Folks,
We had this previously:
“If the client queries the WebFinger server and provides a URI for which the server has no information, the server MUST return a 404 status code.”
Someone posted to the list that we should talk about positive replies and mention that a client might be rejected with a 401. So, I wrote this text to be appended to the end of that above paragraph:
“If the server is able to provide information in response to a request, it MUST do so using an appropriate 2xx HTTP status code and including the requested representation in the body of the response. A server MAY also return other HTTP status codes, as appropriate, such as a 401 to indicate that the client is not authorized to issue a request to the server.”
Is this agreeable? Please suggest wording changes, if not.
Paul
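To make the proposed rules concrete (2xx with the representation when the server knows the resource, 404 when it does not, 401 when the client is not authorized), here is an added illustration that is not part of the thread: a minimal WebFinger responder in Python. It assumes the /.well-known/webfinger endpoint and the "resource" query parameter, and its resource table is constructed sample data. It also shows the ordering that addresses the 401-versus-404 concern: the authorization check runs before the lookup, so an unauthorized client receives the same 401 whether or not the resource exists.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: the only resource this toy server knows about.
RESOURCES = {
    "acct:alice@example.com": {
        "subject": "acct:alice@example.com",
        "links": [{"rel": "http://webfinger.net/rel/profile-page",
                   "href": "https://example.com/~alice"}],
    },
}

def webfinger_response(url, authorized=True, auth_required=False):
    """Return (status, body) for a WebFinger request.

    2xx + representation when the resource is known, 404 when it is not,
    401 when the client is not authorized to query the server at all.
    """
    parts = urlsplit(url)
    if parts.path != "/.well-known/webfinger":
        return 404, ""  # not the WebFinger endpoint (assumed path)
    # Authorization is decided before the lookup so that an unauthorized
    # client cannot tell a known resource from an unknown one.
    if auth_required and not authorized:
        return 401, ""
    resource = parse_qs(parts.query).get("resource", [None])[0]
    jrd = RESOURCES.get(resource)
    if jrd is None:
        return 404, ""  # server found, resource not found
    return 200, json.dumps(jrd)
```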
This language is fine but the security considerations ought to recognize and briefly discuss the risk of returning 401's vs. 404's (as I had previously suggested).
_______________________________________________
webfinger mailing list
webf...@ietf.org
https://www.ietf.org/mailman/listinfo/webfinger
The 404 bit is needed, since the “webfinger” server was found… just not the resource being queried. That question absolutely will come up.
The new stuff (401, 2xx), I agree: it’s re-stating what HTTP does.
If others agree, I’ll not put that into the spec.
Paul
I went through your items from before, but I didn’t add anything related to 404. Exactly what text are you proposing again?
I want others to agree with the insertion. If I didn’t add it, it meant I didn’t feel it was needed. (That might mean I didn’t consider it carefully enough, I’ll admit.)
Paul
From: James M Snell [mailto:jas...@gmail.com]
Sent: Thursday, December 20, 2012 12:24 PM
To: Paul E. Jones
Cc: webf...@ietf.org; webf...@googlegroups.com
Subject: Re: [webfinger] Server Response language
This language is fine but the security considerations ought to recognize and briefly discuss the risk of returning 401's vs. 404's (as I had previously suggested).
That’s what 404 is for; I quote RFC2616:
10.4.5 404 Not Found
The server has not found anything matching the Request-URI.
It’s bad practice to incorporate referenced specifications by value not by reference. -T
But the server did find something. It found the “webfinger” resource. The software that responds to the query then has to decide what it returns. It might be logical to some, but I’d argue we need to state this to avoid confusion.
I don’t think 2xx or 401 needs to be stated, though.
Paul
From: Tim Bray [mailto:tb...@textuality.com]
Sent: Thursday, December 20, 2012 12:53 PM
To: Paul E. Jones
Cc: webf...@ietf.org; webf...@googlegroups.com
Subject: Re: [webfinger] Server Response language
That’s what 404 is for; I quote RFC2616:
10.4.5 404 Not Found
The server has not found anything matching the Request-URI.
It’s bad practice to incorporate referenced specifications by value not by reference. -T