How to get the webfinger acct uri from a salmon slap sent by status.net ?


Laurent Eschenauer

Feb 23, 2011, 4:55:39 AM
to ostatus...@googlegroups.com
Hi all,
I'm trying to implement salmon and test interop with status.net but have an issue with the salmon flow when trying to verify signatures: how do I know who sent the slap? And when I say who, I mean: what is the webfinger acct uri of the sender? Similar issue when looking up the webfinger uri of the person mentioned in the activity.

In the payload, here is what I get for the author of the note (i have removed some links/poco stuff for brevity).

<author>
  <activity:object-type>http://activitystrea.ms/schema/1.0/person</activity:object-type>
  <uri>http://identi.ca/user/385216</uri>
  <name>shoutr</name>
  <link rel="alternate" type="text/html" href="http://identi.ca/shoutr"/>
  <poco:preferredUsername>shoutr</poco:preferredUsername>
  <poco:displayName>Shoutr</poco:displayName>
</author>

There is no mention of the original webfinger acct uri of the sender. Thus, how can I find out the public key of the sender? Am I missing something?

Two ideas to simplify things:
- Add a link with: <link rel='webfinger' and href='acct:lau...@eschenauer.be'/>
- Add a http header with something like: "From: acct:user@domain". 

Similarly, in the activity itself, the 'mentioned' link only has a href to the user profile, no references to the webfinger acct uri. A simple solution may be to add a ref attribute with the acct uri when available. 

Example: <link rel="mentioned" href="http://eschenauer.be/users/laurent"/> 
becomes: <link rel="mentioned" href="http://eschenauer.be/users/laurent" ref="acct:lau...@eschenauer.be"/>

However I'm not sure that ref is authorized in an atom link.  What do you think ? Other ideas ?

Thanks,

Laurent

Tuomas Koski

Feb 23, 2011, 5:20:58 AM
to ostatus...@googlegroups.com, Laurent Eschenauer
Hi Laurent,

On 23 February 2011 10:55, Laurent Eschenauer <lau...@eschenauer.be> wrote:
> Hi all,
> I'm trying to implement salmon and test interop with status.net but have an
> issue with the salmon flow when trying to verify signatures: how do I know
> who sent the slap ? And when I say who,  I mean: what is the webfinger acct
> uri of the sender ? Similar issue when looking up the webfinger uri of the
> person mentioned in the activity.
>
> In the payload, here is what I get for the author of the note (i have
> removed some links/poco stuff for brevity).
>
> <author>
>   <activity:object-type>http://activitystrea.ms/schema/1.0/person</activity:object-type>
>   <uri>http://identi.ca/user/385216</uri>
>   <name>shoutr</name>
>   <link rel="alternate" type="text/html" href="http://identi.ca/shoutr"/>
>   <poco:preferredUsername>shoutr</poco:preferredUsername>
>   <poco:displayName>Shoutr</poco:displayName>
> </author>

I have to admit that it's some time since I worked on this the last
time. (So if I'm wrong and missing the latest specs, please slap me),
but the uri element of the author is the one you can use.

For example for the user http://identi.ca/user/385216 you can ask for
the LRDD from http://identi.ca/.well-known/host-meta

With the lrdd template given by the host-meta you can build the
webfinger query.

For example for Identi.ca the template is
"http://identi.ca/main/xrd?uri={uri}". Using the template the end
result would be the webfinger URL:
http://identi.ca/main/xrd?uri=http%3A%2F%2Fidenti.ca%2Fuser%2F385216

You can test with this too:
http://www.madebymonsieur.com/ostatus_discovery (amazingly it seems to
still work :D)

I could probably change it to be open source code and provide a web
service too that would return JSON for example. Would there be any
interest in that?


On 23 February 2011 10:55, Laurent Eschenauer <lau...@eschenauer.be> wrote:
> There is no mention of the original webfinger acct uri of the sender. Thus,
> how can I find out the public key from the sender ?.  Do I miss something ?
> Two ideas to simplify things:
> - Add a link with: <link rel='webfinger' and
> href='acct:lau...@eschenauer.be'/>
> - Add a http header with something like: "From: acct:user@domain".
> (See Blaine's proposal on privacy
> here: http://www.iab.org/about/workshops/privacy/papers/blaine_cook.pdf)
> Similarly, in the activity itself, the 'mentioned' link only has a href to
> the user profile, no references to the webfinger acct uri. A simple solution
> may be to add a ref attribute with the acct uri when available.
> Example: <link rel="mentioned" href="http://eschenauer.be/users/laurent"/>
> becomes: <link rel="mentioned" href="http://eschenauer.be/users/laurent"
> ref="acct:lau...@eschenauer.be"/>
> However I'm not sure that ref is authorized in an atom link.  What do you
> think ? Other ideas ?

I believe you are right and there is most likely a way to optimise the
work-flow. But what is the correct way, I don't know.


Cheers,
--
tuomas

Laurent Eschenauer

Feb 24, 2011, 3:33:40 PM
to Tuomas Koski, ostatus...@googlegroups.com
Hello Tuomas!

> I'm trying to implement salmon and test interop with status.net but have an
> issue with the salmon flow when trying to verify signatures: how do I know
> who sent the slap ? And when I say who,  I mean: what is the webfinger acct
> uri of the sender ? 
>

> I have to admit that it's some time since I worked on this the last
> time. (So if I'm wrong and missing the latest specs, please slap me),
> but the uri element of the author is the one you can use.
>
> For example for the user http://identi.ca/user/385216 you can ask for
> the LRDD from http://identi.ca/.well-known/host-meta
>
> With the lrdd template given by the host-meta you can build the
> webfinger query.

Thanks for figuring this out and sharing. I'll give it a try.

However, with this flow, I'll authenticate the salmon slap as coming from "http://identi.ca/user/385216", but that identifier will be unknown to me as a user. I only know the sender as 'sho...@identi.ca'. The LRDD may link back to the webfinger URI, but how am I supposed to trust that association? The flow is rather complex:

Example:

My identity is lau...@eschenauer.be
My LRDD delegates my profile to http://social.web/user/laurent

When I get a salmon slap, if it is signed by "http://social.web/user/laurent", I need to :

- execute discover on "http://social.web/user/laurent"
- the LRDD should have an alias to "lau...@eschenauer.be" (but I can't trust this immediately so...)
- I then need to do discovery on "lau...@eschenauer.be"
- If that contains an alias to "http://social.web/user/laurent" then I can successfully authenticate the message.

Can anyone from status.net comment on this ? Why did you prefer using the links and not the webfinger uris ? Don't you see this as a problem ?

For what it's worth, in the salmon spec, all examples are based on using the acct uri for the sender identity.

Cheers,

Laurent
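The discovery steps Tuomas describes (host-meta template, percent-encoded identifier, XRD lookup) and the two-way alias check Laurent sketches above, put together as an added example; this is not status.net code or any Salmon library. The host-meta and XRD documents are constructed stand-ins for what the sender's server would return, social.example, alice, the user number and the key value are placeholders, and the magic-public-key link shape is assumed from the Magic Signatures draft rather than taken from this thread.

```python
"""Sender discovery for a Salmon slap: host-meta template -> LRDD query -> XRD -> acct: alias.

Added example, not status.net code or any Salmon library. The host-meta and XRD
documents are constructed stand-ins for what the sender's server would return;
social.example, alice, the user number and the key value are placeholders.
"""
import urllib.parse
import xml.etree.ElementTree as ET

XRD_NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"

# Constructed host-meta, in the shape Tuomas quotes for identi.ca.
HOST_META = """<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Link rel="lrdd" type="application/xrd+xml"
        template="http://social.example/main/xrd?uri={uri}"/>
</XRD>"""

# Constructed XRDs, keyed by the URI each one describes (what the LRDD endpoint would return).
XRD_DOCS = {
    "http://social.example/user/12345": """<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>http://social.example/user/12345</Subject>
  <Alias>acct:alice@social.example</Alias>
  <Alias>http://social.example/alice</Alias>
  <Link rel="magic-public-key" href="data:application/magic-public-key,RSA.PLACEHOLDER_MODULUS.AQAB"/>
</XRD>""",
    "acct:alice@social.example": """<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>acct:alice@social.example</Subject>
  <Alias>http://social.example/user/12345</Alias>
  <Link rel="magic-public-key" href="data:application/magic-public-key,RSA.PLACEHOLDER_MODULUS.AQAB"/>
</XRD>""",
}


def lrdd_template(host_meta_xml):
    """Return the LRDD URI template advertised by a host-meta document, or None."""
    for link in ET.fromstring(host_meta_xml).findall(XRD_NS + "Link"):
        if link.get("rel") == "lrdd" and link.get("template"):
            return link.get("template")
    return None


def discovery_url(uri, host_meta_xml=HOST_META):
    """Expand the {uri} placeholder with the percent-encoded identifier."""
    template = lrdd_template(host_meta_xml)
    if template is None:
        raise ValueError("host-meta carries no lrdd template")
    return template.replace("{uri}", urllib.parse.quote(uri, safe=""))


def parse_xrd(xrd_xml):
    """Pull the Subject, Alias and Link elements out of an XRD document."""
    root = ET.fromstring(xrd_xml)
    return {
        "subject": root.findtext(XRD_NS + "Subject"),
        "aliases": [a.text for a in root.findall(XRD_NS + "Alias") if a.text],
        "links": [dict(link.attrib) for link in root.findall(XRD_NS + "Link")],
    }


def fetch_xrd(uri, docs=XRD_DOCS):
    """Stand-in for an HTTP GET of discovery_url(uri); returns the parsed XRD or None.

    A document whose Subject is not the URI we asked about is discarded: the
    server answered for someone else, and nothing in it should be trusted.
    """
    xml = docs.get(uri)
    if xml is None:
        return None
    xrd = parse_xrd(xml)
    return xrd if xrd["subject"] == uri else None


def magic_public_key(xrd):
    """The key the XRD advertises for verifying the Salmon magic signature."""
    for link in xrd["links"]:
        if link.get("rel") == "magic-public-key":
            return link.get("href")
    return None


def verified_acct(signer_uri, docs=XRD_DOCS):
    """Two-way check: the signer's XRD names an acct: alias, and that acct:'s
    own XRD names the signer back. Only then is the pairing trusted."""
    signer_xrd = fetch_xrd(signer_uri, docs)
    if signer_xrd is None:
        return None
    for alias in signer_xrd["aliases"]:
        if not alias.startswith("acct:"):
            continue
        acct_xrd = fetch_xrd(alias, docs)
        if acct_xrd is not None and signer_uri in acct_xrd["aliases"]:
            return alias
    return None
```

With a real server, fetch_xrd would GET the URL that discovery_url builds; the Subject check and the link-back requirement are what stop a server that answers for an identifier it does not control from being accepted as that identifier's key source.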

Andrea Messina

Feb 24, 2011, 5:09:27 PM
to ostatus...@googlegroups.com
> However, with this flow, I'll authenticate the salmon slap as coming from "http://identi.ca/user/385216", but that identifier will be unknown to me as a user.
> I only know the sender as 'sho...@identi.ca'

Why do you say that you only know the sender "sho...@identi.ca"? If you don't have any kind of relationship (follower, following) with sho...@identi.ca and you receive a salmon mention by that user, you will only know the identifier http://identi.ca/user/385216. So, you should perform the LRDD discovery process to obtain a magic-key, which would be used to verify the received Salmon. I remark here the fact that WebFinger is merely a proper subset of LRDD (for example the HTTP header and the HTML discovery aren't applicable to a URI of type ACCT:NAME@DOMAIN). The presence of a Webfinger identifier isn't compulsory for the operation of OStatus/Salmon in general, it is only more intuitive.

Dealing with Status.Net accounts, for example, they bring the same XRD document, both if you use the WebFinger identifier and the URI/HTTP identifier.
If you look at the Atom profile feed, you will notice that the atom:author element incorporates the URI element http://identi.ca/user/385216.

So, if you decide to follow this user, you will search for sho...@identi.ca(you probably will enter this kind of identifier in your form) and you will receive his atom feed when you will look for other important information about the user, like the salmon endpoint, the hub url and the URI(http://identi.ca/user/385216) !!! This is the real user identifier, that you should store in your DB and this is the URI which would be used by sho...@identi.ca to send you the salmon messages!!

On the other hand, if sho...@identi.ca will start following your profile, you will receive a particular Salmon message (FOLLOW type) which will contain the same URI(http://identi.ca/user/385216) identifier. In this situation, you could infer the Webfinger Alias of http://identi.ca/user/385216, performing a LRDD discovery on it. This is the actual situation!

>Why did you prefer using the links and not the webfinger uris ?
I don't know, perhaps because they refer to an accessible resource (the html profile page) and they can be naturally used by a browser, whilst a URI of type "ACCT:" would not be recognized as well.
ACCT are for humans, HTTP are for machines... :-)

Cheers

--
Politecnico di Torino
Andrea Messina

Daniel Chapman

Feb 24, 2011, 10:00:40 PM
to ostatus...@googlegroups.com
You shouldn't need to do discovery every single time. That is what caches are for, and why XRD allows for an expires link:

http://docs.oasis-open.org/xri/xrd/v1.0/xrd-1.0.html#element.expires

As Andrea pointed out, if you have a mutual relationship with that person (following each other) then you should be able to trust the cached copy of the XRD, if you don't have a relationship (or previous contact), then you do the discovery, and cache the resulting XRD (or the values therein), rediscovering once the expires date has passed.

Even then, if the xrd is set up well you should be able to just ping it with the previous document id and get back a 304 not modified.
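The caching Daniel describes, as an added example that is not part of the original thread or of status.net: an XRD cache keyed by identifier that serves the cached document until its Expires element has passed, then rediscovers. The fetcher and the clock are injected so the scenario runs offline; the XRD text, social.example, alice and bob are constructed placeholders. One addition beyond the post: the lifetime is capped at a local maximum, since a document declaring a multi-year Expires would otherwise keep a rotated or revoked key in the cache indefinitely.

```python
"""XRD cache that re-runs discovery only after the document's <Expires> has passed.

Added example, not status.net code. The fetcher and the clock are injected so the
scenario runs offline; social.example, alice and bob are placeholders.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

XRD_NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"

# Constructed XRD carrying an Expires element (xs:dateTime, UTC).
XRD_TEMPLATE = """<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Expires>{expires}</Expires>
  <Subject>{subject}</Subject>
  <Link rel="magic-public-key" href="data:application/magic-public-key,RSA.PLACEHOLDER.AQAB"/>
</XRD>"""


def xrd_expires(xrd_xml):
    """Return the document's Expires as an aware datetime, or None if absent."""
    text = ET.fromstring(xrd_xml).findtext(XRD_NS + "Expires")
    if not text:
        return None
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


class XrdCache:
    """Caches XRDs per identifier and refetches once the entry has expired.

    The lifetime is the XRD's own Expires, capped at max_ttl: a document that
    claims to be valid for years would otherwise pin a stale key indefinitely.
    """

    def __init__(self, fetch, now, default_ttl=timedelta(hours=1), max_ttl=timedelta(days=7)):
        self._fetch = fetch          # callable: uri -> XRD text (an HTTP GET in real use)
        self._now = now              # callable: -> aware datetime
        self._default_ttl = default_ttl
        self._max_ttl = max_ttl
        self._entries = {}           # uri -> (xrd text, expires_at)
        self.fetches = 0             # discovery round trips actually made

    def get(self, uri):
        entry = self._entries.get(uri)
        if entry is not None and self._now() < entry[1]:
            return entry[0]
        xml = self._fetch(uri)
        self.fetches += 1
        fetched_at = self._now()
        declared = xrd_expires(xml) or fetched_at + self._default_ttl
        self._entries[uri] = (xml, min(declared, fetched_at + self._max_ttl))
        return xml


class FakeClock:
    """Controllable clock so the scenario does not depend on wall time."""

    def __init__(self, start):
        self.t = start

    def now(self):
        return self.t

    def advance(self, delta):
        self.t += delta


def demo():
    """Fetch count after each step of a constructed scenario starting 2011-02-24 22:00 UTC."""
    clock = FakeClock(datetime(2011, 2, 24, 22, 0, tzinfo=timezone.utc))
    docs = {
        "acct:alice@social.example": XRD_TEMPLATE.format(
            expires="2011-02-25T00:00:00Z", subject="acct:alice@social.example"),  # 2 h ahead
        "acct:bob@social.example": XRD_TEMPLATE.format(
            expires="2012-02-24T22:00:00Z", subject="acct:bob@social.example"),    # a year ahead
    }
    cache = XrdCache(fetch=docs.__getitem__, now=clock.now)
    counts = []

    def step(uri):
        cache.get(uri)
        counts.append(cache.fetches)

    step("acct:alice@social.example")   # cold: 1 fetch
    step("acct:alice@social.example")   # served from cache: still 1
    clock.advance(timedelta(hours=3))
    step("acct:alice@social.example")   # Expires passed: 2
    step("acct:bob@social.example")     # cold: 3
    clock.advance(timedelta(days=8))
    step("acct:bob@social.example")     # capped 7-day lifetime passed: 4
    return tuple(counts)
```

Wiring a conditional GET (ETag / 304 Not Modified, as Daniel mentions) into the injected fetch callable would let the refetch after expiry cost one cheap round trip when the document has not changed.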

Laurent Eschenauer

Feb 25, 2011, 1:55:30 AM
to ostatus...@googlegroups.com, Andrea Messina
On Thu, Feb 24, 2011 at 11:09 PM, Andrea Messina <messin...@gmail.com> wrote:
> > However, with this flow, I'll authenticate the salmon slap as coming from "http://identi.ca/user/385216", but that identifier will be unknown to me as a user.
> > I only know the sender as 'sho...@identi.ca'
>
> Why do you say that you only know the sender "sho...@identi.ca"? If you don't have any kind of relationship (follower, following) with sho...@identi.ca and you receive a salmon mention by that user, you will only know the identifier http://identi.ca/user/385216. So, you should perform the LRDD discovery process to obtain a magic-key, which would be used to verify the received Salmon. I remark here the fact that WebFinger is merely a proper subset of LRDD (for example the HTTP header and the HTML discovery aren't applicable to a URI of type ACCT:NAME@DOMAIN). The presence of a Webfinger identifier isn't compulsory for the operation of OStatus/Salmon in general, it is only more intuitive.

Thank you Andrea, it really helped.

I was looking at it the other way around and never considered http://identi.ca/user/385216 to be the "canonical identifier", however, it makes perfect sense as it is also independent of the username and the mapping between the HTTP URI and the ACCT URI is indeed always provided in the XRD. 

As you point out, it is just a matter of storing all the aliases associated with the webfinger uri when doing discovery for the first time.

Cheers,

Laurent