work I
>> need to host a page called "site-meta" on my site with some weird-looking
>> text in it that I don't understand. But, hey, I know how to get that served
>> off www.foobar.com so that's cool.
>>
>> I have never heard of DNS.
>>
>> Is that a use case we want to support?
>>
>> Dirk.
>>
>> [1] Let's assume that OpenID 3.0 and XRD 2.0 allow that and define some
>> way to discover OpenID endpoints from email addresses.
>
> /site-meta on http://foobar.com/ doesn't (and can't, on its own) make any
> authoritative assertions about mailto:dirk@...; even though the
> authority is the same, the URI scheme is different.

> On Tue, Dec 2, 2008 at 4:24 PM, Mark Nottingham <mnot@...> wrote:
>>
>>
>> On 02/12/2008, at 1:25 PM, Dirk Balfanz wrote:
>>>
>>> Well, here is the scenario: I buy foobar.com for $3/year at
>>> cheapdomains.com. I pay an extra dollar to have "email", which  
>>> means I tell
>>> them where I want my email forwarded. I pick dirk@... to be  
>>> forwarded
>>> to dirk@.... I pay another extra dollar per year for "web  
>>> hosting",
>>> which means I get a web interface on cheapdomains.com to create  
>>> some web
>>> pages, which get served on www.foobar.com. I set up a couple of  
>>> pages there
>>> with pictures of my cats or whatever and I am done.
>>>
>>> I now also want to use my email address dirk@... as my OpenID
>>> identifier [1] because I heard that that will end my having to  
>>> create
>>> ever-more accounts on the web. I am told that in order to get that  
>>> to work I
>>> need to host a page called "site-meta" on my site with some weird-
>>> looking
>>> text in it that I don't understand. But, hey, I know how to get  
>>> that served
>>> off www.foobar.com so that's cool.
>>>
>>> I have never heard of DNS.
>>>
>>> Is that a use case we want to support?
>>>
>>> Dirk.
>>>
>>> [1] Let's assume that OpenID 3.0 and XRD 2.0 allow that and define  
>>> some
>>> way to discover OpenID endpoints from email addresses.
>>
>> /site-meta on http://foobar.com/ doesn't (and can't, on its own)  
>> make any
>> authoritative assertions about mailto:dirk@...; even though  
>> the
>> authority is the same, the URI scheme is different.
>
> The email address is a distraction here. The core issue is  
> independent of that.
>
> vanity-example.com (hosted only at www.vanity-example.com) is a small
> site and wants to enable all their user URLs
> www.vanity-example.com/bob, www.vanity-example.com/alice to be useful
> as discovery endpoints for user services. Thankfully some other site,
> more professionally managed, is willing to provide discovery services,
> aggregation, etc., on behalf of the users of these vanity domains.

>
> On 03/12/2008, at 1:35 PM, Breno de Medeiros wrote:
>
>> On Tue, Dec 2, 2008 at 4:24 PM, Mark Nottingham <mnot@...> wrote:
>>>
>>>
>>> On 02/12/2008, at 1:25 PM, Dirk Balfanz wrote:
>>>>
>>>> Well, here is the scenario: I buy foobar.com for $3/year at
>>>> cheapdomains.com. I pay an extra dollar to have "email", which means I
>>>> tell
>>>> them where I want my email forwarded. I pick dirk@... to be
>>>> forwarded
>>>> to dirk@.... I pay another extra dollar per year for "web
>>>> hosting",
>>>> which means I get a web interface on cheapdomains.com to create some web
>>>> pages, which get served on www.foobar.com. I set up a couple of pages
>>>> there
>>>> with pictures of my cats or whatever and I am done.
>>>>
>>>> I now also want to use my email address dirk@... as my OpenID
>>>> identifier [1] because I heard that that will end my having to create
>>>> ever-more accounts on the web. I am told that in order to get that to
>>>> work I
>>>> need to host a page called "site-meta" on my site with some
>>>> weird-looking
>>>> text in it that I don't understand. But, hey, I know how to get that
>>>> served
>>>> off www.foobar.com so that's cool.
>>>>
>>>> I have never heard of DNS.
>>>>
>>>> Is that a use case we want to support?
>>>>
>>>> Dirk.
>>>>
>>>> [1] Let's assume that OpenID 3.0 and XRD 2.0 allow that and define some
>>>> way to discover OpenID endpoints from email addresses.
>>>
>>> /site-meta on http://foobar.com/ doesn't (and can't, on its own) make any
>>> authoritative assertions about mailto:dirk@...; even though the
>>> authority is the same, the URI scheme is different.
>>
>> The email address is a distraction here. The core issue is independent of
>> that.
>>
>> vanity-example.com (hosted only at www.vanity-example.com) is a small
>> site and wants to enable all their user URLs
>> www.vanity-example.com/bob, www.vanity-example.com/alice to be useful
>> as discovery endpoints for user services. Thankfully some other site,
>> more professionally managed, is willing to provide discovery services,
>> aggregation, etc., on behalf of the users of these vanity domains.
>
> You just lost me. Why is it important to have site metadata for a site that
> doesn't exist, if the e-mail issue is a distraction?
>
> --
> Mark Nottingham     http://www.mnot.net/
>
>

