Re: Proposal: https://example.com/.well-known/modify-credentials

From: John Wilander <wilander@apple.com>
Date: Tue, 03 Apr 2018 20:59:17 -0700
Cc: public-webappsec <public-webappsec@w3.org>
Message-id: <3606141F-F85A-446F-B2B4-3601112ED904@apple.com>
To: Jeffrey Yasskin <jyasskin@google.com>
Hi Jeffrey!

> On Apr 3, 2018, at 8:45 PM, Jeffrey Yasskin <jyasskin@google.com> wrote:
> 
> I don't have a strong opinion about this, but have any existing password managers or websites given you feedback about how they'd use this proposal? For example, LastPass has an "Auto Change Password" option. Would this be enough to help that work in more cases, or do they need something more structured at the endpoint?

We run a popular password manager ourselves which is where this proposal originates. In addition, we have discussed it with one other password manager. Rather than speak for them I’ll see if I can get them to comment straight to the list.

Maybe we have password manager folks on the list already? Would this well-known location be useful to you?

   Regards, John

> 
> Jeffrey
> 
>> On Tue, Apr 3, 2018 at 4:32 PM John Wilander <wilander@apple.com> wrote:
>> Hi WebAppSec!
>> 
>> We’re thinking of proposing a well-known URL location where users can change their password or other credentials. Since this working group owns the Credential Management spec, we’d like to get your feedback before we email wellknown-uri-review@ietf.org.
>> 
>> # The problem
>> When a password/credential manager wants to facilitate a user updating their credentials, there isn't a good way to determine which part of the relevant website to send the user to or to signal to the website that the user's intent is to modify their credentials.
>> 
>> # The proposal
>> https://example.com/.well-known/modify-credentials as a well-known URL endpoint that signals user intent to modify their credentials. The web server can serve a page at this location or do an HTTP or client-side redirect. The location should be restricted to HTTPS, including any redirects. RFC5785 doesn’t mention scheme restrictions but hopefully we can work that out with the reviewers.
>> 
>> What are your thoughts?
>> 
>>    Regards, John
Received on Wednesday, 4 April 2018 03:59:46 UTC
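The proposal above says the well-known URL may be served directly or answered with a redirect, and that every hop must stay on HTTPS. As an added illustration (not code from this thread, from Apple, or from any password manager), here is a minimal server-side handler for the endpoint next to a password-manager-side resolver that follows the redirect chain and refuses any downgrade to http:, a redirect loop, or an over-long chain. The host names and the fetch table are constructed stand-ins for the network.

```python
"""Added example, not from the mailing-list thread: a server handler for
/.well-known/modify-credentials and a client resolver that enforces the
HTTPS-only rule on every redirect hop. Hosts and responses are constructed."""
from urllib.parse import urlsplit, urljoin

WELL_KNOWN_PATH = "/.well-known/modify-credentials"
MAX_REDIRECTS = 5

# --- Server side -----------------------------------------------------------
def modify_credentials_handler(change_password_url: str):
    """Return (status, headers, body) for the well-known URL.
    The redirect target must itself be HTTPS; otherwise the server declines
    to advertise it (404) rather than send the user to an insecure page."""
    if urlsplit(change_password_url).scheme != "https":
        return "404 Not Found", [("Content-Type", "text/plain")], b"not available"
    return "302 Found", [("Location", change_password_url),
                         ("Cache-Control", "no-store")], b""

# --- Client (password manager) side ----------------------------------------
class InsecureRedirect(Exception):
    """Raised when the chain leaves HTTPS, loops, or runs too long."""

def resolve_modify_credentials(origin: str, fetch, max_redirects=MAX_REDIRECTS):
    """Follow redirects from https://<origin>/.well-known/modify-credentials.
    `fetch(url)` returns (status, headers_dict). Every hop must be HTTPS;
    the final 200 URL is returned, anything else raises."""
    url = f"https://{origin}{WELL_KNOWN_PATH}"
    seen = set()
    for _ in range(max_redirects + 1):
        if urlsplit(url).scheme != "https":
            raise InsecureRedirect(f"non-HTTPS hop: {url}")
        if url in seen:
            raise InsecureRedirect(f"redirect loop at {url}")
        seen.add(url)
        status, headers = fetch(url)
        if status in (301, 302, 303, 307, 308):
            location = headers.get("Location")
            if not location:
                raise ValueError(f"{status} without Location from {url}")
            url = urljoin(url, location)   # resolve relative Location values
            continue
        if status == 200:
            return url
        raise LookupError(f"unexpected status {status} from {url}")
    raise InsecureRedirect("too many redirects")

# Constructed fetch table standing in for the network (hypothetical hosts).
FAKE_RESPONSES = {
    "https://good.example/.well-known/modify-credentials":
        (302, {"Location": "/account/security"}),
    "https://good.example/account/security":
        (302, {"Location": "https://accounts.good.example/change-password"}),
    "https://accounts.good.example/change-password": (200, {}),
    "https://downgrade.example/.well-known/modify-credentials":
        (302, {"Location": "http://downgrade.example/settings"}),
    "https://loop.example/.well-known/modify-credentials":
        (302, {"Location": "/.well-known/modify-credentials"}),
}

def fake_fetch(url):
    """Offline stand-in for an HTTPS GET; unknown URLs answer 404."""
    return FAKE_RESPONSES.get(url, (404, {}))

if __name__ == "__main__":
    print(resolve_modify_credentials("good.example", fake_fetch))
    for host in ("downgrade.example", "loop.example"):
        try:
            resolve_modify_credentials(host, fake_fetch)
        except InsecureRedirect as e:
            print("rejected:", e)
```

The resolver checks the scheme of each URL before fetching it, so a server that redirects to http: is rejected without the insecure request ever being made; the server handler applies the same rule to its own Location value so a misconfiguration cannot advertise a non-HTTPS page.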