index-annost.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <meta name="robots" content="index,follow" />
    <meta name="creator" content="rfchandler version 0.2" />
      <meta name="citation_author" content="P. Jones"/>
      <meta name="citation_author" content="G. Salgueiro"/>
      <meta name="citation_author" content="M. Jones"/>
      <meta name="citation_author" content="J. Smarr"/>
      <meta name="citation_publication_date" content="September, 2013"/>
      <meta name="citation_title" content="WebFinger"/>
      <meta name="citation_doi" content="10.17487/RFC7033"/>
      <meta name="citation_issn" content="2070-1721"/>
      <meta name="citation_technical_report_number" content="rfc7033"/>
      <meta name="citation_pdf_url" content="https://www.rfc-editor.org/rfc/pdfrfc/rfc7033.txt.pdf"/>
<title>RFC 7033: WebFinger</title>


        <style type="text/css">
	@media only screen
	  and (min-width: 992px)
	  and (max-width: 1199px) {
	    body { font-size: 14pt; }
            div.content { width: 96ex; margin: 0 auto; }
        }
	@media only screen
	  and (min-width: 768px)
	  and (max-width: 991px) {
            body { font-size: 14pt; }
            div.content { width: 96ex; margin: 0 auto; }
        }
	@media only screen
	  and (min-width: 480px)
	  and (max-width: 767px) {
            body { font-size: 11pt; }
            div.content { width: 96ex; margin: 0 auto; }
        }
	@media only screen
	  and (max-width: 479px) {
            body { font-size: 8pt; }
            div.content { width: 96ex; margin: 0 auto; }
        }
	@media only screen
	  and (min-device-width : 375px)
	  and (max-device-width : 667px) {
            body { font-size: 9.5pt; }
            div.content { width: 96ex; margin: 0; }
        }
	@media only screen
	  and (min-device-width: 1200px) {
            body { font-size: 10pt; margin: 0 4em; }
            div.content { width: 96ex; margin: 0; }
        }
        h1, h2, h3, h4, h5, h6, .h1, .h2, .h3, .h4, .h5, .h6 {
	    font-weight: bold;
           /* line-height: 0pt; */
            display: inline;
            white-space: pre;
            font-family: monospace;
            font-size: 1em;
	    font-weight: bold;
        }
        pre {
            font-size: 1em;
            margin-top: 0px;
            margin-bottom: 0px;
        }
	.pre {
	    white-space: pre;
	    font-family: monospace;
	}
	.header{
	    font-weight: bold;
	}
        .newpage {
            page-break-before: always;
        }
        .invisible {
            text-decoration: none;
            color: white;
        }
        a.selflink {
          color: black;
          text-decoration: none;
        }
        @media print {
            body {
                font-family: monospace;
                font-size: 10.5pt;
            }
            h1, h2, h3, h4, h5, h6 {
                font-size: 1em;
            }

            a:link, a:visited {
                color: inherit;
                text-decoration: none;
            }
            .noprint {
                display: none;
            }
        }
	@media screen {
	    .grey, .grey a:link, .grey a:visited {
		color: #777;
	    }
            .docinfo {
                background-color: #EEE;
            }
            .top {
                border-top: 7px solid #EEE;
            }
            .bgwhite  { background-color: white; }
            .bgred    { background-color: #F44; }
            .bggrey   { background-color: #666; }
            .bgbrown  { background-color: #840; }
            .bgorange { background-color: #FA0; }
            .bgyellow { background-color: #EE0; }
            .bgmagenta{ background-color: #F4F; }
            .bgblue   { background-color: #66F; }
            .bgcyan   { background-color: #4DD; }
            .bggreen  { background-color: #4F4; }

            .legend   { font-size: 90%; }
            .cplate   { font-size: 70%; border: solid grey 1px; }
	}
    </style>
    <!--[if IE]>
    <style>
    body {
       font-size: 13px;
       margin: 10px 10px;
    }
    </style>
    <![endif]-->    <script type="text/javascript"><!--
    function addHeaderTags() {
        var spans = document.getElementsByTagName("span");
        for (var i=0; i < spans.length; i++) {
            var elem = spans[i];
            if (elem) {
                var level = elem.getAttribute("class");
                if (level == "h1" || level == "h2" || level == "h3" || level == "h4" || level == "h5" || level == "h6") {
                    elem.innerHTML = "<"+level+">"+elem.innerHTML+"</"+level+">";
                }
            }
        }
    }
    var legend_html = "Colour legend:<br />      <table>         <tr><td>Unknown:</td>                   <td><span class='cplate bgwhite'>&nbsp;&nbsp;&nbsp;&nbsp;</span></td></tr>         <tr><td>Draft:</td>                     <td><span class='cplate bgred'>&nbsp;&nbsp;&nbsp;&nbsp;</span></td></tr>         <tr><td>Informational:</td>             <td><span class='cplate bgorange'>&nbsp;&nbsp;&nbsp;&nbsp;</span></td></tr>         <tr><td>Experimental:</td>              <td><span class='cplate bgyellow'>&nbsp;&nbsp;&nbsp;&nbsp;</span></td></tr>         <tr><td>Best Common Practice:</td>      <td><span class='cplate bgmagenta'>&nbsp;&nbsp;&nbsp;&nbsp;</span></td></tr>         <tr><td>Proposed Standard:</td>         <td><span class='cplate bgblue'>&nbsp;&nbsp;&nbsp;&nbsp;</span></td></tr>         <tr><td>Draft Standard (old designation):</td> <td><span class='cplate bgcyan'>&nbsp;&nbsp;&nbsp;&nbsp;</span></td></tr>         <tr><td>Internet Standard:</td>         <td><span class='cplate bggreen'>&nbsp;&nbsp;&nbsp;&nbsp;</span></td></tr>         <tr><td>Historic:</td>                  <td><span class='cplate bggrey'>&nbsp;&nbsp;&nbsp;&nbsp;</span></td></tr>         <tr><td>Obsolete:</td>                  <td><span class='cplate bgbrown'>&nbsp;&nbsp;&nbsp;&nbsp;</span></td></tr>     </table>";
    function showElem(id) {
        var elem = document.getElementById(id);
        elem.innerHTML = eval(id+"_html");
        elem.style.visibility='visible';
    }
    function hideElem(id) {
        var elem = document.getElementById(id);
        elem.style.visibility='hidden';
        elem.innerHTML = "";
    }
    // -->
</script>
<script src="annost.js">
    </script></head>
<body>
   <annost-note>
      <h1 id='annost-title' style='display: block; text-align: left; color: #c04040; padding: 20px; border: 1px solid #c04040; font-family: Arial'>
       Annotated by AnnoST. Experimental :-)
      </h1>
      <p>The AnnoST annotations use the following roles (see also sections on Conformance, and on Specification Profiles below):</p>
      <dl>
         <dt>Client</dt>
         <dd>The client role in a WebFinger interaction</dd>
         <dt>Server</dt>
         <dd>The server role in a WebFinger interaction</dd>
          </dl>
     </annost-note>
     <span class="pre noprint docinfo">[<a href="https://www.rfc-editor.org" title="RFC Editor">RFC Home</a>] [<a href="/rfc/rfc7033.txt">TEXT</a>|<a href="/rfc/pdfrfc/rfc7033.txt.pdf">PDF</a>|<a href="/rfc/rfc7033.html">HTML</a>] [<a href='https://datatracker.ietf.org/doc/rfc7033' title='IETF Datatracker information for this document'>Tracker</a>] [<a href="https://datatracker.ietf.org/ipr/search/?rfc=7033&amp;submit=rfc" title="IPR disclosures related to this document">IPR</a>] [<a href='https://www.rfc-editor.org/info/rfc7033' title='Info page'>Info page</a>]                  </span><br/><span class="pre noprint docinfo">                                                                        </span><br /><span class="pre noprint docinfo">                                                       PROPOSED STANDARD</span><br /><span class="pre noprint docinfo">                                                                        </span><pre>Internet Engineering Task Force (IETF)                          P. Jones
Request for Comments: 7033                                  G. Salgueiro
Category: Standards Track                                  Cisco Systems
ISSN: 2070-1721                                                 M. Jones
                                                               Microsoft
                                                                J. Smarr
                                                                  Google
                                                          September 2013


                               <span class="h1">WebFinger</span>

Abstract

   This specification defines the WebFinger protocol, which can be used
   to discover information about people or other entities on the
   Internet using standard HTTP methods.  WebFinger discovers
   information for a URI that might not be usable as a locator
   otherwise, such as account or email URIs.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in <a href="./rfc5741#section-2">Section&nbsp;2 of RFC 5741</a>.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   <a href="https://www.rfc-editor.org/info/rfc7033">http://www.rfc-editor.org/info/rfc7033</a>.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.



<span class="grey">Jones, et al.                Standards Track                    [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc7033">RFC 7033</a>                        WebFinger                 September 2013</span>