> The 'naked domain' version of the site may not be DNS-resolvable,
> while the www. prepended version of the domain may be. In addition,
> the fact that a resource URL does not exist (in the sense that it
> might return a 404) does not mean that it cannot have meaningful
> associated meta-data.
>
>
> On Tue, Dec 2, 2008 at 6:40 PM, Mark Nottingham <mnot@...> wrote:
>>
>> On 03/12/2008, at 1:35 PM, Breno de Medeiros wrote:
>>
>>> On Tue, Dec 2, 2008 at 4:24 PM, Mark Nottingham <mnot@...> wrote:
>>>>
>>>>
>>>> On 02/12/2008, at 1:25 PM, Dirk Balfanz wrote:
>>>>>
>>>>> Well, here is the scenario: I buy foobar.com for $3/year at
>>>>> cheapdomains.com. I pay an extra dollar to have "email", which means I
>>>>> tell
>>>>> them where I want my email forwarded. I pick dirk@... to be
>>>>> forwarded
>>>>> to dirk@.... I pay another extra dollar per year for "web
>>>>> hosting",
>>>>> which means I get a web interface on cheapdomains.com to create some web
>>>>> pages, which get served on www.foobar.com. I set up a couple of pages
>>>>> there
>>>>> with pictures of my cats or whatever and I am done.
>>>>>
>>>>> I now also want to use my email address dirk@... as my OpenID
>>>>> identifier [1] because I heard that that will end my having to create
>>>>> ever-more accounts on the web. I am told that in order to get that to
>>>>> work I
>>>>> need to host a page called "site-meta" on my site with some
>>>>> weird-looking
>>>>> text in it that I don't understand. But, hey, I know how to get that
>>>>> served
>>>>> off www.foobar.com so that's cool.
>>>>>
>>>>> I have never heard of DNS.
>>>>>
>>>>> Is that a use case we want to support?
>>>>>
>>>>> Dirk.
>>>>>
>>>>> [1] Let's assume that OpenID 3.0 and XRD 2.0 allow that and define some
>>>>> way to discover OpenID endpoints from email addresses.
>>>>
>>>> /site-meta on http://foobar.com/ doesn't (and can't, on its own) make any
>>>> authoritative assertions about mailto:dirk@...; even though the
>>>> authority is the same, the URI scheme is different.
>>>
>>> The email address is a distraction here. The core issue is independent of
>>> that.
>>>
>>> vanity-example.com (hosted only at www.vanity-example.com) is a small
>>> site and wants to enable all their user URLs
>>> www.vanity-example.com/bob, www.vanity-example.com/alice to be useful
>>> as discovery endpoints for user services. Thankfully some other site,
>>> more professionally managed, is willing to provide discovery services,
>>> aggregation, etc., on behalf of the users of these vanity domains.
>>
>> You just lost me. Why is it important to have site metadata for a site that
>> doesn't exist, if the e-mail issue is a distraction?
>>
>> --
>> Mark Nottingham     http://www.mnot.net/
>>
>>
>
>
>
> --
> --Breno
>
> +1 (650) 214-1007 desk
> +1 (408) 212-0135 (Grand Central)
> MTV-41-3 : 383-A
> PST (GMT-8) / PDT(GMT-7)
>

