Re: Looking for a home for a proposed Credential Management API.

On 09/24/2014 09:57 AM, Mike West wrote:
> There's a credentials community group that has nothing to do with
> the proposal

There's more in common than you might think. Fundamentally, the
Credentials CG would like to ensure that the Credentials API that you're
proposing supports the type of high-stakes, digitally signed credentials
(like government-issued passports, professional licenses, background
checks, etc.) that we need for the Web Payments work.

I suggest reading up on what we'd like to see here:

http://manu.sporny.org/2014/credential-based-login/

http://manu.sporny.org/2014/identity-credentials/

I'll do a review of your spec and use cases from a Credentials CG
viewpoint. I'm happy to get on the phone w/ you and discuss things in
more technical depth when you become available.

That said, the right place to discuss the API is most likely Web Apps
with input from WebCrypto WG, Security IG, Web Payments IG, FIDO
Alliance, and the Credentials CG. I don't think you can do a good job on
the API you're proposing without all of their involvement.

> and given the weak IPR protections of a CG, I'd prefer to avoid them 
> in the long run (though they might be the right place for short-term 
> incubation).

I agree that the Credentials CG (or any CG) isn't the right place for
the work in the long run. Keep in mind that the Web Payments work will
most likely be starting soon, and they'll be in charge of recommending
new WGs to be chartered to support the work. Transmitting credentials is
a big part of the problem and a few modifications to your API could
address that issue.

> Another option would be to create a new a new CG (although I suppose
>  there could be some confusion with Manu's Credentials CG 
> <http://www.w3.org/community/credentials/>).

The Credentials CG can provide input, but most of the right people to
talk about the API (and all of the potential security issues) probably
exist in WebApps. As Robin said earlier in the thread, I wouldn't focus
too much on the process and "the right group" too much. Get documents
published, get implementations and polyfills done, then ping all of the
groups listed above to get their feedback. The Credentials CG would be
happy to provide input on the API as it relates to our use cases.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: High-Stakes Credentials and Web Login
http://manu.sporny.org/2014/identity-credentials/

Received on Friday, 3 October 2014 14:00:21 UTC