[Openid-specs-fastfed] WebFinger discovery using subdomain

Jared Hanson jaredhanson at gmail.com
Sat Oct 31 01:06:42 UTC 2020


The latest draft (02) of FastFed Core includes a mechanism for discovery
that uses the "fastfed._well_known" subdomain, resulting in requests to
URLs such as "https://fastfed._well_known.example.com"

I am a proponent of moving in this direction, as I'd like to see a
mechanism for discovery that is both operationally easy to delegate as well
as secure.

There are a couple of issues that need addressing in the current draft:

1. The CA Browser Forum no longer allows issuing TLS certificates to domain
names containing underscores.  Details here:
https://blog.entrust.com/2019/01/removal-of-underscores-from-domain-names/

I assume the intent of using underscores was to align with RFC8552.
However, the use of underscores in that specification, alongside
generalized DNS resource records (TXT, SRV, URL), does not require use of
HTTPS (and associated certificates).  Due to the fact that this mechanism
does require HTTPS, I believe we should be using domain names that are
valid hostnames.  That implies we need to not use underscores.

I suggest we use "well-known" as the subdomain.  If anyone knows of issues
that would prevent that, please let the group know.

2. I'm unclear on why "fastfed._well_known" is being used as a way to
locate the WebFinger endpoint.  Why not use "webfinger._well_known"?

The latter would be more general purpose, and would allow other applications
(such as OIDC) to make use of the same mechanism.  It'd be nice to align
the work being done here so that the discovery mechanism is reusable by
other protocols.

Regarding this, I am working on pulling this capability out into its own
draft specification, so that other protocols can take advantage of it.  For
anyone who wants to assist or comment, that draft is currently here:
https://github.com/jaredhanson/draft-well-known-dns-subdomain/blob/master/spec.txt

Thanks,
Jared Hanson

-- 
Jared Hanson <http://jaredhanson.net/>
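As an added illustration of the hostname point raised above (example code written for this page, not part of the message, the FastFed draft, or Jared's draft), the snippet below checks a candidate discovery subdomain against the RFC 1123 letters-digits-hyphen ("LDH") label rule that publicly trusted TLS certificates are bound to, flags RFC 8552 underscore labels, and builds the RFC 7033 WebFinger query URL on a host that passes. The labels "fastfed._well_known" and "webfinger._well_known" come from the message; "webfinger.well-known" is an assumed combination of the two proposals and is not something the message itself specifies.

```python
import re
from urllib.parse import quote

# RFC 1123 "LDH" label: letters, digits and hyphens, no leading or trailing
# hyphen, 1 to 63 octets.  Underscores are not permitted, which is why public
# CAs stopped issuing certificates for names that contain them.
_LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(name: str) -> bool:
    """True if every label of `name` is an LDH label and the whole name fits in 253 octets."""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    return all(_LDH_LABEL.match(label) for label in labels)


def underscore_labels(name: str) -> list[str]:
    """Labels that use the RFC 8552 underscore convention (fine for TXT/SRV records, not for HTTPS hosts)."""
    return [label for label in name.split(".") if label.startswith("_")]


def discovery_host(domain: str, subdomain: str) -> str:
    """Return `<subdomain>.<domain>`, refusing names that cannot carry a publicly trusted certificate."""
    host = f"{subdomain}.{domain}"
    if not is_valid_hostname(host):
        raise ValueError(
            f"{host!r} is not a valid hostname; underscore labels: {underscore_labels(host)}"
        )
    return host


def webfinger_url(host: str, resource: str) -> str:
    """RFC 7033 WebFinger query URL for `resource` served from `host`."""
    return f"https://{host}/.well-known/webfinger?resource={quote(resource, safe='')}"


if __name__ == "__main__":
    # Candidate labels: two from the message, one assumed combination of the proposals.
    for label in ("fastfed._well_known", "webfinger._well_known", "webfinger.well-known"):
        try:
            host = discovery_host("example.com", label)
            print("ok  ", webfinger_url(host, "acct:alice@example.com"))
        except ValueError as exc:
            print("skip", exc)
```

Running it prints "skip" for both underscored candidates and an "ok" line with the WebFinger URL for the hyphenated one, which is the concrete consequence of the certificate-issuance rule described in the message: a discovery host that fails the LDH check can resolve in DNS but cannot be reached over HTTPS with a publicly trusted certificate.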