Re: Splitting "Credential Management"? from Daniel Bates on 2017-03-16 (public-webappsec@w3.org from March 2017)

From: Daniel Bates <dabates@apple.com>
Date: Thu, 16 Mar 2017 10:06:49 -0700
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Dominic Battre <battre@google.com>, Václav Brožek <vabr@google.com>, Angelo Liao <huliao@microsoft.com>, pdolanjski@mozilla.com
Message-id: <7F2E5D26-C9C0-470E-936C-E34157D2FE63@apple.com>

> On Mar 16, 2017, at 6:26 AM, Mike West <mkwst@google.com> wrote:
> 
> Hey folks!
> 
> While re-reading through the Credential Management API, I realized that the extension mechanisms aren't at all clear. As a thought exercise, I'm mostly finished with splitting the document into a generic API that defines the high-level architecture (https://w3c.github.io/webappsec-credential-management/base.html <https://w3c.github.io/webappsec-credential-management/base.html>), and a document that specifies `PasswordCredential` and `FederatedCredental` as an extension (https://w3c.github.io/webappsec-credential-management/sitebound.html <https://w3c.github.io/webappsec-credential-management/sitebound.html>).
> 
> WDYT? Is this a sane division? Does it actually make the integration points clearer by forcing us to use them, or is it more confusing than not to have the pieces in distinct documents?

Is this split more for organizational purposes as an editor? If so, I can see the value of it by compartmentalizing knowledge. From the perspective of an implementer, I do not feel that this proposed devision makes the integration points any clearer at the time of writing. Maybe adding a hyperlink from the base spec to the Site Bound Credentials spec would help. Without such a hyperlink, if this proposed division existed before my reading of the Credential Management spec then the devision would have hampered my understanding of the concrete use cases of this API as I would need to read a secondary spec to be able to ascertain them or rediscover them. You state in sections Extension Points and Browser extensions of <https://w3c.github.io/webappsec-credential-management/base.html <https://w3c.github.io/webappsec-credential-management/base.html>> there is a future for just the base Credential Management API outside of usage for passwords and federated credentials, but then leave it largely as an exercise to the reader to imagine such usage. I understand you just split the specs as a step towards expanding these sections. I'm unclear how much we can expand these sections. Is there so much to write about such extensions that would make the spec excessively long so as to warrant separating it into two? How much value is there in just implementing <https://w3c.github.io/webappsec-credential-management/base.html <https://w3c.github.io/webappsec-credential-management/base.html>>?

Dan

Received on Thursday, 16 March 2017 17:08:46 UTC