Table of Contents

   <a href="#section-1">1</a>. Introduction ....................................................<a href="#page-3">3</a>
   <a href="#section-2">2</a>. Terminology .....................................................<a href="#page-3">3</a>
   <a href="#section-3">3</a>. Example Uses of WebFinger .......................................<a href="#page-4">4</a>
      <a href="#section-3.1">3.1</a>. Identity Provider Discovery for OpenID Connect .............<a href="#page-4">4</a>
      <a href="#section-3.2">3.2</a>. Getting Author and Copyright Information for a Web Page ....<a href="#page-5">5</a>
   <a href="#section-4">4</a>. WebFinger Protocol ..............................................<a href="#page-7">7</a>
        <a href="#section-4.1">4.1</a>. Constructing the Query Component of the Request URI.......<a href="#page-7">7</a>
        <a href="#section-4.2">4.2</a>. Performing a WebFinger Query..............................<a href="#page-8">8</a>
        <a href="#section-4.3">4.3</a>. The "rel" Parameter.......................................<a href="#page-9">9</a>
        <a href="#section-4.4">4.4</a>. The JSON Resource Descriptor (JRD).......................<a href="#page-11">11</a>
           <a href="#section-4.4.1">4.4.1</a>. subject.............................................<a href="#page-11">11</a>
           <a href="#section-4.4.2">4.4.2</a>. aliases.............................................<a href="#page-11">11</a>
           <a href="#section-4.4.3">4.4.3</a>. properties..........................................<a href="#page-12">12</a>
           <a href="#section-4.4.4">4.4.4</a>. links...............................................<a href="#page-12">12</a>
        <a href="#section-4.5">4.5</a>. WebFinger and URIs.......................................<a href="#page-14">14</a>
   <a href="#section-5">5</a>. Cross-Origin Resource Sharing (CORS) ...........................<a href="#page-14">14</a>
   <a href="#section-6">6</a>. Access Control .................................................<a href="#page-15">15</a>
   <a href="#section-7">7</a>. Hosted WebFinger Services ......................................<a href="#page-15">15</a>
   <a href="#section-8">8</a>. Definition of WebFinger Applications ...........................<a href="#page-16">16</a>
      <a href="#section-8.1">8.1</a>. Specification of the URI Scheme and URI ...................<a href="#page-17">17</a>
      <a href="#section-8.2">8.2</a>. Host Resolution ...........................................<a href="#page-17">17</a>
      <a href="#section-8.3">8.3</a>. Specification of Properties ...............................<a href="#page-17">17</a>
      <a href="#section-8.4">8.4</a>. Specification of Links ....................................<a href="#page-18">18</a>
      <a href="#section-8.5">8.5</a>. One URI, Multiple Applications ............................<a href="#page-18">18</a>
      <a href="#section-8.6">8.6</a>. Registration of Link Relation Types and Properties ........<a href="#page-19">19</a>
   <a href="#section-9">9</a>. Security Considerations ........................................<a href="#page-19">19</a>
      <a href="#section-9.1">9.1</a>. Transport-Related Issues ..................................<a href="#page-19">19</a>
      <a href="#section-9.2">9.2</a>. User Privacy Considerations ...............................<a href="#page-19">19</a>
      <a href="#section-9.3">9.3</a>. Abuse Potential ...........................................<a href="#page-21">21</a>
      <a href="#section-9.4">9.4</a>. Information Reliability ...................................<a href="#page-21">21</a>
   <a href="#section-10">10</a>. IANA Considerations ...........................................<a href="#page-22">22</a>
      <a href="#section-10.1">10.1</a>. Well-Known URI ...........................................<a href="#page-22">22</a>
      <a href="#section-10.2">10.2</a>. JSON Resource Descriptor (JRD) Media Type ................<a href="#page-22">22</a>
      <a href="#section-10.3">10.3</a>. Registering Link Relation Types ..........................<a href="#page-24">24</a>
      <a href="#section-10.4">10.4</a>. Establishment of the "WebFinger Properties" Registry .....<a href="#page-24">24</a>
           <a href="#section-10.4.1">10.4.1</a>. The Registration Template .........................<a href="#page-24">24</a>
           <a href="#section-10.4.2">10.4.2</a>. The Registration Procedures .......................<a href="#page-25">25</a>
   <a href="#section-11">11</a>. Acknowledgments ...............................................<a href="#page-26">26</a>
   <a href="#section-12">12</a>. References ....................................................<a href="#page-26">26</a>
      <a href="#section-12.1">12.1</a>. Normative References .....................................<a href="#page-26">26</a>
      <a href="#section-12.2">12.2</a>. Informative References ...................................<a href="#page-27">27</a>








<span class="grey">Jones, et al.                Standards Track                    [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc7033">RFC 7033</a>                        WebFinger                 September 2013</span>


<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>.  Introduction</span>

   WebFinger is used to discover information about people or other
   entities on the Internet that are identified by a URI [<a href="#ref-6" title="&quot;Uniform Resource Identifier (URI): Generic Syntax&quot;">6</a>] using
   standard Hypertext Transfer Protocol (HTTP) [<a href="#ref-2" title="&quot;Hypertext Transfer Protocol -- HTTP/1.1&quot;">2</a>] methods over a secure
   transport [<a href="#ref-12" title="&quot;HTTP Over TLS&quot;">12</a>].  A WebFinger resource returns a JavaScript Object
   Notation (JSON) [<a href="#ref-5" title="&quot;The application/json Media Type for JavaScript Object Notation (JSON)&quot;">5</a>] object describing the entity that is queried.
   The JSON object is referred to as the JSON Resource Descriptor (JRD).

   For a person, the type of information that might be discoverable via
   WebFinger includes a personal profile address, identity service,
   telephone number, or preferred avatar.  For other entities on the
   Internet, a WebFinger resource might return JRDs containing link
   relations [<a href="#ref-8" title="&quot;Link Relations&quot;">8</a>] that enable a client to discover, for example, that a
   printer can print in color on A4 paper, the physical location of a
   server, or other static information.

   Information returned via WebFinger might be for direct human
   consumption (e.g., looking up someone's phone number), or it might be
   used by systems to help carry out some operation (e.g., facilitating,
   with additional security mechanisms, logging into a web site by
   determining a user's identity service).  The information is intended
   to be static in nature, and, as such, WebFinger is not intended to be
   used to return dynamic information like the temperature of a CPU or
   the current toner level in a laser printer.

   The WebFinger protocol is designed to be used across many
   applications.  Applications that wish to utilize WebFinger will need
   to specify properties, titles, and link relation types that are
   appropriate for the application.  Further, applications will need to
   define the appropriate URI scheme to utilize for the query target.

   Use of WebFinger is illustrated in the examples in <a href="#section-3">Section 3</a> and
   described more formally in <a href="#section-4">Section 4</a>.  <a href="#section-8">Section 8</a> describes how
   applications of WebFinger may be defined.

<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>.  Terminology</span>

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in <a href="./rfc2119">RFC 2119</a> [<a href="#ref-1" title="&quot;Key words for use in RFCs to Indicate Requirement Levels&quot;">1</a>].

   WebFinger makes heavy use of "link relations".  A link relation is an
   attribute-value pair in which the attribute identifies the type of
   relationship between the linked entity or resource and the
   information specified in the value.  In Web Linking [<a href="#ref-4" title="&quot;Web Linking&quot;">4</a>], the link
   relation is represented using an HTTP entity-header of "Link", where
   the "rel" attribute specifies the type of relationship and the "href"



<span class="grey">Jones, et al.                Standards Track                    [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc7033">RFC 7033</a>                        WebFinger                 September 2013</span>


   attribute specifies the information that is linked to the entity or
   resource.  In WebFinger, the same concept is represented using a JSON
   array of "links" objects, where each member named "rel" specifies the
   type of relationship and each member named "href" specifies the
   information that is linked to the entity or resource.  Note that
   WebFinger narrows the scope of a link relation beyond what is defined
   for Web Linking by stipulating that the value of the "rel" member
   needs to be either a single IANA-registered link relation type [<a href="#ref-8" title="&quot;Link Relations&quot;">8</a>] or
   a URI [<a href="#ref-6" title="&quot;Uniform Resource Identifier (URI): Generic Syntax&quot;">6</a>].
</pre>
<annost-xref target="4.4.4.1/1">
Link relation types.
</annost-xref>
<pre>
   The use of URIs throughout this document refers to URIs following the
   syntax specified in <a href="./rfc3986#section-3">Section&nbsp;3 of RFC 3986</a> [<a href="#ref-6" title="&quot;Uniform Resource Identifier (URI): Generic Syntax&quot;">6</a>].  Relative URIs, having
   syntax following that of <a href="./rfc3986#section-4.2">Section&nbsp;4.2 of RFC 3986</a>, are not used with
   WebFinger.
</pre>
<annost-note>
All tests that process URIs MUST check that the URIs are absolute.
</annost-note>
<pre>
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>.  Example Uses of WebFinger</span>
   This section shows a few sample uses of WebFinger.  Any application
   of WebFinger would be specified outside of this document, as
   described in <a href="#section-8">Section 8</a>.  The examples in this section should be
   simple enough to understand without having seen the formal
   specifications of the applications.

</pre>
<annost-note>
   No tests derived from this example section 3.
</annost-note>
<pre>

   <span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>.  Identity Provider Discovery for OpenID Connect</span>

   Suppose Carol wishes to authenticate with a web site she visits using
   OpenID Connect [<a href="#ref-15" title="&quot;OpenID Connect Messages 1.0&quot;">15</a>].  She would provide the web site with her OpenID
   Connect identifier, say carol@example.com.  The visited web site
   would perform a WebFinger query looking for the OpenID Connect
   provider.  Since the site is interested in only one particular link
   relation, the WebFinger resource might utilize the "rel" parameter as
   described in <a href="#section-4.3">Section 4.3</a>:

     GET /.well-known/webfinger?
            resource=acct%3Acarol%40example.com&amp;
            rel=http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer
            HTTP/1.1
     Host: example.com

</pre>










<span class="grey">Jones, et al.                Standards Track                    [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc7033">RFC 7033</a>                        WebFinger                 September 2013</span>


   The server might respond like this:

     HTTP/1.1 200 OK
     Access-Control-Allow-Origin: *
     Content-Type: application/jrd+json

     {
       "subject" : "acct:carol@example.com",
       "links" :
       [
         {
           "rel" : "<a href="http://openid.net/specs/connect/1.0/issuer">http://openid.net/specs/connect/1.0/issuer</a>",
           "href" : "https://openid.example.com"
         }
       ]
     }

   Since the "rel" parameter only serves to filter the link relations
   returned by the resource, other name/value pairs in the response,
   including any aliases or properties, would be returned.  Also, since
   support for the "rel" parameter is not guaranteed, the client must
   not assume the "links" array will contain only the requested link
   relation.
</pre>
<pre>

<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>.  Getting Author and Copyright Information for a Web Page</span>

   Suppose an application is defined to retrieve metadata information
   about a web page URL, such as author and copyright information.  To
   retrieve that information, the client can utilize WebFinger to issue
   a query for the specific URL.  Suppose the URL of interest is
   http://blog.example.com/article/id/314.  The client would issue a
   query similar to the following:

     GET /.well-known/webfinger?
          resource=http%3A%2F%2Fblog.example.com%2Farticle%2Fid%2F314
          HTTP/1.1
     Host: blog.example.com














<span class="grey">Jones, et al.                Standards Track                    [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc7033">RFC 7033</a>                        WebFinger                 September 2013</span>


   The server might then reply in this way:

     HTTP/1.1 200 OK
     Access-Control-Allow-Origin: *
     Content-Type: application/jrd+json

     {
       "subject" : "http://blog.example.com/article/id/314",
       "aliases" :
       [
         "http://blog.example.com/cool_new_thing",
         "http://blog.example.com/steve/article/7"
       ],
       "properties" :
       {
         "http://blgx.example.net/ns/version" : "1.3",
         "http://blgx.example.net/ns/ext" : null
       },
       "links" :
       [
         {
           "rel" : "copyright",
           "href" : "http://www.example.com/copyright"
         },
         {
           "rel" : "author",
           "href" : "http://blog.example.com/author/steve",
           "titles" :
           {
             "en-us" : "The Magical World of Steve",
             "fr" : "Le Monde Magique de Steve"
           },
           "properties" :
           {
             "http://example.com/role" : "editor"
           }
         }

       ]
     }

   In the above example, we see that the server returned a list of
   aliases, properties, and links related to the subject URL.  The links
   contain references to information for each link relation type.  For
   the author link, the server provided a reference to the author's
   blog, along with a title for the blog in two languages.  The server
   also returned a single property related to the author, indicating the
   author's role as editor of the blog.



