Point your (web)finger at me

Reading Time: 4 minutes

Well … at least in Poland we are saying that what happens once can happen again … like in Battlestar Galactica world. In last days it turned out that the same saying is true for network protocols. At least for one of them some time ago well known as Finger.

For those who are too young to remember (and I think we have right now generation of Internet users who might never heard about Finger), it was protocol which allowed to issue simple query to server (if somebody established one) to get some basic information about given user. Simple

finger tomaszon@server

would return information like real name etc.

It turned out that some people at Google has come with idea that we can get the same protocol idea and apply it in current Internet world. But instead of using some form of client (finger was a client to a service) and server address it should use something more familiar to ordinary user … e-mail address. Just send it to WebFinger service and you will get some information about owner of this e-mail. That simple.

(cc) ethangibbs808

Right now e-mail address is … well … just e-mail address. Can it be something more with WebFinger? Let just speak the project web page:

If I give you my email address today, you can't do anything with it except email me. I can't attach public metadata to my email address to give you more information. WebFinger is about making email addresses more valuable, by letting people attach public metadata to them. That metadata might include:

  • public profile data
  • pointer to identity provider (e.g. OpenID server)
  • a public key
  • other services used by that email address (e.g. Flickr, Picasa, Smugmug, Twitter, Facebook, and usernames for each)
  • a URL to an avatar
  • profile data (nickname, full name, etc)
  • whether the email address is also a JID, or explicitly declare that it's NOT an email, and ONLY a JID, or any combination to disambiguate all the addresses that look like something@somewhere.com
  • or even a public declaration that the email address doesn't have public metadata, but has a pointer to an endpoint that, provided authentication, will tell you some protected metadata, depending on who you authenticate as.

… but rather than fight about the exact contents.

Wow … so “Show me your e-mail and I will tell You who You are !”.  E-mail as identity or at least as Universal Identity Locator (UIR).

Some kind of similar idea is behind i-names or OpenID (I know, analogy is too big but there is). But WebFinger is trying to address one thing which stands in front of these technology adoption by ordinary Internet user – need to remember some new name \ URL \ identifier. Everybody knows their e-mail … OpenID provider … only geeks can remember that ;).

How it might be used … let see … OpenID. Instead of providing URL to OpenID provider user will provide Relaying Party with his e-mail and RP will use WebFinger to get details of OpenID URL and will handle redirection to correct web page.

PKI and e-mail … while writing e-mail to a person you are hitting ‘encrypt’ magic button and your mail agent contacts proper WebFinger server and retrieves public key of such person. Recipient mail agent is doing the same when e-mail is being read. Public key exchange made easy …

… not mentioning all Web 2.0 application developers who will be in a heaven of information about user applications, places he uses etc. Connections made easy.

Sounds great …

Just on the side note … does it remind You something? Identity Provider? Security Token Service? Does it ring the bell :)? At the end this is very similar what STS would do … 

But looking at this idea from other side …

… first, what one of users on my Polish blog has pointed me on is that in some way such service would be great source of information for all sorts of spammers etc. But as spam is still a problem I think that this might be mitigated in some way.

… second, I’m really not sure if I’m completely sold to e-mail as identity or UIR idea. People are using many e-mail addresses … business, private, private from school time etc. Via WebFinger e-mail is no longer identity attribute (claim) but it turns into integral element of one identity. Right now changing and e-mail is just inconvenient … you have to notify you address book citizens and probably change it in many service \ applications (once again – switch to IP \ STS \ claims might solve some of these problems). But when e-mail IS your identity pointer in Internet space changing it is not so easy … and at the end for one of biggest (if not biggest) e-mail SaaS provider as Google keeping You attached to you (g)mail is what is important for them 🙂 …isn’t it?

That way or another this is interesting idea … will see if it will become a real thing or it will end up on forgotten protocols pile