> Ah, I see where your confusion is coming from. The average user does
> not know that www.vanity-domain.com/bob is a different URL from
> vanity-domain.com/bob (or alternatively, that www.vanity-domain.com is
> a different location than vanity-domain.com). We can thank all the
> major browsers for that.
>
> On Tue, Dec 2, 2008 at 7:45 PM, Breno de Medeiros <breno@...>  
> wrote:
>> The 'naked domain' version of the site may not be DNS-resolvable,
>> while the www. prepended version of the domain may be. In addition,
>> the fact that a resource URL does not exist (in the sense that it
>> might return a 404) does not mean that it cannot have meaningful
>> associated meta-data.
>>
>>
>> On Tue, Dec 2, 2008 at 6:40 PM, Mark Nottingham <mnot@...>  
>> wrote:
>>>
>>> On 03/12/2008, at 1:35 PM, Breno de Medeiros wrote:
>>>
>>>> On Tue, Dec 2, 2008 at 4:24 PM, Mark Nottingham <mnot@...>  
>>>> wrote:
>>>>>
>>>>>
>>>>> On 02/12/2008, at 1:25 PM, Dirk Balfanz wrote:
>>>>>>
>>>>>> Well, here is the scenario: I buy foobar.com for $3/year at
>>>>>> cheapdomains.com. I pay an extra dollar to have "email", which  
>>>>>> means I
>>>>>> tell
>>>>>> them where I want my email forwarded. I pick dirk@... to  
>>>>>> be
>>>>>> forwarded
>>>>>> to dirk@.... I pay another extra dollar per year for "web
>>>>>> hosting",
>>>>>> which means I get a web interface on cheapdomains.com to create  
>>>>>> some web
>>>>>> pages, which get served on www.foobar.com. I set up a couple of  
>>>>>> pages
>>>>>> there
>>>>>> with pictures of my cats or whatever and I am done.
>>>>>>
>>>>>> I now also want to use my email address dirk@... as my  
>>>>>> OpenID
>>>>>> identifier [1] because I heard that that will end my having to  
>>>>>> create
>>>>>> ever-more accounts on the web. I am told that in order to get  
>>>>>> that to
>>>>>> work I
>>>>>> need to host a page called "site-meta" on my site with some
>>>>>> weird-looking
>>>>>> text in it that I don't understand. But, hey, I know how to get  
>>>>>> that
>>>>>> served
>>>>>> off www.foobar.com so that's cool.
>>>>>>
>>>>>> I have never heard of DNS.
>>>>>>
>>>>>> Is that a use case we want to support?
>>>>>>
>>>>>> Dirk.
>>>>>>
>>>>>> [1] Let's assume that OpenID 3.0 and XRD 2.0 allow that and  
>>>>>> define some
>>>>>> way to discover OpenID endpoints from email addresses.
>>>>>
>>>>> /site-meta on http://foobar.com/ doesn't (and can't, on its own)  
>>>>> make any
>>>>> authoritative assertions about mailto:dirk@...; even  
>>>>> though the
>>>>> authority is the same, the URI scheme is different.
>>>>
>>>> The email address is a distraction here. The core issue is  
>>>> independent of
>>>> that.
>>>>
>>>> vanity-example.com (hosted only at www.vanity-example.com) is a  
>>>> small
>>>> site and wants to enable all their user URLs
>>>> www.vanity-example.com/bob, www.vanity-example.com/alice to be  
>>>> useful
>>>> as discovery endpoints for user services. Thankfully some other  
>>>> site,
>>>> more professionally managed, is willing to provide discovery  
>>>> services,
>>>> aggregation, etc., on behalf of the users of these vanity domains.
>>>
>>> You just lost me. Why is it important to have site metadata for a  
>>> site that
>>> doesn't exist, if the e-mail issue is a distraction?
>>>
>>> --
>>> Mark Nottingham     http://www.mnot.net/
>>>
>>>
>>
>>
>>
>> --
>> --Breno
>>
>> +1 (650) 214-1007 desk
>> +1 (408) 212-0135 (Grand Central)
>> MTV-41-3 : 383-A
>> PST (GMT-8) / PDT(GMT-7)
>>
>
>
>
> --
> --Breno
>
> +1 (650) 214-1007 desk
> +1 (408) 212-0135 (Grand Central)
> MTV-41-3 : 383-A
> PST (GMT-8) / PDT(GMT-7)

