- From: Nate Otto <nate@ottonomy.net>
- Date: Wed, 15 Apr 2015 11:56:22 -0700
- To: Credentials Community Group <public-credentials@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Cc: Mike West <mkwst@google.com>, Web Payments IG <public-webpayments-ig@w3.org>, Gregg Kellogg <gregg@greggkellogg.net>
- Message-ID: <CAPk0ugnP=t4m_bJDHxsanFAO5odDVB+EKahfwYx2C31_rUBv5g@mail.gmail.com>
Thanks all for spending time discussing this issue.

Hi, I'm a developer working on building software that issues and understands Open Badges, as well as working on developing the Open Badges specification, which is one particular type of credential that fits under the Credentials CG's definition and can operate smoothly with that group's sketched-out technical direction. Open Badges are defined levels of achievement, essentially descriptions of skills, experience, participation or could describe many other types of relationships between an issuer and a recipient.

I would like to see a future where services can easily ask for rich credentials of many types in order to decide whether to authenticate a user, but also whether to authorize them to access protected resources. While authentication that a user is indeed the recipient/subject of the provided credentials is essential to this process, I don't see a strong distinction between credentials a user supplies to prove their own identity and verifiable credentials issued by other parties that make claims about the user.

In effect, if a service could ask, "401 Permission Denied; Do you have a valid staff credential from one of these three partners?", I think the possible ecosystem of credential issuers and relying parties could be quite exciting. I'm largely agnostic to exactly how this might be implemented, though I see promise to some of the methods devised by the Credentials CG using signed linked data in JSON-LD format.

I would like to see services use both of these types together to determine how to respond to requests that require authenticated and privileged access. I'm not steeped in browser APIs thoroughly enough to have an educated opinion on how requests for credentials of different types should be made, but I see being able to request and accept a composition of various credentials from a user agent as a useful part of this process.

+1 to starting with login credentials, but please take the Web Payments IG and the young Credentials CG's desire to incorporate other credential types in the future into account.

Thanks,

*Nate Otto, Developer*
concentricsky.com
Received on Wednesday, 15 April 2015 18:57:23 UTC