Server Response language


Paul E. Jones

Dec 20, 2012, 11:28:04 AM
to webf...@ietf.org, webf...@googlegroups.com

Folks,

We had this previously:

“If the client queries the WebFinger server and provides a URI for which the server has no information, the server MUST return a 404 status code.”

Someone posted to the list that we should talk about positive replies and mention that a client might be rejected with a 401.  So, I wrote this text to be appended to the end of that above paragraph:

“If the server is able to provide information in response to a request, it MUST do so using an appropriate 2xx HTTP status code and including the requested representation in the body of the response.  A server MAY also return other HTTP status codes, as appropriate, such as a 401 to indicate that the client is not authorized to issue a request to the server.”

Is this agreeable?  Please suggest wording changes, if not.

Paul

James M Snell

Dec 20, 2012, 12:24:08 PM
to Paul E. Jones, webf...@ietf.org, webf...@googlegroups.com

This language is fine but the security considerations ought to recognize and briefly discuss the risk of returning 401's vs. 404's (as I had previously suggested).


Tim Bray

Dec 20, 2012, 12:29:36 PM
to Paul E. Jones, webf...@ietf.org, webf...@googlegroups.com
As in every other case where the WebFinger spec is merely re-iterating standard HTTP rules, I suggest just removing this language. -Tim

Paul E. Jones

Dec 20, 2012, 12:35:16 PM
to Tim Bray, webf...@ietf.org, webf...@googlegroups.com

The 404 bit is needed, since the “webfinger” server was found… just not the resource being queried.  That question absolutely will come up.

The new stuff (401, 2xx), I agree: it’s re-stating what HTTP does.

If others agree, I’ll not put that into the spec.

Paul

Paul E. Jones

Dec 20, 2012, 12:37:18 PM
to James M Snell, webf...@ietf.org, webf...@googlegroups.com

I went through your items from before, but I didn’t add anything related to 404.  Exactly what text are you proposing again?

I want others to agree with the insertion.  If I didn’t add it, it meant I didn’t feel it was needed.  (That might mean I didn’t consider it carefully enough, I’ll admit.)

Paul

From: James M Snell [mailto:jas...@gmail.com]
Sent: Thursday, December 20, 2012 12:24 PM
To: Paul E. Jones
Cc: webf...@ietf.org; webf...@googlegroups.com
Subject: Re: [webfinger] Server Response language

This language is fine but the security considerations ought to recognize and briefly discuss the risk of returning 401's vs. 404's (as I had previously suggested).

Goix Laurent Walter

Dec 20, 2012, 12:58:18 PM
to Tim Bray, Paul E. Jones, webf...@ietf.org, webf...@googlegroups.com


On Dec 20, 2012, at 18:53, "Tim Bray" <tb...@textuality.com> wrote:

That’s what 404 is for; I quote RFC2616:

10.4.5 404 Not Found

   The server has not found anything matching the Request-URI.

It’s bad practice to incorporate referenced specifications by value not by reference.  -T

Agreed. It's a pity the same was not adopted for jrd ;)

Paul E. Jones

Dec 20, 2012, 1:02:59 PM
to Tim Bray, webf...@ietf.org, webf...@googlegroups.com

But the server did find something.  It found the “webfinger” resource.  The software that responds to the query has to then decide what it returns.  It might be logical to some, but I’d argue we need to state this to avoid confusion.

I don’t think 2xx or 401 needs to be stated, though.

Paul

From: Tim Bray [mailto:tb...@textuality.com]
Sent: Thursday, December 20, 2012 12:53 PM
To: Paul E. Jones
Cc: webf...@ietf.org; webf...@googlegroups.com
Subject: Re: [webfinger] Server Response language

That’s what 404 is for; I quote RFC2616:

10.4.5 404 Not Found

   The server has not found anything matching the Request-URI.

It’s bad practice to incorporate referenced specifications by value not by reference.  -T
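
The status-code rules debated in this thread, as an added example that is not part of any message or of the draft: a response function where the WebFinger endpoint itself exists but an unknown `resource` still yields 404. The `/.well-known/webfinger` path and JRD media type come from the published WebFinger specification rather than this thread; the sample account, the `authorized` flag, the `Basic` challenge and the 400 for a missing `resource` parameter are assumptions of this example.

```python
import json
from urllib.parse import urlsplit, parse_qs

WEBFINGER_PATH = "/.well-known/webfinger"

# Constructed sample data: the only resource this server knows about.
RESOURCES = {
    "acct:alice@example.com": {
        "subject": "acct:alice@example.com",
        "links": [{"rel": "http://webfinger.net/rel/profile-page",
                   "href": "https://example.com/alice"}],
    },
}


def webfinger_response(request_target, authorized=True):
    """Return (status, headers, body) for a GET on request_target."""
    parts = urlsplit(request_target)

    # Plain HTTP 404: nothing is served at this path at all.
    if parts.path != WEBFINGER_PATH:
        return 404, {}, b""

    # "A server MAY also return other HTTP status codes ... such as a 401".
    # How a client becomes authorized is outside this example.
    if not authorized:
        return 401, {"WWW-Authenticate": 'Basic realm="webfinger"'}, b""

    # Exactly one non-empty resource parameter is expected (assumption here).
    values = parse_qs(parts.query).get("resource", [])
    if len(values) != 1:
        return 400, {}, b""

    # The endpoint was found, but the server has no information about the
    # queried URI: the case the 404 sentence in the draft is written for.
    jrd = RESOURCES.get(values[0])
    if jrd is None:
        return 404, {}, b""

    # Positive reply: 2xx with the requested representation in the body.
    body = json.dumps(jrd).encode("utf-8")
    return 200, {"Content-Type": "application/jrd+json"}, body
```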