>> On 02/12/2008, at 4:24 PM, Mark Nottingham wrote:
>>
>> /site-meta on http://foobar.com/ doesn't (and can't, on its own) make
>> any authoritative assertions about mailto:dirk@...; even  
>> though
>> the authority is the same, the URI scheme is different.
>>
>> I know this particular issue is an important one to the OpenID folks,
>> but there needs to be a very careful and broad discussion of allowing
>> policy and metadata from HTTP to be considered *automatically*
>> authoritative for other protocols.
>
> I do not considered /site-meta to be about HTTP resources. It is  
> metadata about the domain authority and uses HTTP as the protocol to  
> deliver that document. It can equally link to HTTP URIs as to other  
> URIs (i.e. point to its robots.txt available at an ftp:// URI). I  
> think it is safe to assume that whoever controls the domain controls  
> any URI scheme within that domain. Companies can split control  
> between departments but you go high enough there is one entity which  
> owns everything under that authority.
>
> HTTP clearly allows: 'GET mailto:eran@...', but what is  
> actually served is up to the server. In theory, that can serve a 303  
> with Link header to the XRD describing the identifier. The problem,  
> of course, is that most web servers will fail on such request, or at  
> least most platforms will not allow the developer easy access to  
> control the response to such requests. But the point is, the HTTP  
> protocol is nowhere restricted to provide information about HTTP  
> URIs alone. The fact that user-agents will use HTTP when the URI  
> scheme is HTTP and use FTP when the URI scheme is FTP is more of a  
> practical convention than a strict requirement.
>
> The issue of what constitute authoritative metadata with regard to  
> the domain authority is not something we can resolve beyond the  
> reasonable expectation that the entity that control the domain has  
> sufficient authority. Can the profile.yahoo.com admin be considered  
> the authority for my profile page? In the context of discovery, I  
> believe the answer is yes. Philosophically, I can argue that only  
> the profile owner has the authority to control that page, but such  
> control in today's infrastructure, is eventually enforced by the  
> domain admin anyway.
>
> EHL

