Re: The Credential Management API - Another approach

Hi, Anders!

On Thu, Apr 23, 2015 at 9:39 AM, Anders Rundgren <
anders.rundgren.net@gmail.com> wrote:

> Regardless if the Credential Management API matches the envisioned needs
> of the Credentials CG or not, I doubt that this is the right path for the
> industry.
>

It's not clear what concrete changes, if any, you're suggesting.

> There are several problems with the approach taken and one of the more
> obvious is that "Apps" like Skype, Facebook, e-banking, etc. also rely on
> credentials which makes the idea of building such functionality into the
> browser layer somewhat futile; credentials rather belong to the platform.


The claim that "Native apps rely on credentials" doesn't seem to have much
impact, given that "Web origins rely on credentials" is also true. Given
that a browser interacts with a wide variety of the latter, it's not clear
to me that layering an API on top of the already-built functionality at the
browser layer is anything but helpful.

> Due to the fact above, the unknown buy-in from other browser vendors and
> last but not least the inherent inflexibility of the browser infrastructure
> with respect to updates, I'm convinced that credential management would be
> more suited as applications based on "The Extended Web":
> https://lists.w3.org/Archives/Public/public-webappsec/2015Apr/0220.html


"Unknown buy-in from other browser vendors" doesn't seem like something
we'd solve by moving the spec to the CG you suggest. Nor do I understand
the claim of "inherent inflexibility" of browsers; isn't this spec an
existence proof of the opposite?

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Thursday, 23 April 2015 08:09:27 UTC