<span class="grey">Jones, et al.                Standards Track                    [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc7033">RFC 7033</a>                        WebFinger                 September 2013</span>


   It is worth noting that, while the server returned just two links in
   the "links" array in this example, a server might return any number
   of links when queried.

<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>.  WebFinger Protocol</span>

   The WebFinger protocol is used to request information about an entity
   identified by a query target (a URI).  The client can optionally
   specify one or more link relation types for which it would like to
   receive information.

</pre>
<annost-test testid="4/1" name="Server accepts all link rels in the query" role="Server" level="MUST">
A server must accept all link rels in the query, even if it does not understand them.
To test, send a variety of variations on the same query, and make sure the server never
emits an error.
</annost-test>
<pre>

   A WebFinger request is an HTTPS request to a WebFinger resource.  A
   WebFinger resource is a well-known URI [<a href="#ref-3" title="&quot;Defining Well-Known Uniform Resource Identifiers (URIs)&quot;">3</a>] using the HTTPS scheme
   constructed along with the required query target and optional link
   relation types.  WebFinger resources MUST NOT be served with any
   other URI scheme (such as HTTP).

</pre>
<annost-test testid="4/2" name="Client only performs https requests" role="Client" level="MUST">
A client must only perform Webfinger requests over https.
</annost-test>
<annost-test testid="4/3" name="Server only returns JRD in response to https requests" role="Server" level="MUST">
A server must only respond with a JRD document when the request was
made over https. If it was not, the behavior is undefined other than not returning a JRD
document.
</annost-test>
<pre>

   A WebFinger resource is always given a query target, which is another
   URI that identifies the entity whose information is sought.  GET
   requests to a WebFinger resource convey the query target in the
   "resource" parameter of the WebFinger URI's query string; see <a href="#section-4.1">Section</a>
   <a href="#section-4.1">4.1</a> for details.

</pre>
<annost-xref target="4/2">
A client must always specify a resource as a parameter. The value must be a
valid URI that is validly %-encoded.
Already tested there.
</annost-xref>
<annost-xref target="4.2/3">
   Server response to invalid resource URI
</annost-xref>
<pre>
   The host to which a WebFinger query is issued is significant.  If the
   query target contains a "host" portion (<a href="./rfc3986#section-3.2.2">Section&nbsp;3.2.2 of RFC 3986</a>),
   then the host to which the WebFinger query is issued SHOULD be the
   same as the "host" portion of the query target, unless the client
   receives instructions through some out-of-band mechanism to send the
   query to another host.  If the query target does not contain a "host"
   portion, then the client chooses a host to which it directs the query
   using additional information it has.

   The path component of a WebFinger URI MUST be the well-known path
   "/.well-known/webfinger".  A WebFinger URI MUST contain a query
   component that encodes the query target and optional link relation
   types as specified in <a href="#section-4.1">Section 4.1</a>.

</pre>
<annost-xref target="4/4">
Resource parameter.
</annost-xref>
<annost-xref target="4.2/3">
Server response to invalid resource URI
</annost-xref>
<pre>

   The WebFinger resource returns a JSON Resource Descriptor (JRD) as
   the resource representation to convey information about an entity on
   the Internet.  Also, the Cross-Origin Resource Sharing (CORS) [<a href="#ref-7" title="&quot;Cross-Origin Resource Sharing&quot;">7</a>]
   specification is utilized to facilitate queries made via a web
   browser.

</pre>
<annost-xref target="5/1">
Server must provide valid CORS header.
</annost-xref>
<pre>

<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>.  Constructing the Query Component of the Request URI</span>

   A WebFinger URI MUST contain a query component (see <a href="./rfc3986#section-3.4">Section&nbsp;3.4 of
   RFC 3986</a>).  The query component MUST contain a "resource" parameter
   and MAY contain one or more "rel" parameters.  The "resource"



<span class="grey">Jones, et al.                Standards Track                    [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc7033">RFC 7033</a>                        WebFinger                 September 2013</span>


   parameter MUST contain the query target (URI), and the "rel"
   parameters MUST contain encoded link relation types according to the
   encoding described in this section.

</pre>
<annost-xref target="4/4">
Resource parameter.
</annost-xref>
<pre>

   To construct the query component, the client performs the following
   steps.  First, each parameter value is percent-encoded, as per
   <a href="./rfc3986#section-2.1">Section&nbsp;2.1 of RFC 3986</a>.  The encoding is done to conform to the
   query production in <a href="#section-3.4">Section 3.4</a> of that specification, with the
   addition that any instances of the "=" and "&amp;" characters within the
   parameter values are also percent-encoded.  Next, the client
   constructs a string to be placed in the query component by
   concatenating the name of the first parameter together with an equal
   sign ("=") and the percent-encoded parameter value.  For any
   subsequent parameters, the client appends an ampersand ("&amp;") to the
   string, the name of the next parameter, an equal sign, and the
   parameter value.  The client MUST NOT insert any spaces while
   constructing the string.  The order in which the client places each
   attribute-value pair within the query component does not matter in
   the interpretation of the query component.

</pre>
<annost-xref target="4/2">
Client encodes the URI correctly, following the algorithm specified.
Already tested there
</annost-xref>
<annost-test testid="4.1/2" name="Parameter ordering is not significant" role="Server" level="MUST">
Server produces the same response regardless of parameter ordering.
</annost-test>
<pre>

<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>.  Performing a WebFinger Query</span>

   A WebFinger client issues a query using the GET method to the well-
   known [<a href="#ref-3" title="&quot;Defining Well-Known Uniform Resource Identifiers (URIs)&quot;">3</a>] resource identified by the URI whose path component is
   "/.well-known/webfinger" and whose query component MUST include the
   "resource" parameter exactly once and set to the value of the URI for
   which information is being sought.
</pre>
<annost-xref target="4/2">
The client issues the query to the right URI.
Tested there already.
</annost-xref>
<annost-test testid="4.2/2" name="Perform a normal query" role="Server" level="MUST">
</annost-test>
<annost-xref target="4/4">
Resource parameter (client)
</annost-xref>

<pre>
   If the "resource" parameter is absent or malformed, the WebFinger
   resource MUST indicate that the request is bad as per <a href="./rfc2616#section-10.4.1">Section&nbsp;10.4.1
   of RFC 2616</a> [<a href="#ref-2" title="&quot;Hypertext Transfer Protocol -- HTTP/1.1&quot;">2</a>].

</pre>
<annost-note>
 In all tests that test absent or malformed resource parameters, test for HTTP status &quot;<code>400 Bad Request</code>&quot;
 per Section 10.4.1 in RFC 2616.
</annost-note>
<annost-test testid="4.2/3" name="Do not accept requests with missing resource parameter" role="Server" level="MUST">
The server responds with "400 Bad Request" when the resource parameter is missing.
See section 4.2 Note on 400 Bad Request.
</annost-test>
<annost-test testid="4.2/4" name="Do not accept malformed resource parameters" role="Server" level="MUST">
The server responds with "400 Bad Request" when the resource parameter is malformed.
# See section 4.2 Note on 400 Bad Request.
</annost-test>
<pre>

   If the "resource" parameter is a value for which the server has no
   information, the server MUST indicate that it was unable to match the
   request as per <a href="./rfc2616#section-10.4.5">Section&nbsp;10.4.5 of RFC 2616</a>.

</pre>
<annost-note>
   In all tests that valid resource parameters that have no account behind them, test for HTTP
   status &quot;<code>404 Not found</code>&quot; per Section 10.4.5 in RFC 2616.
</annost-note>
<annost-test testid="4.2/5" name="404 for non-existing resources" role="Server" level="MUST">
The server responds with "404 Not Found" when the resource parameter identifies a
non-existent resource.
</annost-test>
<pre>

   A client MUST query the WebFinger resource using HTTPS only.
</pre>
<annost-xref target="4/2">
   The client must use HTTPS.
   Already tested there.
</annost-xref>
<pre>
   If the
   client determines that the resource has an invalid certificate, the
   resource returns a 4xx or 5xx status code, or if the HTTPS connection
   cannot be established for any reason, then the client MUST accept
   that the WebFinger query has failed and MUST NOT attempt to reissue
   the WebFinger request using HTTP over a non-secure connection.

</pre>
<annost-test testid="4.2/7" name="Client must accept failure" role="Client" level="MUST">
The client must not use any result it may have obtained under the preceding
conditions.
</annost-test>
<annost-note>
FIXME: not sure how to test this. How do we know whether a client **uses** the result
of a query when it shouldn't?
</annost-note>
<pre>

   A WebFinger resource MUST return a JRD as the representation for the
   resource if the client requests no other supported format explicitly
   via the HTTP "Accept" header.  The client MAY include the "Accept"
   header to indicate a desired representation; representations other
   than JRD might be defined in future specifications.  The WebFinger



<span class="grey">Jones, et al.                Standards Track                    [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc7033">RFC 7033</a>                        WebFinger                 September 2013</span>


   resource MUST silently ignore any requested representations that it
   does not understand or support.

</pre>
<annost-note>
 Not sure we can create test 4.2/8: Server must provide JRD unless requested otherwise.
 How would we do that?
 We are not testing a client-provided format at all, not even the JRD format.
</annost-note>
<pre>





   The media type used for the JSON
   Resource Descriptor (JRD) is "application/jrd+json" (see <a href="#section-10.2">Section</a>
   <a href="#section-10.2">10.2</a>).

</pre>
<annost-test testid="4.2/9" name="Server must return JRD content type" role="Server" level="MUST">
    A server must return the <code>application/jrd+json</code> content type.
</annost-test>

<pre>
   The properties, titles, and link relation types returned by the
   server in a JRD might be varied and numerous.  For example, the
   server might return information about a person's blog, vCard [<a href="#ref-14" title="&quot;vCard Format Specification&quot;">14</a>],
   avatar, OpenID Connect provider, RSS or ATOM feed, and so forth in a
   reply.  Likewise, if a server has no information to provide, it might
   return a JRD with an empty "links" array or no "links" array.

