The Credential Management API - Another approach

Regardless if the Credential Management API matches the envisioned needs of the Credentials CG or not, I doubt that this is the right path for the industry.

There are several problems with the approach taken and one of the more obvious is that "Apps" like Skype, Facebook, e-banking, etc. also rely on credentials which makes the idea building such functionality into the browser layer somewhat futile; credentials rather belong to the platform.  Yeah, this is an implementation issue but this is probably not what's on the menu today: "The types of credentials defined in this document are stored locally in a user agent’s credential store".

Due to the fact above, the unknown buy-in from other browser vendors and last but not least the inherent inflexibility of the browser infrastructure with respect to updates, I'm convinced that credential management would be more suited as applications based on "The Extended Web":
https://lists.w3.org/Archives/Public/public-webappsec/2015Apr/0220.html

I did indeed wrote applications with an 's' for the simple reason that there unlikely ever will be "the" credential management system, there will rather be a bunch of such.  Here is a pointer to a credential management system that has virtually nothing in common with the Credential Management draft:
https://cyberphone.github.io/openkeystore/resources/docs/keygen2.html
Note: The KeyGen2 invocation interface will be revised to use "The Extended Web".

Anders

Received on Thursday, 23 April 2015 07:40:30 UTC