Re: [w3ctag/design-reviews] FedCM (was WebID) (Issue #718) from sam goto on 2022-08-13 (public-webapps-github@w3.org from August 2022)

From: sam goto <notifications@github.com>
Date: Fri, 12 Aug 2022 18:42:42 -0700
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/718/1213629096@github.com>

(just coming back from vacations now, so apologies for the delay in responding)

> That's very helpful. We're happy with the problem this is setting out to solve, and the general direction, and in particular the alignment with patterns from related well-used mechanisms like OIDC. It is reassuring to see your acknowledgement of known issues, and note that our positive review of this work is based on the assumption they will be addressed as the work progresses.

That's great to hear, thanks for the time put into reviewing this and providing thoughtful feedback!

> Do you have anyone from the WebAppSec WG in the FedID CG? Generally we advise connecting with a WG as early as possible to make sure they're aware of the direction of the work and have an opportunity to input, to make it more likely to be confidently adopted when you are ready to take the work on the REC track.

We've been working with @mikewest since early stages of the API design. We'll start working @hlflanagan (FedID CG chair) and other browsers to figure out whether/where/when to move this to a WG, but we are generally excited about that possibility indeed.

> One final note - I saw in the document you linked to that you have made or may be considering a name change to "Web Identity API"? As I'm sure you're aware, "Identity" is a very ambiguous and loaded term! This might cause misunderstandings or concern about the scope of the work down the line, so we would strongly encourage you to consider "Web Identification API" instead (although sticking with FedCM is also fine).

Yeah, I personally like "Web Identification API" too (largely because it pairs well with "Web Authentication API" as a complement, as opposed to as an alternative), but as you can imagine, naming is hard (we opened suggestions up for voting in this github issue and most people [didn't quite like](https://github.com/fedidcg/FedCM/issues/41#issuecomment-790993119) "Web Identification API"). We haven't settled on a formulation yet (sticking with FedCM is challenging because we are not extending the existing FederatedCredential object anymore, but rather [creating a new one](https://github.com/fedidcg/FedCM/issues/41#issuecomment-1155698153).), but I hear where you are coming from. "Web Identity API" remains my least-worse choice at the moment, but we are actively working towards finding a better framing/naming. 

> Hi @samuelgoto! Thanks for the opportunity to review this work. We largely think it's going in the right direction. this is not a full endorsement of the current API or architecture as specified in the CG report. As this is a big piece of work with multiple moving pieces, we'd like to suggest you come back to us to request indivdual reviews of these components once they reach an appropriate stage of maturity / consensus.

That's great to hear @torgo and @rhiaro and @hadleybeeman (thanks for the [early quick review](https://github.com/w3ctag/design-reviews/issues/622))!! We really appreciate the thought and time you spent into given us advice and recommendations and I hope you feel like we incorporated most of them!



-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/718#issuecomment-1213629096
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/718/1213629096@github.com>

Received on Saturday, 13 August 2022 01:42:55 UTC