Harmonizing same-origin and cross-origin credentials

Just keeping this group in the loop wrt. WebAppSec and credentials.

The discussion with the Web Application Security WG is ongoing. We just
had a telecon today[1] (search for "manu") about a status update related
to harmonizing same-origin and cross-origin credentials:

https://lists.w3.org/Archives/Public/public-webappsec/2015May/0101.html

In general, here's where we are:

1. The Credentials Management API has an extensibility mechanism, and
   we assert that the future Web Payments IG/WG and Credentials CG/WG
   work would like to use it.
2. We don't know if this extensibility mechanism will work for
   cross-origin credentials, which will more than likely be a hard
   requirement for the future Web Payments IG/WG and Credentials CG/WG.
3. We don't want the future Web Payments IG/WG and Credentials CG/WG
   to effectively duplicate the work done in this group because the
   extensibility mechanism doesn't work for them.
4. We're working on getting a concrete but drafty cross-origin
   extension done in the Credentials CG by the end of this week.
5. We don't want WebAppSec to take on work they're not chartered to do.

-- manu

[1] http://www.w3.org/2015/05/18-webappsec-minutes.html

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: High-Stakes Credentials and Web Login
http://manu.sporny.org/2014/identity-credentials/

Received on Monday, 18 May 2015 20:13:13 UTC