</pre>
<annost-xref target="4/2">
   The client must accept that the XRD document may not contain a links array.
   Already tested there.
</annost-xref>
<annost-xref target="4/2">
   The client must accept that the XRD document may contain an empty links array.
   Already tested there.
</annost-xref>
<pre>

   A WebFinger resource MAY redirect the client; if it does, the
   redirection MUST only be to an "https" URI and the client MUST
   perform certificate validation again when redirected.

</pre>
<annost-test testid="4.2/12" name="Client must follow redirects" role="Client" level="MUST">
   The client must follow a redirect, if it leads to an HTTPS URI, and fail if it does not.
</annost-test>
<annost-test testid="4.2/13" name="Client must check certificates on the redirect target" role="Client" level="MUST">
   If the client is redirected, it must check the certificate of the new URI and not accept
   any obtained JRD if not valid.
</annost-test>
<annost-note>
   Not sure what constitutes a valid certificate for the purposes of our tests. FIXME?
</annost-note>
<annost-test testid="4.2/14" name="Server must only redirect to https" role="Server" level="MUST">
  The server must only redirect to https.
</annost-test>
<pre>

   A WebFinger resource can include cache validators in a response to
   enable conditional requests by the client and/or expiration times as
   per <a href="./rfc2616#section-13">Section&nbsp;13 of RFC 2616</a>.

<span class="h3"><a class="selflink" id="section-4.3" href="#section-4.3">4.3</a>.  The "rel" Parameter</span>

   When issuing a request to a WebFinger resource, the client MAY
   utilize the "rel" parameter to request only a subset of the
   information that would otherwise be returned without the "rel"
   parameter.  When the "rel" parameter is used and accepted, only the
   link relation types that match the link relation type provided via
   the "rel" parameter are included in the array of links returned in
   the JRD.  If there are no matching link relation types defined for
   the resource, the "links" array in the JRD will be either absent or
   empty.  All other information present in a resource descriptor
   remains present, even when "rel" is employed.

</pre>
<annost-test testid="4.3/1" name="Subset or all when query asks for specific rels" role="Server" level="MUST">
If a request includes one or more rels, the resulting set of links in the JRD must be a subset,
the same as in the response to a request that does not include any rel parameter.
All other parts of the JRD must be the same.
</annost-test>
<annost-xref target="4.2/10">
Non-existing links.
</annost-xref>
<annost-xref target="4.2/11">
Empty links.
</annost-xref>
<pre>

   The "rel" parameter MAY be included multiple times in order to
   request multiple link relation types.

</pre>
<annost-xref target="4/1">
A server must accept requests that have multiple rel parameters. Already tested there.
</annost-xref>
<pre>
   The purpose of the "rel" parameter is to return a subset of "link
   relation objects" (see <a href="#section-4.4.4">Section 4.4.4</a>) that would otherwise be
   returned in the resource descriptor.  Use of the parameter might
   reduce processing requirements on either the client or server, and it
   might also reduce the bandwidth required to convey the partial
   resource descriptor, especially if there are numerous link relation
   values to convey for a given "resource" value.  Note that if a client
   requests a particular link relation type for which the server has no
   information, the server MAY return a JRD with an empty "links" array
   or no "links" array.

</pre>
<annost-xref target="4.2/10">
Non-existing links.
</annost-xref>
<annost-xref target="4.2/11">
Empty links.
</annost-xref>
<pre>



<span class="grey">Jones, et al.                Standards Track                    [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc7033">RFC 7033</a>                        WebFinger                 September 2013</span>


   WebFinger resources SHOULD support the "rel" parameter.  If the
   resource does not support the "rel" parameter, it MUST ignore the
   parameter and process the request as if no "rel" parameter values
   were present.

</pre>
<annost-xref target="4/1">
   A server must accept requests with any rel parameters, even if it does not understand them.
   Already tested there.
</annost-xref>
<pre>

   The following example uses the "rel" parameter to request links for
   two link relation types:

    GET /.well-known/webfinger?
        resource=acct%3Abob%40example.com&amp;
        rel=http%3A%2F%2Fwebfinger.example%2Frel%2Fprofile-page&amp;
        rel=http%3A%2F%2Fwebfinger.example%2Frel%2Fbusinesscard HTTP/1.1
    Host: example.com

</pre>
<annost-xref target="4/1">
A server must accept the preceding query (adjusted with an identifier that the
server can resolve) as valid.
Already tested there.
</annost-xref>
<annost-xref target="4/1">
 A server must return the same JRD, or the same JRD with a shorter links array if the rel parameters
are specified. The removed elements must correspond to the rels.
Already tested there.
</annost-xref>
<annost-note>
The spec talks about a "subset", which, as a set, is commonly interpreted to be unordered. However,
they allow that the ordering of links is meaningful (see 4.4.4). So I think they probably don't mean
subset, but sub-sequence.
</annost-note>
<pre>

   In this example, the client requests the link relations of type
   "http://webfinger.example/rel/profile-page" and
   "http://webfinger.example/rel/businesscard".  The server then
   responds with a message like this:

     HTTP/1.1 200 OK
     Access-Control-Allow-Origin: *
     Content-Type: application/jrd+json

     {
       "subject" : "acct:bob@example.com",
       "aliases" :
       [
         "https://www.example.com/~bob/"
       ],
       "properties" :
       {
           "http://example.com/ns/role" : "employee"
       },
       "links" :
       [
         {
           "rel" : "http://webfinger.example/rel/profile-page",
           "href" : "https://www.example.com/~bob/"
         },
         {
           "rel" : "http://webfinger.example/rel/businesscard",
           "href" : "https://www.example.com/~bob/bob.vcf"
         }
       ]
     }

</pre>
<annost-test testid="4.3/6" name="Client accepts example response" role="Client" level="MUST">
A client must accept the preceding example response as valid.
</annost-test>
<pre>





<span class="grey">Jones, et al.                Standards Track                   [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc7033">RFC 7033</a>                        WebFinger                 September 2013</span>


   As you can see in the response, the resource representation contains
   only the links of the types requested by the client and for which the
   server had information, but the other parts of the JRD are still
   present.  Note also in the above example that the links returned in
   the "links" array all use HTTPS, which is important if the data
   indirectly obtained via WebFinger needs to be returned securely.

<span class="h3"><a class="selflink" id="section-4.4" href="#section-4.4">4.4</a>.  The JSON Resource Descriptor (JRD)</span>

   The JSON Resource Descriptor (JRD), originally introduced in <a href="./rfc6415">RFC 6415</a>
   [<a href="#ref-16" title="&quot;Web Host Metadata&quot;">16</a>] and based on the Extensible Resource Descriptor (XRD) format
   [<a href="#ref-17" title="&quot;Extensible Resource Descriptor (XRD) Version 1.0&quot;">17</a>], is a JSON object that comprises the following name/value pairs:

           o subject
           o aliases
           o properties
           o links

</pre>
<annost-note>
All content provided by a server with a successful status code must be valid JSON.
</annost-note>
<annost-test testid="4.4/1" name="Client rejects invalid JSON" role="Client" level="MUST">
   A client must reject any received content that is not valid JSON.
</annost-test>
<pre>

   The member "subject" is a name/value pair whose value is a string,
   "aliases" is an array of strings, "properties" is an object
   comprising name/value pairs whose values are strings, and "links" is
   an array of objects that contain link relation information.

</pre>
<annost-note>
Although the structure is defined here, rather than in sub-sections, we define
the tests in the sub-sections.
</annost-note>
<pre>

   When processing a JRD, the client MUST ignore any unknown member and
   not treat the presence of an unknown member as an error.

</pre>
<annost-test testid="4.4/2" name="Client accepts unknown entries in the JRD" role="Client" level="MUST">
A client must accept entries on the first level of the JRD that it does not
understand.
</annost-test>
<pre>

   Below, each of these members of the JRD is described in more detail.

<span class="h4"><a class="selflink" id="section-4.4.1" href="#section-4.4.1">4.4.1</a>.  subject</span>

   The value of the "subject" member is a URI that identifies the entity
   that the JRD describes.

   The "subject" value returned by a WebFinger resource MAY differ from
   the value of the "resource" parameter used in the client's request.
   This might happen, for example, when the subject's identity changes
   (e.g., a user moves his or her account to another service) or when
   the resource prefers to express URIs in canonical form.

   The "subject" member SHOULD be present in the JRD.

</pre>
<annost-xref target="4/1">
If a JRD has a subject member, the value must be an absolute URI.
Already tested there.
</annost-xref>
<annost-test testid="4.4.1/2" name="Client accepts JRDs with subject" role="Client" level="MUST">
A client must accept JRD documents that have the subject member.
</annost-test>
<annost-test testid="4.4.1/3" name="Client accepts JRDs without subject" role="Client" level="MUST">
A client must accept JRD documents that do not have the subject member.
</annost-test>
<pre>

<span class="h4"><a class="selflink" id="section-4.4.2" href="#section-4.4.2">4.4.2</a>.  aliases</span>

   The "aliases" array is an array of zero or more URI strings that
   identify the same entity as the "subject" URI.

   The "aliases" array is OPTIONAL in the JRD.

</pre>
<annost-xref target="4/1">
If a JRD has an aliases member, it must be an array of any length.
Each array member must be a valid, absolute URI.
Already tested there.
</annost-xref>
<annost-xref target="4.2/10">
A client must accept JRD documents that do have zero or more aliases.
Already tested there.
</annost-xref>
<annost-xref target="4.2/10">
A client must accept JRD documents that do not have the aliases member.
Already tested there.
</annost-xref>
<pre>



<span class="grey">Jones, et al.                Standards Track                   [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc7033">RFC 7033</a>                        WebFinger                 September 2013</span>


<span class="h4"><a class="selflink" id="section-4.4.3" href="#section-4.4.3">4.4.3</a>.  properties</span>

   The "properties" object comprises zero or more name/value pairs whose
   names are URIs (referred to as "property identifiers") and whose
   values are strings or null.  Properties are used to convey additional
   information about the subject of the JRD.  As an example, consider
   this use of "properties":

     "properties" : { "http://webfinger.example/ns/name" : "Bob Smith" }

   The "properties" member is OPTIONAL in the JRD.

