> - No this isn't like WebFinger. That only returns JSON.<p>Couldn't it be done with WebFinger though?<p><pre><code>{
  "links": [
    {
      "rel": "http://webfinger.shkspr.mobi/rel/avatar",
      "href": "https://cdn.ojford.com/images/avatar.png"
    }
  ],
  // ...
}</code></pre>
This seems like a boon to credential stuffing attacks. Given a list of passwords and email addresses, having a well-known, email-keyed URL would allow an attacker to quickly find if any of the emails have an account on the service, before going through the better secured and more time consuming login page.
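As an added illustration of the enumeration concern (example code, not from the thread or from the proposal): two handlers for a `/.well-known/avatar?resource=acct:...` endpoint, a naive one whose status code reveals whether an address has an account, and a hardened one that returns the same response for an unknown address and for an account with no uploaded avatar. The account store, the avatar bytes and the address names are constructed for the example.

```python
from urllib.parse import parse_qs

# Constructed sample data (not real users or image files): alice has
# uploaded an avatar, bob has an account but no avatar, nobody has no account.
DEFAULT_AVATAR = b"\x89PNG\r\n\x1a\n<constructed default avatar>"
ACCOUNTS = {
    "alice@example.com": b"\x89PNG\r\n\x1a\n<constructed custom avatar>",
    "bob@example.com": None,
}

def parse_resource(query):
    """Return the lower-cased address from '?resource=acct:user@host',
    or None if the parameter is missing or is not an acct: URI."""
    resource = parse_qs(query).get("resource", [""])[0]
    scheme, sep, addr = resource.partition(":")
    if scheme != "acct" or not sep or "@" not in addr:
        return None
    return addr.strip().lower()

def avatar_leaky(query, accounts=ACCOUNTS):
    """Naive handler: 404 for unknown addresses, so the status code alone
    confirms whether an account exists (an enumeration oracle)."""
    addr = parse_resource(query)
    if addr is None:
        return 400, "text/plain", b"bad resource"
    if addr not in accounts:
        return 404, "text/plain", b"no such account"
    return 200, "image/png", accounts[addr] or DEFAULT_AVATAR

def avatar_hardened(query, accounts=ACCOUNTS):
    """Unknown addresses and accounts without an uploaded avatar get the
    identical 200 image/png default, so the response does not reveal which
    of the two cases applies. A custom avatar is public by design and still
    reveals the account; only opt-in publishing closes that channel."""
    addr = parse_resource(query)
    if addr is None:
        return 400, "text/plain", b"bad resource"
    return 200, "image/png", accounts.get(addr) or DEFAULT_AVATAR

def responses_distinguishable(handler, addr_a, addr_b):
    """True if an observer can tell the two addresses apart from the
    status, content type or body of the handler's responses."""
    a = handler("resource=acct:" + addr_a)
    b = handler("resource=acct:" + addr_b)
    return a != b
```

Running `responses_distinguishable` against both handlers for an account without an avatar and a non-existent address shows the naive handler leaking and the hardened one not; per-address rate limiting would be the usual complement, since it is not modelled here.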
I'm not sure why this would need to be its own well-known URL instead of just a WebFinger resource, considering it's nearly identical to WebFinger already. Would just have to always return a link to an image instead of the image itself (or a base64 blob of image data in a property, I guess) regardless of image/* being in the Accept header.
I might just be getting curmudgeonly in middle age, but I don't like this. I want it to be <i>harder</i> for services to share information about me. My address and phone number are also "public" but that doesn't mean I want every site to keep a copy of them.
> When I sign up to a web service, I don't want to faff around uploading an image to use as my avatar. I want that service to look at my email address or social-sign-in and automatically pick up my preferred graphic.<p>"Faff around" meaning, like, probably four or so clicks?
One idea to consider. Make it easier to implement by changing the query syntax.<p>Instead of a query parameter, which always requires a script to process:<p>example.com/.well-known/avatar?resource=acct:username@example.com<p>Make the requested email address part of the path:<p>example.com/.well-known/avatar/username@example.com<p>People can put images into their HTTP server directory named as email addresses. This makes it easier to implement for vanity domains. No server-side code necessary. It still allows someone to build a dynamic script that handles the "/.well-known/avatar/" path.
Go register it with IANA <i>Well-Known URIs</i>. I don't think IANA demands you have it all figured out to do so! Good idea! <a href="https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml" rel="nofollow">https://www.iana.org/assignments/well-known-uris/well-known-...</a>
It just occurred to me that Gravatar data is owned by the same folks who decided on selling Tumblr data for AI training: <a href="https://www.theverge.com/2024/2/27/24084884/tumblr-midjourney-openai-training-data-deal-report" rel="nofollow">https://www.theverge.com/2024/2/27/24084884/tumblr-midjourne...</a> …<p>While I don't know enough about the nuances to weigh in on this specific proposal, decentralized solutions are going to become increasingly important!
>This makes it incredibly simple for people to use the same avatar everywhere.<p>lol. who needs privacy or the ability to have disconnected identities online? right?<p>terrible idea.