Re: WebAppSec Credentials Management API FPWD consensus plan

On 04/17/2015 03:58 AM, Mike West wrote:
> 2. Support fetching credentials from locations that are not the 
> browser (IdP websites, for example) and are not login 
> super-providers.
> 
> I don't think this is in the scope I've signed up for in v1. I do 
> believe we need to ensure that we don't box ourselves out of a nice 
> API for this in the future, but it doesn't seem to me to be a 
> necessary component of the initial iteration.

To be clear, I meant "support" in a "don't box ourselves out of a nice
API for this in the future" way. I want us to have a clear plan for how
this is going to be polyfilled for LinkedDataCredentials this year and
what the implementation plan for that is going to be in the future. A
potential future Credentials WG would like to extend the API by doing a
minimum amount of modification to the CM API to accomplish fetching
LinkedDataCredentials. We want to make sure that we won't have to do
anything awkward with the API to get there. I think you want the same
thing (don't make developers jump through hoops to support other types
of Credentials).

> 3. Come to consensus that the data model in the API will work for 
> both local credentials and Linked Data credentials served from IdP 
> websites without placing an undue burden on the API.
> 
> I know you note this at the bottom, but for clarity I'd like to be 
> explicit here: I don't believe that WebAppSec is chartered in such a
> way that this is going to be a formal requirement for the spec. I 
> will happily work with the CG and IG to make sure that you have room
> to extend the API in Linked Data directions (as discussed in #1), 
> but I do not intend to add normative language to the spec to that 
> effect.

+1, we're not asking for normative language wrt.
LinkedDataCredentials... just that the design of the API supports this
sort of extension in the future in a clean way.

Correct me if I'm wrong, but it sounds like we have general agreement on
a concrete path forward. Now all we need to do is hammer out the details.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Marathonic Dawn of Web Payments
http://manu.sporny.org/2014/dawn-of-web-payments/

Received on Friday, 17 April 2015 12:51:39 UTC