</pre>
<annost-xref target="4/1">
If a JRD has a properties member, it must be a JSON object of any size.
All keys in the JSON object must be valid absolute URIs.
All values in the JSON object must be of type string or be null.
Already tested there.
</annost-xref>
<annost-xref target="4.2/10">
   A client must accept JRD documents that have zero or more properties members.
   Already tested there.
</annost-xref>
<annost-xref target="4.2/10">
   A client must accept JRD documents that do not have the properties member.
   Already tested there.
</annost-xref>
<pre>

<span class="h4"><a class="selflink" id="section-4.4.4" href="#section-4.4.4">4.4.4</a>.  links</span>

   The "links" array has any number of member objects, each of which
   represents a link [<a href="#ref-4" title="&quot;Web Linking&quot;">4</a>].  Each of these link objects can have the
   following members:

           o rel
           o type
           o href
           o titles
           o properties

</pre>
<annost-note>
 Here is says each link element "may" contain those elements, but further below it says that "rel" is required.
</annost-note>
<pre>
      The "rel" and "href" members are strings representing the link's
   relation type and the target URI, respectively.  The context of the
   link is the "subject" (see <a href="#section-4.4.1">Section 4.4.1</a>).

   The "type" member is a string indicating what the media type of the
   result of dereferencing the link ought to be.

   The order of elements in the "links" array MAY be interpreted as
   indicating an order of preference.  Thus, if there are two or more
   link relations having the same "rel" value, the first link relation
   would indicate the user's preferred link.

   The "links" array is OPTIONAL in the JRD.

</pre>
<annost-xref target="4/1">
If a JRD has a links member, it must be a JSON array of any size.
All members of the array must of type JSON Object.
Already tested there.
</annost-xref>
<annost-xref target="4.2/10">
   A client must accept JRD documents that have zero or more links members.
   Already tested there.
</annost-xref>
<annost-xref target="4.2/10">
   A client must accept JRD documents that do not have the link member.
   Already tested there.
</annost-xref>
<pre>

   Below, each of the members of the objects found in the "links" array
   is described in more detail.  Each object in the "links" array,
   referred to as a "link relation object", is completely independent
   from any other object in the array; any requirement to include a
   given member in the link relation object refers only to that
   particular object.







<span class="grey">Jones, et al.                Standards Track                   [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc7033">RFC 7033</a>                        WebFinger                 September 2013</span>


<span class="h5"><a class="selflink" id="section-4.4.4.1" href="#section-4.4.4.1">4.4.4.1</a>.  rel</span>

   The value of the "rel" member is a string that is either a URI or a
   registered relation type [<a href="#ref-8" title="&quot;Link Relations&quot;">8</a>] (see <a href="./rfc5988">RFC 5988</a> [<a href="#ref-4" title="&quot;Web Linking&quot;">4</a>]).  The value of the
   "rel" member MUST contain exactly one URI or registered relation
   type.  The URI or registered relation type identifies the type of the
   link relation.

</pre>
<annost-xref target="4/1">
  The server must provide a "rel" entry in each link element, and its value must be a non-empty string.
  The value must be a valid URI or be a relationship type registered
  at <a href="http://www.iana.org/assignments/link-relations/">http://www.iana.org/assignments/link-relations/</a>.
  Already tested there.
</annost-xref>
<pre>

   The other members of the object have meaning only once the type of
   link relation is understood.  In some instances, the link relation
   will have associated semantics enabling the client to query for other
   resources on the Internet.  In other instances, the link relation
   will have associated semantics enabling the client to utilize the
   other members of the link relation object without fetching additional
   external resources.

   URI link relation type values are compared using the "Simple String
   Comparison" algorithm of <a href="./rfc3986#section-6.2.1">Section&nbsp;6.2.1 of RFC 3986</a>.

</pre>
<annost-xref target="4/1">
   If a server chooses to return a subset of the JRD based on one or more provided rel parameters
in the query, the server must return those link elements whose rel values are the same
as at least one of the provided rel parameters, using the "Simple String Comparison"
algorithm.
Already tested there.
</annost-xref>
<pre>

   The "rel" member MUST be present in the link relation object.

<span class="h5"><a class="selflink" id="section-4.4.4.2" href="#section-4.4.4.2">4.4.4.2</a>.  type</span>

   The value of the "type" member is a string that indicates the media
   type [<a href="#ref-9" title="&quot;MIME Media Types&quot;">9</a>] of the target resource (see <a href="./rfc6838">RFC 6838</a> [<a href="#ref-10" title="&quot;Media Type Specifications and Registration Procedures&quot;">10</a>]).

   The "type" member is OPTIONAL in the link relation object.

</pre>
<annost-xref target="4/1">
   If a type member is provided, its value must be a non-empty string
that is a media type as defined in the above standard.
Already tested there.
</annost-xref>
<pre>

<span class="h5"><a class="selflink" id="section-4.4.4.3" href="#section-4.4.4.3">4.4.4.3</a>.  href</span>

   The value of the "href" member is a string that contains a URI
   pointing to the target resource.

   The "href" member is OPTIONAL in the link relation object.

</pre>
<annost-xref target="4/1">
   If an href member is provided, its value must be a non-empty, absolute URI.
</annost-xref>
<annost-note>
   I was expecting this to be an http/s URI, but apparently it can be any.
</annost-note><pre>

<span class="h5"><a class="selflink" id="section-4.4.4.4" href="#section-4.4.4.4">4.4.4.4</a>.  titles</span>

   The "titles" object comprises zero or more name/value pairs whose
   names are a language tag [<a href="#ref-11" title="&quot;Tags for Identifying Languages&quot;">11</a>] or the string "und".  The string is
   human-readable and describes the link relation.  More than one title
   for the link relation MAY be provided for the benefit of users who
   utilize the link relation, and, if used, a language identifier SHOULD
   be duly used as the name.  If the language is unknown or unspecified,
   then the name is "und".

</pre>
<annost-xref target="4/1">
   If a titles entry is provided, its value is a JSON object of any size.
   Already tested there.
</annost-xref>
<annost-xref target="4/1">
   The JSON object contains only names that are the value "und" or the name
   of a language according to RFC 5646.
   Already tested there.
</annost-xref>
<annost-xref target="4/1">
   The values in any titles entry must be non-empty string.
   Already tested there.
</annost-xref>
<annost-xref target="4.2/10">
   A client must accept JDK link elements that have zero or more title members.
   Already tested there.
</annost-xref>
<annost-xref target="4.2/10">
   A client must accept JDK link elements that do not have the title member.
   Already tested there.
</annost-xref>

<pre>

   A JRD SHOULD NOT include more than one title identified with the same
   language tag (or "und") within the link relation object.  Meaning is
   undefined if a link relation object includes more than one title



<span class="grey">Jones, et al.                Standards Track                   [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc7033">RFC 7033</a>                        WebFinger                 September 2013</span>


   named with the same language tag (or "und"), though this MUST NOT be
   treated as an error.  A client MAY select whichever title or titles
   it wishes to utilize.

   Here is an example of the "titles" object:

     "titles" :
     {
       "en-us" : "The Magical World of Steve",
       "fr" : "Le Monde Magique de Steve"
     }

   The "titles" member is OPTIONAL in the link relation object.

<span class="h5"><a class="selflink" id="section-4.4.4.5" href="#section-4.4.4.5">4.4.4.5</a>.  properties</span>

   The "properties" object within the link relation object comprises
   zero or more name/value pairs whose names are URIs (referred to as
   "property identifiers") and whose values are strings or null.
   Properties are used to convey additional information about the link
   relation.  As an example, consider this use of "properties":

     "properties" : { "http://webfinger.example/mail/port" : "993" }

   The "properties" member is OPTIONAL in the link relation object.

</pre>
<annost-xref target="4/1">
   If a properties entry is provided, it must be a JSON object of any size.
   All keys in the JSON object must be valid absolute URIs.
   All values in the JSON object must be of type string or be null.
   Already tested there.
 </annost-xref>
<pre>

<span class="h3"><a class="selflink" id="section-4.5" href="#section-4.5">4.5</a>.  WebFinger and URIs</span>

   WebFinger requests include a "resource" parameter (see <a href="#section-4.1">Section 4.1</a>)
   specifying the query target (URI) for which the client requests
   information.  WebFinger is neutral regarding the scheme of such a
   URI: it could be an "acct" URI [<a href="#ref-18" title="&quot;The 'acct' URI Scheme&quot;">18</a>], an "http" or "https" URI, a
   "mailto" URI [<a href="#ref-19" title="&quot;The 'mailto' URI Scheme&quot;">19</a>], or some other scheme.

</pre>
<annost-test testid="4.5/1" name="Any URI scheme for resource identifiers" role="Server" level="MUST">
The server must accept resource identifiers provided in the query that use any scheme.
It appears that this implies it must return "404 not found" for URI schemes it does not understand.
(It accepts the query, so it can't be 400, but has no knowledge about the acct.)
</annost-test>
<pre>

<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>.  Cross-Origin Resource Sharing (CORS)</span>

   WebFinger resources might not be accessible from a web browser due to
   "Same-Origin" policies.  The current best practice is to make
   resources available to browsers through Cross-Origin Resource Sharing
   (CORS) [<a href="#ref-7" title="&quot;Cross-Origin Resource Sharing&quot;">7</a>], and servers MUST include the Access-Control-Allow-Origin
   HTTP header in responses.  Servers SHOULD support the least
   restrictive setting by allowing any domain access to the WebFinger
   resource:

      Access-Control-Allow-Origin: *


<span class="grey">Jones, et al.                Standards Track                   [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc7033">RFC 7033</a>                        WebFinger                 September 2013</span>


   There are cases where defaulting to the least restrictive setting is
   not appropriate.  For example, a server on an intranet that provides
   sensitive company information SHOULD NOT allow CORS requests from any
   domain, as that could allow leaking of that sensitive information.  A
   server that wishes to restrict access to information from external
   entities SHOULD use a more restrictive Access-Control-Allow-Origin
   header.

</pre>
<annost-test testid="5/1" name="CORS" role="Server" level="MUST">
The server must provide a valid value for HTTP Header "Access-Control-Allow-Origin".
</annost-test>
<pre>

<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>.  Access Control</span>

   As with all web resources, access to the WebFinger resource could
   require authentication.  Further, failure to provide required
   credentials might result in the server forbidding access or providing
   a different response than had the client authenticated with the
   server.

</pre>
<annost-note>
   A server response with HTTP status 401 (Unauthorized), 402 (Payment required), 403 (Forbidden),
   407 (Proxy Authentication Required) is acceptable.
</annost-note>
<pre>
   Likewise, a WebFinger resource MAY provide different responses to
   different clients based on other factors, such as whether the client
   is inside or outside a corporate network.  As a concrete example, a
   query performed on the internal corporate network might return link
   relations to employee pictures, whereas link relations for employee
   pictures might not be provided to external entities.

