Re: Splitting "Credential Management"?

Or, were you concerned about getting the process question of getting the
core CM API to CR in sync with WebAuthn moving to CR?

-mike

On Wed, Apr 5, 2017 at 6:10 PM, Mike West <mike@mikewest.org> wrote:

>
>
> On Wed, Apr 5, 2017 at 5:58 PM, Hodges, Jeff <jeff.hodges@paypal.com>
> wrote:
>
>> some thoughts wrt the original experiment of splitting credman up (ie
>> this thread up thru 17-Mar-2017):
>>
>> >> On Thu, Mar 16, 2017 at 6:26 AM, Mike West <mkwst@google.com> wrote:
>> >> Hey folks!
>> >>
>> >> While re-reading through the Credential Management API, I realized
>> >> that the extension mechanisms aren't at all clear. As a thought
>> >> exercise, I'm mostly finished with splitting the document into a
>> >> generic API that defines the high-level architecture
>> >> <https://w3c.github.io/webappsec-credential-management/base.html>,
>> >> and a document that specifies `PasswordCredential` and
>> >> `FederatedCredential` as an extension
>> >> <https://w3c.github.io/webappsec-credential-management/sitebound.html>.
>> >>
>> >>  WDYT? Is this a sane division? Does it actually make the integration
>> >> points clearer by forcing us to use them, or is it more confusing
>> >> than not to have the pieces in distinct documents?
>>
>>
>> On 3/17/17, 7:40 PM, "Jeffrey Yasskin" <jyasskin@google.com> wrote:
>> >
>> > 3 thoughts here:
>> >
>> > 1) I strongly approve of you using the extension points to define the
>> > initial credential types. Without doing this, it'd be hard for an
>> > extender to use the extension points as you intended, even if you
>> > managed to get them right.
>>
>> agreed.
>>
>>
>> > I think it's less important to put the
>> > initial extensions in a separate document, although doing so does
>> > force you to figure out how future extensions will be registered.
>>
>> Although, if WebAuthn adds credman as a dependency
>> <https://github.com/w3c/webauthn/pull/384>,
>> then from a timeline perspective it may be more expeditious to have
>> credman divided into "base" and "password+Fed" (nee 'sitebound'), as he
>> proposed in his original msg above. Thus we (WebAppSec+WebAuthn) can
>> concentrate on progressing credman base and webauthn, and hopefully any
>> issues particular to the "password+Fed" spec will not slow down the former
>> specs.
>>
>
> The rejoined document splits those out into distinct sections, with no
> dependencies on each other. My hope is that this internal division
> exercises the extension points enough to ensure that completely external
> specs are equally well-supported. Your feedback there would be
> super-helpful.
>
> -mike
>

Received on Wednesday, 5 April 2017 17:31:51 UTC