> and I'm sure quite a
> few more. This is the de facto standard for what a "Web site" is, and while
> there are many other colloquial meanings of that phrase, this is current
> technical practice.
>
> Trying to establish a standard for site-wide metadata that doesn't follow
> this practice is IMO doomed to sow yet more confusion about an already
> muddled area, and potentially open up security as well as usability and
> technical problems.
>
> That said, there's nothing to stop a particular application -- e.g., OpenID
> -- saying that for a particular purpose, site-meta should be checked on a
> HTTP URL even though the URL presented is mailto: (for example), or even
> that www.example.com should be tried if example.com isn't available
> (although I still don't think it's necessary).
>
> What I'm not willing to do is enshrine these things in standards that are
> supposed to help extend the Web architecture, not dilute it. The fact that a
> few $2 Web hosts don't provide adequate control to their customers in 2008
> should not affect something so fundamental as the definition of what a Web
> site is for the next 30 years (if this succeeds, of course).
>
> Cheers,
>
>
> On 03/12/2008, at 6:32 PM, Eran Hammer-Lahav wrote:
>
>>> On 02/12/2008, at 4:24 PM, Mark Nottingham wrote:
>>>
>>> /site-meta on http://foobar.com/ doesn't (and can't, on its own) make
>>> any authoritative assertions about mailto:dirk@...; even though
>>> the authority is the same, the URI scheme is different.
>>>
>>> I know this particular issue is an important one to the OpenID folks,
>>> but there needs to be a very careful and broad discussion of allowing
>>> policy and metadata from HTTP to be considered *automatically*
>>> authoritative for other protocols.
>>
>> I do not considered /site-meta to be about HTTP resources. It is metadata
>> about the domain authority and uses HTTP as the protocol to deliver that
>> document. It can equally link to HTTP URIs as to other URIs (i.e. point to
>> its robots.txt available at an ftp:// URI). I think it is safe to assume
>> that whoever controls the domain controls any URI scheme within that domain.
>> Companies can split control between departments but you go high enough there
>> is one entity which owns everything under that authority.
>>
>> HTTP clearly allows: 'GET mailto:eran@...', but what is actually
>> served is up to the server. In theory, that can serve a 303 with Link header
>> to the XRD describing the identifier. The problem, of course, is that most
>> web servers will fail on such request, or at least most platforms will not
>> allow the developer easy access to control the response to such requests.
>> But the point is, the HTTP protocol is nowhere restricted to provide
>> information about HTTP URIs alone. The fact that user-agents will use HTTP
>> when the URI scheme is HTTP and use FTP when the URI scheme is FTP is more
>> of a practical convention than a strict requirement.
>>
>> The issue of what constitute authoritative metadata with regard to the
>> domain authority is not something we can resolve beyond the reasonable
>> expectation that the entity that control the domain has sufficient
>> authority. Can the profile.yahoo.com admin be considered the authority for
>> my profile page? In the context of discovery, I believe the answer is yes.
>> Philosophically, I can argue that only the profile owner has the authority
>> to control that page, but such control in today's infrastructure, is
>> eventually enforced by the domain admin anyway.
>>
>> EHL
>
>
> --
> Mark Nottingham     http://www.mnot.net/
>
>
>

> On Wed, Dec 3, 2008 at 10:38 AM, Mark Nottingham <mnot@...>  
> wrote:
>>
>> Considering that one of your core use cases for this is security-
>> related,
>> I'm surprised that you're effectively arguing that HTTP and HTTPS  
>> URLs with
>> the same authority be collapsed into one name space.
>>
>> Many standards and common practices currently sandbox policy and  
>> metadata to
>> a single URL scheme + authority by default, including robots.txt,  
>> p3p.xml,
>> cookie scoping,
>
> Surely cookies are scoped to HTTP and HTTPS by default.

>
> On Wed, Dec 3, 2008 at 12:58 PM, Mark Nottingham <mnot@...> wrote:
>> On 03/12/2008, at 11:32 PM, Ben Laurie wrote:
>>> There are standards for XSS???
>>
>> There's a de facto standard in the browsers (same origin), and these folks
>> are working towards something more formal, maybe;
>>  http://www.w3.org/2006/WSC/
>
> Same origin policy isn't really all that much to do with cross-site
> scripting, surely?
>
>

> There is a bit too much emphasis put on the word 'authoritative' here.
> There is so much that can be considered authoritative about an
> unsigned document, even if served through HTTPS. Serving a document
> over HTTPS just requires defacing a web site, something not that hard
> to do considering the great variety of vulnerable server software out
> there.
>
> When we start talking about signing such documents, and where the
> trust is coming from, then maybe the word authoritative will take a
> real-world significance.
> However, from what I have been hearing, the current proposal does not
> plan for signing of site-meta,

> -----Original Message-----
>> From: Breno de Medeiros [mailto:breno@...]
>> Sent: Wednesday, December 03, 2008 9:33 AM
>>
>> However, from what I have been hearing, the current proposal does not
>> plan for signing of site-meta, and the links pointed to by it will
>> have to carry implicit trust (maybe they will be signed documents, or
>> maybe they are just informative).
>
> /site-meta will certainly support signatures, the open question is where to specify that mechanism. I think this will get resolved in the larger context of what building blocks we end up using
> for the end-to-end discovery protocol. We are arguing about what functionality belongs in which spec, not if the functionality itself is needed.