   Further, link relations provided in a WebFinger resource
   representation might point to web resources that impose access
   restrictions.  For example, the aforementioned corporate server may
   provide both internal and external entities with URIs to employee
   pictures, but further authentication might be required in order for
   the client to access the picture resources if the request comes from
   outside the corporate network.

   The decisions made with respect to what set of link relations a
   WebFinger resource provides to one client versus another and what
   resources require further authentication, as well as the specific
   authentication mechanisms employed, are outside the scope of this
   document.

<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>.  Hosted WebFinger Services</span>

   As with most services provided on the Internet, it is possible for a
   domain owner to utilize "hosted" WebFinger services.  By way of
   example, a domain owner might control most aspects of their domain
   but use a third-party hosting service for email.  In the case of
   email, mail exchange (MX) records identify mail servers for a domain.
   An MX record points to the mail server to which mail for the domain
   should be delivered.  To the sending server, it does not matter
   whether those MX records point to a server in the destination domain
   or a different domain.



<span class="grey">Jones, et al.                Standards Track                   [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc7033">RFC 7033</a>                        WebFinger                 September 2013</span>


   Likewise, a domain owner might utilize the services of a third party
   to provide WebFinger services on behalf of its users.  Just as a
   domain owner is required to insert MX records into DNS to allow for
   hosted email services, the domain owner is required to redirect HTTP
   queries to its domain to allow for hosted WebFinger services.

   When a query is issued to the WebFinger resource, the web server MUST
   return a response with a redirection status code that includes a
   Location header pointing to the location of the hosted WebFinger
   service URI.  This WebFinger service URI does not need to point to
   the well-known WebFinger location on the hosting service provider
   server.

</pre>
<annost-xref target=""4.2/12">
If a server issues a redirect in response to a query, the client must use
the provided Location URI, even if it has different query parameters or does
not use the .well-known location.
Already tested there.
</annost-xref>
<pre>

   As an example, assume that example.com's WebFinger services are
   hosted by wf.example.net.  Suppose a client issues a query for
   acct:alice@example.com like this:

     GET /.well-known/webfinger?
                   resource=acct%3Aalice%40example.com HTTP/1.1
     Host: example.com

   The server might respond with this:

     HTTP/1.1 307 Temporary Redirect
     Access-Control-Allow-Origin: *
     Location: https://wf.example.net/example.com/webfinger?
                   resource=acct%3Aalice%40example.com

   The client can then follow the redirection, reissuing the request to
   the URI provided in the Location header.  Note that the server will
   include any required URI parameters in the Location header value,
   which could be different than the URI parameters the client
   originally used.


<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>.  Definition of WebFinger Applications</span>

   This specification details the protocol syntax used to query a domain
   for information about a URI, the syntax of the JSON Resource
   Descriptor (JRD) that is returned in response to that query, security
   requirements and considerations, hosted WebFinger services, various
   expected HTTP status codes, and so forth.  However, this
   specification does not enumerate the various possible properties or
   link relation types that might be used in conjunction with WebFinger
   for a particular application, nor does it define what properties or
   link relation types one might expect to see in response to querying
   for a particular URI or URI scheme.  Nonetheless, all of these
   unspecified elements are important in order to implement an
   interoperable application that utilizes the WebFinger protocol and



<span class="grey">Jones, et al.                Standards Track                   [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc7033">RFC 7033</a>                        WebFinger                 September 2013</span>


   MUST be specified in the relevant document(s) defining the particular
   application making use of the WebFinger protocol according to the
   procedures described in this section.

<span class="h3"><a class="selflink" id="section-8.1" href="#section-8.1">8.1</a>.  Specification of the URI Scheme and URI</span>

   Any application that uses WebFinger MUST specify the URI scheme(s),
   and to the extent appropriate, what forms the URI(s) might take.  For
   example, when querying for information about a user's account at some
   domain, it might make sense to specify the use of the "acct" URI
   scheme [<a href="#ref-18" title="&quot;The 'acct' URI Scheme&quot;">18</a>].  When trying to obtain the copyright information for a
   web page, it makes sense to specify the use of the web page URI
   (either http or https).

   The examples in Sections <a href="#section-3.1">3.1</a> and <a href="#section-3.2">3.2</a> illustrate the use of different
   URI schemes with WebFinger applications.  In the example in <a href="#section-3.1">Section</a>
   <a href="#section-3.1">3.1</a>, WebFinger is used to retrieve information pertinent to OpenID
   Connect.  In the example in <a href="#section-3.2">Section 3.2</a>, WebFinger is used to
   discover metadata information about a web page, including author and
   copyright information.  Each of these WebFinger applications needs to
   be fully specified to ensure interoperability.

<span class="h3"><a class="selflink" id="section-8.2" href="#section-8.2">8.2</a>.  Host Resolution</span>

   As explained in <a href="#section-4">Section 4</a>, the host to which a WebFinger query is
   issued is significant.  In general, WebFinger applications would
   adhere to the procedures described in <a href="#section-4">Section 4</a> in order to properly
   direct a WebFinger query.

   However, some URI schemes do not have host portions and there might
   be some applications of WebFinger for which the host portion of a URI
   cannot or should not be utilized.  In such instances, the application
   specification MUST clearly define the host resolution procedures,
   which might include provisioning a "default" host within the client
   to which queries are directed.

<span class="h3"><a class="selflink" id="section-8.3" href="#section-8.3">8.3</a>.  Specification of Properties</span>

   WebFinger defines both subject-specific properties (i.e., properties
   described in <a href="#section-4.4.3">Section 4.4.3</a> that relate to the URI for which
   information is queried) and link-specific properties (see <a href="#section-4.4.4.5">Section</a>
   <a href="#section-4.4.4.5">4.4.4.5</a>).  This section refers to subject-specific properties.

   Applications that utilize subject-specific properties MUST define the
   URIs used in identifying those properties, along with valid property
   values.





<span class="grey">Jones, et al.                Standards Track                   [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc7033">RFC 7033</a>                        WebFinger                 September 2013</span>


   Consider this portion of the JRD found in the example in <a href="#section-3.2">Section 3.2</a>.

       "properties" :
       {
         "http://blgx.example.net/ns/version" : "1.3",
         "http://blgx.example.net/ns/ext" : null
       }

   Here, two properties are returned in the WebFinger response.  Each of
   these would be defined in a WebFinger application specification.
   These two properties might be defined in the same WebFinger
   application specification or separately in different specifications.
   Since the latter is possible, it is important that WebFinger clients
   not assume that one property has any specific relationship with
   another property, unless some relationship is explicitly defined in
   the particular WebFinger application specification.

<span class="h3"><a class="selflink" id="section-8.4" href="#section-8.4">8.4</a>.  Specification of Links</span>

   The links returned in a WebFinger response each comprise several
   pieces of information, some of which are optional (refer to <a href="#section-4.4.4">Section</a>
   <a href="#section-4.4.4">4.4.4</a>).  The WebFinger application specification MUST define each
   link and any values associated with a link, including the link
   relation type ("rel"), the expected media type ("type"), properties,
   and titles.

   The target URI to which the link refers (i.e., the "href"), if
   present, would not normally be specified in an application
   specification.  However, the URI scheme or any special
   characteristics of the URI would usually be specified.  If a
   particular link does not require an external reference, then all of
   the semantics related to the use of that link MUST be defined within
   the application specification.  Such links might rely only on
   properties or titles in the link to convey meaning.

<span class="h3"><a class="selflink" id="section-8.5" href="#section-8.5">8.5</a>.  One URI, Multiple Applications</span>

   It is important to be mindful of the fact that different WebFinger
   applications might specify the use of the same URI scheme, and in
   effect, the same URI for different purposes.  That should not be a
   problem, since each of property identifier (see Sections <a href="#section-4.4.3">4.4.3</a> and
   4.4.4.5) and link relation type would be uniquely defined for a
   specific application.

   It should be noted that when a client requests information about a
   particular URI and receives a response with a number of different
   property identifiers or link relation types that the response is
   providing information about the URI without any particular semantics.



<span class="grey">Jones, et al.                Standards Track                   [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc7033">RFC 7033</a>                        WebFinger                 September 2013</span>


   How the client interprets the information SHOULD be in accordance
   with the particular application specification or set of
   specifications the client implements.

   Any syntactically valid properties or links the client receives and
   that are not fully understood SHOULD be ignored and SHOULD NOT cause
   the client to report an error.

<span class="h3"><a class="selflink" id="section-8.6" href="#section-8.6">8.6</a>.  Registration of Link Relation Types and Properties</span>

   Application specifications MAY define a simple token as a link
   relation type for a link.  In that case, the link relation type MUST
   be registered with IANA as specified in Sections <a href="#section-10.3">10.3</a>.

   Further, any defined properties MUST be registered with IANA as
   described in <a href="#section-10.4">Section 10.4</a>.

<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>.  Security Considerations</span>

<span class="h3"><a class="selflink" id="section-9.1" href="#section-9.1">9.1</a>.  Transport-Related Issues</span>

   Since this specification utilizes Cross-Origin Resource Sharing
   (CORS) [<a href="#ref-7" title="&quot;Cross-Origin Resource Sharing&quot;">7</a>], all of the security considerations applicable to CORS are
   also applicable to this specification.

   The use of HTTPS is REQUIRED to ensure that information is not
   modified during transit.  It should be acknowledged that in
   environments where a web server is normally available, there exists
   the possibility that a compromised network might have its WebFinger
   resource operating on HTTPS replaced with one operating only over
   HTTP.  As such, clients MUST NOT issue queries over a non-secure
   connection.

   Clients MUST verify that the certificate used on an HTTPS connection
   is valid (as defined in [<a href="#ref-12" title="&quot;HTTP Over TLS&quot;">12</a>]) and accept a response only if the
   certificate is valid.

</pre>

<annost-xref target="4.2/7">
A client must not accept a response with an invalid tls certificate.
Already tested over there.
</annost-xref>
<pre>

<span class="h3"><a class="selflink" id="section-9.2" href="#section-9.2">9.2</a>.  User Privacy Considerations</span>

   Service providers and users should be aware that placing information
   on the Internet means that any user can access that information, and
   WebFinger can be used to make it even easier to discover that
   information.  While WebFinger can be an extremely useful tool for
   discovering one's avatar, blog, or other personal data, users should
   also understand the risks.






