Re: Overlap with Credentials/Web Payments CG (was Re: CfC to publish a FPWD of Credential Management; ending April 17th.)


Before you continue tossing around threats of Formal Objections, I'll
suggest you refer the process document:

"An individual who registers a Formal Objection SHOULD cite technical
arguments and propose changes that would remove the Formal Objection; these
proposals MAY be vague or incomplete. Formal Objections that do not provide
substantive arguments or rationale are unlikely to receive serious
consideration by the Director."

I hope you will at least do this group the courtesy of the same: a
substantive technical rationale for the objection and proposals for changes
(within the chartered scope of this WG) that would remove
the objection, and give us an opportunity to respond to those suggestions.

Credential is a very overloaded term, as the CG's executive summary
document makes abundantly clear.  The concrete problem of improving the
reliability, functionality and security of management tools for
username/password and federated credentials - tools that are in wide
deployment today - is real and pressing, and that is what we put in the
scope of our charter.

As the Credentials CG summary seems to consider 'credentials' as
potentially including payment instruments, identities, verifiable age
claims, and more, and there is no technical report giving any technical
details of how such would be represented, it seems impossible to judge at
this time whether this specification would accommodate those concerns or
not, or whether the use case scenarios even overlap (automatically applying
a username/password for login is quite different than automatically
applying a payment instrument!) without further clarification.

thank you,

Brad Hill
Co-Chair, WebAppSec WG

On Mon, Apr 13, 2015 at 6:01 AM Wendy Seltzer <> wrote:

> On 04/13/2015 04:45 AM, Mike West wrote:
> > (Forking the thread for clarity)
> >
> > Hi Manu!
> >
> > I've put forward this draft of the credential management spec in order to
> > seek exactly this sort of feedback from developers. If there are indeed
> > technical deficiencies in the spec that make it unsuitable for use cases
> > that we ought to support, then we certainly need to change it.
> >
> > Indeed, the API proposed in this document is intended to be fairly
> > generic (it has ~2 methods) and extensible (by subclassing `Credential`)
> > so as not to block future innovation. It would be helpful to understand
> > how exactly it blocks you from doing the work you'd like to be doing.
> >
> > On Mon, Apr 13, 2015 at 3:44 AM, Manu Sporny <>
> > wrote:
> >
> >> On 04/10/2015 04:21 PM, Mike West wrote:
> >>> Well, wait no longer! This is a real call for consensus to publish
> >>> the following draft of "Credential Management" as a First Public
> >>> Working Draft:
> >>
> >> -1, the spec completely ignores the very substantial work going on in
> >> the Credentials CG and the Web Payments IG that is related to the API
> >> you're proposing.
> >>
> >
> > Perhaps the word "credentials" is causing problems; after skimming the
> > documents you pointed to, I don't see significant overlap between this
> > spec and those groups. Is your concern that we're co-opting the term? Or
> > is there something deeper?
> Apart from using a common term differently, I don't see much overlap and
> hence potential conflict between the different pieces of work. Mike's
> WebAppSec draft is certainly not asserting that it is the sole source of
> meaning for the term "credential," nor is it saying that web users could
> not request or express richer credentials.
> >
> >> I suggest the Web AppSec Chairs start coordinating w/ the Web Payments
> >> IG and the Credentials CG before proposing the publication of this FPWD.
> >>
> >
> > +Brad, Dan, Wendy.
> I'll join this morning's Web Payments IG call and am happy to work to
> help resolve the disagreement.
> --Wendy
> >
> > --
> > Mike West <>, @mikewest
> >
> > Google Germany GmbH, Dienerstrasse 12, 80331 München,
> > Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> > Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
> > Flores
> > (Sorry; I'm legally required to add this exciting detail to emails.
> > Bleh.)
> >
> --
> Wendy Seltzer -- +1.617.715.4883 (office)
> Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
>        +1.617.863.0613 (mobile)

Received on Monday, 13 April 2015 17:24:07 UTC