- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Thu, 23 Apr 2015 12:17:30 -0400
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 04/23/2015 11:45 AM, Mike West wrote: > To be clear, we're skeptical that the current form of the API lends > itself well to the type of extension we'd like to perform. We can do > it, but every approach we've tried thus far feels like a hack and > we'd probably end up defining a new API rather than extending the one > currently defined (clearly, that's not a good thing and we want to > avoid that). > > That's disappointing to hear. Turn that frown upside down, buddy. :) I'm not disappointed in that we're talking and as long as we keep talking we'll be able to figure out if what we'd like to see happen is possible, or if it's too much of a stretch for the WebAppSec group given their current (limited) charter on the topic. It's going to take time to work through the issue. I don't think we can expect to spend a week on it and figure it out. We were hopeful based on our discussion last week that we would be able to use what was put forward in the compromise, but having taken a further look into it, we'd like to propose some alternatives. > We've made a number of compromises in the API in order to increase > the flexibility for the kinds of extensions David (CC'd) has asked > for in https://github.com/w3c/webappsec/issues/256. Since there > hasn't been substantive discussion on that bug since Friday, I > thought we were pretty close to being on the same page. Keep in mind that we're very busy and spread across the Web Payments IG, Credentials CG, and now this group. Conference season is also upon us and we travel extensively to promote the work going on at W3C. You haven't heard from us in two days because we're currently trying to figure out the most effective way of engaging the WebAppSec group as we continue to deliberate. The thought right now is to propose a complete API that we believe would work for all three affected groups at W3C and see if it could be workable. We don't believe we can make progress in the github issue because there are some core philosophy issues that need to get sorted out. For example, you stated that you weren't interested in working on cross-origin credentials. That, however, is exactly what we need for the work we're doing. So, W3C needs to figure out if they're going to think about/support cross-origin credentials and that conversation isn't going to play out in a weeks time. If what we're proposing is not workable via this group, then so be it, but we'd like to try to put together a full proposal and see where it goes. I don't think we're that far away from what we'd need. -- manu -- Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny) Founder/CEO - Digital Bazaar, Inc. blog: High-Stakes Credentials and Web Login http://manu.sporny.org/2014/identity-credentials/
Received on Thursday, 23 April 2015 16:17:54 UTC