<span class="grey">Jones, et al.                Standards Track                   [Page 19]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span>
<span class="grey"><a href="./rfc7033">RFC 7033</a>                        WebFinger                 September 2013</span>


   Systems or services that expose personal data via WebFinger MUST
   provide an interface by which users can select which data elements
   are exposed through the WebFinger interface.  For example, social
   networking sites might allow users to mark certain data as "public"
   and then utilize that marking as a means of determining what
   information to expose via WebFinger.  The information published via
   WebFinger would thus comprise only the information marked as public
   by the user.  Further, the user has the ability to remove information
   from publication via WebFinger by removing this marking.

   WebFinger MUST NOT be used to provide any personal data unless
   publishing that data via WebFinger by the relevant service was
   explicitly authorized by the person whose information is being
   shared.  Publishing one's personal data within an access-controlled
   or otherwise limited environment on the Internet does not equate to
   providing implicit authorization of further publication of that data
   via WebFinger.

   The privacy and security concerns with publishing personal data via
   WebFinger are worth emphasizing again with respect to personal data
   that might reveal a user's current context (e.g., the user's
   location).  The power of WebFinger comes from providing a single
   place where others can find pointers to information about a person,
   but service providers and users should be mindful of the nature of
   that information shared and the fact that it might be available for
   the entire world to see.  Sharing location information, for example,
   would potentially put a person in danger from any individual who
   might seek to inflict harm on that person.

   Users should be aware of how easily personal data that one might
   publish can be used in unintended ways.  In one study relevant to
   WebFinger-like services, Balduzzi et al. [<a href="#ref-20" title="&quot;Abusing Social Networks for Automated User Profiling&quot;">20</a>] took a large set of
   leaked email addresses and demonstrated a number of potential privacy
   concerns, including the ability to cross-correlate the same user's
   accounts over multiple social networks.  The authors also describe
   potential mitigation strategies.

   The easy access to user information via WebFinger was a design goal
   of the protocol, not a limitation.  If one wishes to limit access to
   information available via WebFinger, such as WebFinger resources for
   use inside a corporate network, the network administrator needs to
   take necessary measures to limit access from outside the network.
   Using standard methods for securing web resources, network
   administrators do have the ability to control access to resources
   that might return sensitive information.  Further, a server can be
   employed in such a way as to require authentication and prevent
   disclosure of information to unauthorized entities.




<span class="grey">Jones, et al.                Standards Track                   [Page 20]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-21" ></span>
<span class="grey"><a href="./rfc7033">RFC 7033</a>                        WebFinger                 September 2013</span>


<span class="h3"><a class="selflink" id="section-9.3" href="#section-9.3">9.3</a>.  Abuse Potential</span>

   Service providers should be mindful of the potential for abuse using
   WebFinger.

   As one example, one might query a WebFinger server only to discover
   whether or not a given URI is valid.  With such a query, the person
   may deduce that an email identifier is valid, for example.  Such an
   approach could help spammers maintain a current list of known email
   addresses and to discover new ones.

   WebFinger could be used to associate a name or other personal data
   with an email address, allowing spammers to craft more convincing
   email messages.  This might be of particular value in phishing
   attempts.

   It is RECOMMENDED that implementers of WebFinger server software take
   steps to mitigate abuse, including malicious over-use of the server
   and harvesting of user information.  Although there is no mechanism
   that can guarantee that publicly accessible WebFinger databases won't
   be harvested, rate-limiting by IP address will prevent or at least
   dramatically slow harvest by private individuals without access to
   botnets or other distributed systems.  The reason these mitigation
   strategies are not mandatory is that the correct choice of mitigation
   strategy (if any) depends greatly on the context.  Implementers
   should not construe this as meaning that they do not need to consider
   whether to use a mitigation strategy, and if so, what strategy to
   use.

   WebFinger client developers should also be aware of potential abuse
   by spammers or those phishing for information about users.  As an
   example, suppose a mail client was configured to automatically
   perform a WebFinger query on the sender of each received mail
   message.  If a spammer sent an email using a unique identifier in the
   'From' header, then when the WebFinger query was performed, the
   spammer would be able to associate the request with a particular
   user's email address.  This would provide information to the spammer,
   including the user's IP address, the fact the user just checked
   email, what kind of WebFinger client the user utilized, and so on.
   For this reason, it is strongly advised that clients not perform
   WebFinger queries unless authorized by the user to do so.

<span class="h3"><a class="selflink" id="section-9.4" href="#section-9.4">9.4</a>.  Information Reliability</span>

   A WebFinger resource has no means of ensuring that information
   provided by a user is accurate.  Likewise, neither the resource nor
   the client can be absolutely guaranteed that information has not been
   manipulated either at the server or along the communication path



<span class="grey">Jones, et al.                Standards Track                   [Page 21]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-22" ></span>
<span class="grey"><a href="./rfc7033">RFC 7033</a>                        WebFinger                 September 2013</span>


   between the client and server.  Use of HTTPS helps to address some
   concerns with manipulation of information along the communication
   path, but it clearly cannot address issues where the resource
   provided incorrect information, either due to being provided false
   information or due to malicious behavior on the part of the server
   administrator.  As with any information service available on the
   Internet, users should be wary of information received from untrusted
   sources.

<span class="h2"><a class="selflink" id="section-10" href="#section-10">10</a>.  IANA Considerations</span>

<span class="h3"><a class="selflink" id="section-10.1" href="#section-10.1">10.1</a>.  Well-Known URI</span>

   This specification registers the "webfinger" well-known URI in the
   "Well-Known URIs" registry as defined by <a href="./rfc5785">RFC 5785</a> [<a href="#ref-3" title="&quot;Defining Well-Known Uniform Resource Identifiers (URIs)&quot;">3</a>].

   URI suffix:  webfinger

   Change controller:  IETF

   Specification document(s):  <a href="./rfc7033">RFC 7033</a>

   Related information:  The query to the WebFinger resource will
   include one or more parameters in the query string; see <a href="./rfc7033#section-4.1">Section&nbsp;4.1
   of RFC 7033</a>.  Resources at this location are able to return a JSON
   Resource Descriptor (JRD) as described in <a href="./rfc7033#section-4.4">Section&nbsp;4.4 of RFC 7033</a>.

<span class="h3"><a class="selflink" id="section-10.2" href="#section-10.2">10.2</a>.  JSON Resource Descriptor (JRD) Media Type</span>

   This specification registers the media type application/jrd+json for
   use with WebFinger in accordance with media type registration
   procedures defined in <a href="./rfc6838">RFC 6838</a> [<a href="#ref-10" title="&quot;Media Type Specifications and Registration Procedures&quot;">10</a>].

   Type name: application

   Subtype name: jrd+json

   Required parameters: N/A

   Optional parameters: N/A

     In particular, because <a href="./rfc4627">RFC 4627</a> already defines the character
     encoding for JSON, no "charset" parameter is used.

<annost-note>
  It's unclear whether this is supposed to be a MUST requirement. However, given that RFC 4627 only says &quot;UTF&quot;
  but not UTF-8 or UTF-16, and while apparently one can guess by looking at the first 4 octets, it seems perfectly
  acceptable to specify an encoding here.
</annost-note><pre>

    Encoding considerations: See <a href="./rfc6839#section-3.1">RFC 6839, Section&nbsp;3.1</a>.






<span class="grey">Jones, et al.                Standards Track                   [Page 22]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-23" ></span>
<span class="grey"><a href="./rfc7033">RFC 7033</a>                        WebFinger                 September 2013</span>


   Security considerations:

     The JSON Resource Descriptor (JRD) is a JavaScript Object Notation
     (JSON) object.  It is a text format that must be parsed by entities
     that wish to utilize the format.  Depending on the language and
     mechanism used to parse a JSON object, it is possible for an
     attacker to inject behavior into a running program.  Therefore,
     care must be taken to properly parse a received JRD to ensure that
     only a valid JSON object is present and that no JavaScript or other
     code is injected or executed unexpectedly.

   Interoperability considerations:

     This media type is a JavaScript Object Notation (JSON) object and
     can be consumed by any software application that can consume JSON
     objects.

   Published specification: <a href="./rfc7033">RFC 7033</a>

   Applications that use this media type:

     The JSON Resource Descriptor (JRD) is used by the WebFinger
     protocol (<a href="./rfc7033">RFC 7033</a>) to enable the exchange of information between a
     client and a WebFinger resource over HTTPS.

   Fragment identifier considerations:

     The syntax and semantics of fragment identifiers SHOULD be as
     specified for "application/json".  (At publication of this
     document, there is no fragment identification syntax defined for
     "application/json".)

   Additional information:

     Deprecated alias names for this type: N/A

     Magic number(s): N/A

     File extension(s): jrd

     Macintosh file type code(s): N/A

   Person &amp; email address to contact for further information:

     Paul E. Jones &lt;paulej@packetizer.com&gt;

   Intended usage: COMMON




<span class="grey">Jones, et al.                Standards Track                   [Page 23]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-24" ></span>
<span class="grey"><a href="./rfc7033">RFC 7033</a>                        WebFinger                 September 2013</span>


   Restrictions on usage: N/A

   Author: Paul E. Jones &lt;paulej@packetizer.com&gt;

   Change controller:

   IESG has change control over this registration.

   Provisional registration? (standards tree only): N/A

<span class="h3"><a class="selflink" id="section-10.3" href="#section-10.3">10.3</a>.  Registering Link Relation Types</span>

   <a href="./rfc5988">RFC 5988</a> established a "Link Relation Types" registry that is reused
   by WebFinger applications.

   Link relation types used by WebFinger applications are registered in
   the "Link Relation Types" registry as per the procedures of <a href="./rfc5988#section-6.2.1">Section</a>
   <a href="./rfc5988#section-6.2.1">6.2.1 of RFC 5988</a>.  The "Notes" entry for the registration SHOULD
   indicate if property values associated with the link relation type
   are registered in the "WebFinger Properties" registry with a link to
   the registry.

<span class="h3"><a class="selflink" id="section-10.4" href="#section-10.4">10.4</a>.  Establishment of the "WebFinger Properties" Registry</span>

   WebFinger utilizes URIs to identify properties of a subject or link
   and the associated values (see Sections <a href="#section-8.3">8.3</a> and <a href="#section-8.6">8.6</a>).  This
   specification establishes a new "WebFinger Properties" registry to
   record property identifiers.

