You get someone’s address, @email@example.com. You put that into your web browser, and you get a warning that says, “You are about to log in to the site ‘example.com’ with the username ‘%40bob’, but the website does not require authentication. This may be an attempt to trick you. Is ‘example.com’ the site you want to visit?” You back out of the error message and try to manually reformat the address. example.com/bob? 404. Maybe it’s example.com/@bob? That doesn’t work either. You read a tutorial on Webfinger addresses and learn that you can load their “resource profile” by going to example.com/.well-known/webfinger?resource=acct:firstname.lastname@example.org. So you put that into your web browser, which then downloads a blob of JSON text. Buried in it is the URL example.com/user/bob. Finally, progress.