On Fri, 20 Jul 2018 23:56:31 -0600, pradeep@xxxxxxxxxxxxxxxxx said: > Hello > > Please approve a mailing list for these drafts or inform me of > procedure how to Create > one. > > https://datatracker.ietf.org/doc/draft-pradeepkumarxplorer-httpi/ > https://datatracker.ietf.org/doc/draft-pradeepkumarxplorer-httpuserinfo/ These are both one-paragraph drafts calling for solutions to problems that have been solved quite some time ago. 'httpi://' isn't needed, because we already have all the pieces we need to do this. In fact, if anything, many websites have so many "related" and "you might be interested in" links that we've coined the term "clickbait" for attempts to get your attention among the mass of links. And let's face it - this is a service that should be under the user's control. This has two results: 1) It doesn't need to be sent to the destination site so they can decorate the page they're sending you, so a new protocol isn't needed. 2) Since it's better done by the user, what you *really* want is a browser extension that does all the markup and searching, without the user even having to type 'httpi://'. For example, see how Chrome or Firefox can deal with the user typing a search string into the URL bar, and giving suggested completions - each new set of completions was an entire new query from the browser to a search engine. Or see any of the many browser extensions that do real-time markup of pages - everything from replacing all pictures of Donald Trump in news stories with pictures of kittens, to extended search and annotation, to a whole bunch of other things: Annotation: https://www.maketecheasier.com/google-chrome-extensions-annotate-text-on-the-web/ Searching for related terms: https://www.pcworld.com/article/2158690/improve-your-search-chops-and-save-time-with-these-chrome-extensions.html Word definitions: https://www.makeuseof.com/tag/7-chrome-extensions-lookup-words-meanings-browse/ (Think for a moment about how the web extension knows that the picture is one of Donald Trump... that's not as easy as it looks...) And userinfo isn't needed either - we already know how to do authenticated user via any number of means - anything from per-user PKI certificates, to userid/ password schemes, to 2-factor authentication with physical tokens or biometric information, to a whole collection of other methods. As your userinfo draft says: " Right now to hide sensitive or subscription based information i have to implement username password restrictions in the website code i am publishing.I should be able to say that only a HTTP client request that has in addition to location and IP address some User information should be served information from my website." You probably want to find out who Jeff Bezos is, and why his company was able to work around this problem and make billions of dollars. Also, you'll need to explain *why* "you should be able to", and why it requires a new protocol, and why other solutions aren't sufficient. Hint 1 - how do weather.com and Google Maps know where you are? (Google even knows which way I'm facing with the cellphone.. think about that for a bit while you think about how you're going to explain a new protocol is needed to do that...) Hint 2 - the Internet is growing increasingly mobile - so "location" isn't a very reliable identifier any more. I've paid utility bills from a laptop tethered to a cellphone while at a Boy Scout camp 6 hours drive from where I live - so it isn't safe to say that "me" is only at my apartment or my office. In addition, if it reports "the wireless network at Virginia Tech" as my location, that doesn't separate me from all the other users, because that "location" is a single wireless SSID that spans 2,000+ access points in 200 buildings and over 19,000 users during weekday afternoons when classes are in session. In short, "Me" isn't tied to a location, and a location usually doesn't identify "me" as opposed to everybody else using the network/cellphone at that location. Hint 3 - you still have an authentication issue. You're unclear whether your website should get the information as part of the user's http request, or from a third party. If you're getting it from the user, you'd just re-invented the very bad idea of user-side authentication - you're relying on the user to be honest and not send you false authenticators (and of course, the Bad Guys(tm) will send falsified information). If you're calling a third party, you avoid the user-side authentication problem, but now have a different problem - you have only the information the user provided - an IP address and *maybe* a userid/password, as information that you can send this third party to get your "userinfo" data. Hint 4 - you can work around those problems in Hint 3 if you're clever - at which point you've re-invented "identity provider services" such as Shibboleth: https://www.shibboleth.net/ which can be used for cross-organization single-sign-on, and leveraged to provide services such as EduRoam: https://www.eduroam.org/ - the end result is that I can be visiting Europe, go to Riga Technical University, and authenticate to their wireless network - but only if I know my userid/password at Virginia Tech and have either a specific Yubikey 4 with me, or one of several other 2-factor authenticators supported by Virginia Tech. One of those involves calling my cellphone (which has a phone number assigned to the southwest part of Virginia, in the US - and having it ring even if I'm in eastern Europe. Think about that for a moment) And all this stuff gets done without any new protocols being needed... To get a mailing list for these proposals, you'll have to convince people that these solved problems are in fact not solved, and explain what's wrong with the solutions, and do so in a way that demonstrates that you do in fact know what's already doable without these new protocols.... Good luck, you're going to need it....
Attachment:
pgpF24gxK6zxM.pgp
Description: PGP signature