<span class="h4"><a class="selflink" id="section-10.4.1" href="#section-10.4.1">10.4.1</a>.  The Registration Template</span>

   The registration template for WebFinger properties is:

          o Property Identifier:

          o Link Type:

          o Description:

          o Reference:

          o Notes: [optional]

   The "Property Identifier" must be a URI that identifies the property
   being registered.






<span class="grey">Jones, et al.                Standards Track                   [Page 24]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-25" ></span>
<span class="grey"><a href="./rfc7033">RFC 7033</a>                        WebFinger                 September 2013</span>


   The "Link Type" contains the name of a link relation type with which
   this property identifier is used.  If the property is a subject-
   specific property, then this field is specified as "N/A".

   The "Description" is intended to explain the purpose of the property.

   The "Reference" field points to the specification that defines the
   registered property.

   The optional "Notes" field is for conveying any useful information
   about the property that might be of value to implementers.

<span class="h4"><a class="selflink" id="section-10.4.2" href="#section-10.4.2">10.4.2</a>.  The Registration Procedures</span>

   The IETF has created a mailing list, webfinger@ietf.org, which can be
   used for public discussion of the WebFinger protocol and any
   applications that use it.  Prior to registration of a WebFinger
   property, discussion on the mailing list is strongly encouraged.  The
   IESG has appointed Designated Experts [<a href="#ref-13" title="">13</a>] who will monitor the
   webfinger@ietf.org mailing list and review registrations.

   A WebFinger property is registered with a Specification Required (see
   <a href="./rfc5226">RFC 5226</a> [<a href="#ref-13" title="">13</a>]) after a review by the Designated Experts.  The review
   is normally expected to take on the order of two to four weeks.
   However, the Designated Experts may approve a registration prior to
   publication of a specification once the Designated Experts are
   satisfied that such a specification will be published.  In evaluating
   registration requests, the Designated Experts should make an effort
   to avoid registering two different properties that have the same
   meaning.  Where a proposed property is similar to an already-defined
   property, the Designated Experts should insist that enough text be
   included in the description or notes section of the template to
   sufficiently differentiate the new property from an existing one.

   The registration procedure begins with a completed registration
   template (as defined above) sent to webfinger@ietf.org.  Once
   consensus is reached on the mailing list, the registration template
   is sent to iana@iana.org.  IANA will then contact the Designated
   Experts and communicate the results to the registrant.  The WebFinger
   mailing list provides an opportunity for community discussion and
   input, and the Designated Experts may use that input to inform their
   review.  Denials should include an explanation and, if applicable,
   suggestions as to how to make the request successful if resubmitted.








<span class="grey">Jones, et al.                Standards Track                   [Page 25]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-26" ></span>
<span class="grey"><a href="./rfc7033">RFC 7033</a>                        WebFinger                 September 2013</span>


   The specification registering the WebFinger property MUST include the
   completed registration template shown above.  Once the registration
   procedure concludes successfully, IANA creates or modifies the
   corresponding record in the "WebFinger Properties" registry.

<span class="h2"><a class="selflink" id="section-11" href="#section-11">11</a>.  Acknowledgments</span>

   This document has benefited from extensive discussion and review by
   many of the members of the APPSAWG working group.  The authors would
   like to especially acknowledge the invaluable input of Eran Hammer-
   Lahav, Blaine Cook, Brad Fitzpatrick, Laurent-Walter Goix, Joe
   Clarke, Peter Saint-Andre, Dick Hardt, Tim Bray, James Snell, Melvin
   Carvalho, Evan Prodromou, Mark Nottingham, Elf Pavlik, Bjoern
   Hoehrmann, Subramanian Moonesamy, Joe Gregorio, John Bradley, and
   others that we have undoubtedly, but inadvertently, missed.

   The authors would also like to express their gratitude to the chairs
   of the APPSAWG working group, especially Salvatore Loreto for his
   assistance in shepherding this document.  We also want to thank Barry
   Leiba and Pete Resnick, the Applications Area Directors, for their
   support and exhaustive reviews.

<span class="h2"><a class="selflink" id="section-12" href="#section-12">12</a>.  References</span>

<span class="h3"><a class="selflink" id="section-12.1" href="#section-12.1">12.1</a>.  Normative References</span>

   [<a id="ref-1">1</a>]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
         Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.

   [<a id="ref-2">2</a>]   Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L.,
         Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol
         -- HTTP/1.1", <a href="./rfc2616">RFC 2616</a>, June 1999.

   [<a id="ref-3">3</a>]   Nottingham, M. and E. Hammer-Lahav, "Defining Well-Known
         Uniform Resource Identifiers (URIs)", <a href="./rfc5785">RFC 5785</a>, April 2010.

   [<a id="ref-4">4</a>]   Nottingham, M., "Web Linking", <a href="./rfc5988">RFC 5988</a>, October 2010.

   [<a id="ref-5">5</a>]   Crockford, D., "The application/json Media Type for JavaScript
         Object Notation (JSON)", <a href="./rfc4627">RFC 4627</a>, July 2006.

   [<a id="ref-6">6</a>]   Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
         Resource Identifier (URI): Generic Syntax", STD 66, <a href="./rfc3986">RFC 3986</a>,
         January 2005.

   [<a id="ref-7">7</a>]   Van Kesteren, A., "Cross-Origin Resource Sharing", W3C CORS,
         July 2010, &lt;<a href="http://www.w3.org/TR/cors/">http://www.w3.org/TR/cors/</a>&gt;.




<span class="grey">Jones, et al.                Standards Track                   [Page 26]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-27" ></span>
<span class="grey"><a href="./rfc7033">RFC 7033</a>                        WebFinger                 September 2013</span>


   [<a id="ref-8">8</a>]   IANA, "Link Relations",
         &lt;<a href="http://www.iana.org/assignments/link-relations/">http://www.iana.org/assignments/link-relations/</a>&gt;.

   [<a id="ref-9">9</a>]   IANA, "MIME Media Types",
         &lt;<a href="http://www.iana.org/assignments/media-types">http://www.iana.org/assignments/media-types</a>&gt;.

   [<a id="ref-10">10</a>]  Freed, N., Klensin, J., and T. Hansen, "Media Type
         Specifications and Registration Procedures", <a href="https://www.rfc-editor.org/bcp/bcp13">BCP 13</a>, <a href="./rfc6838">RFC 6838</a>,
         January 2013.

   [<a id="ref-11">11</a>]  Phillips, A., Ed., and M. Davis, Ed., "Tags for Identifying
         Languages", <a href="https://www.rfc-editor.org/bcp/bcp47">BCP 47</a>, <a href="./rfc5646">RFC 5646</a>, September 2009.

   [<a id="ref-12">12</a>]  Rescorla, E., "HTTP Over TLS", <a href="./rfc2818">RFC 2818</a>, May 2000.

   [<a id="ref-13">13</a>]  Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
         Considerations Section in RFCs", <a href="https://www.rfc-editor.org/bcp/bcp26">BCP 26</a>, <a href="./rfc5226">RFC 5226</a>, May 2008.

<span class="h3"><a class="selflink" id="section-12.2" href="#section-12.2">12.2</a>.  Informative References</span>

   [<a id="ref-14">14</a>]  Perreault, S., "vCard Format Specification", <a href="./rfc6350">RFC 6350</a>, August
         2011.

   [<a id="ref-15">15</a>]  Sakimura, N., Bradley, J., Jones, M., de Medeiros, B.,
         Mortimore, C., and E. Jay, "OpenID Connect Messages 1.0",
         July 2013,
         &lt;<a href="http://openid.net/specs/openid-connect-messages-1_0.html">http://openid.net/specs/openid-connect-messages-1_0.html</a>&gt;.

   [<a id="ref-16">16</a>]  Hammer-Lahav, E., Ed., and B. Cook, "Web Host Metadata", <a href="./rfc6415">RFC</a>
         <a href="./rfc6415">6415</a>, October 2011.

   [<a id="ref-17">17</a>]  Hammer-Lahav, E. and W. Norris, "Extensible Resource Descriptor
         (XRD) Version 1.0",
         &lt;<a href="http://docs.oasis-open.org/xri/xrd/v1.0/xrd-1.0.html">http://docs.oasis-open.org/xri/xrd/v1.0/xrd-1.0.html</a>&gt;.

   [<a id="ref-18">18</a>]  Saint-Andre, P., <a style="text-decoration: none" href='https://www.google.com/search?sitesearch=datatracker.ietf.org%2Fdoc%2Fhtml%2F&amp;q=inurl:draft-+%22The+%27acct%27+URI+Scheme%22'>"The 'acct' URI Scheme"</a>, Work in Progress,
         July 2013.

   [<a id="ref-19">19</a>]  Duerst, M., Masinter, L., and J. Zawinski, "The 'mailto' URI
         Scheme", <a href="./rfc6068">RFC 6068</a>, October 2010.

   [<a id="ref-20">20</a>]  Balduzzi, M., Platzer, C., Thorsten, H., Kirda, E., Balzarotti,
         D., and C. Kruegel "Abusing Social Networks for Automated User
         Profiling", Recent Advances in Intrusion Detection, Springer
         Berlin Heidelberg, March 2010,
         &lt;<a href="https://www.eurecom.fr/en/publication/3042/download/rs-publi-3042_1.pdf">https://www.eurecom.fr/en/publication/3042/download/</a>
         <a href="https://www.eurecom.fr/en/publication/3042/download/rs-publi-3042_1.pdf">rs-publi-3042_1.pdf</a>&gt;.




<span class="grey">Jones, et al.                Standards Track                   [Page 27]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-28" ></span>
<span class="grey"><a href="./rfc7033">RFC 7033</a>                        WebFinger                 September 2013</span>


Authors' Addresses

   Paul E. Jones
   Cisco Systems, Inc.
   7025 Kit Creek Rd.
   Research Triangle Park, NC 27709
   USA

   Phone: +1 919 476 2048
   EMail: paulej@packetizer.com
   IM: xmpp:paulej@packetizer.com


   Gonzalo Salgueiro
   Cisco Systems, Inc.
   7025 Kit Creek Rd.
   Research Triangle Park, NC 27709
   USA

   Phone: +1 919 392 3266
   EMail: gsalguei@cisco.com
   IM: xmpp:gsalguei@cisco.com


   Michael B. Jones
   Microsoft

   EMail: mbj@microsoft.com
   URI: <a href="http://self-issued.info/">http://self-issued.info/</a>


   Joseph Smarr
   Google

   EMail: jsmarr@google.com
   URI: <a href="http://josephsmarr.com/">http://josephsmarr.com/</a>















Jones, et al.                Standards Track                   [Page 28]
</pre>

</body>
</html>