
Re: Proposal for a credential management API.

From: Hill, Brad <bhill@paypal.com>
Date: Mon, 18 Aug 2014 17:07:25 +0000
To: Mike West <mkwst@google.com>
CC: Jonas Sicking <jonas@sicking.cc>, WebApps WG <public-webapps@w3.org>
Message-ID: <CC5531FC-640B-41AF-8CFD-73B64D0F41B5@paypal.com>
I think the broader goals Jonas has articulated probably belong in their own group, perhaps chartered along with some of what comes out of the upcoming Web Crypto Next Steps workshop.  

http://www.w3.org/2012/webcrypto/webcrypto-next-workshop/papers.html

I'll say by way of indicating possible conflict-of-interest that the FIDO Alliance is also working on parts of this problem space (https://fidoalliance.org) but is focusing more specifically on enabling strong authentication without passwords.  We (FIDO) are presenting a paper at the workshop.

Ideally, then, without being too optimistic, I'd like to see passwords replaced entirely by better technology rather than continuing to kludge upon them.  They're still a fundamentally broken technology in many important respects even with better management tools.

Also, we should be careful in decomposing our targets here.  Federation is a different layer than replacing passwords or password management.  There are already a number of standards in that area which could be given "native" support in a browser without having to re-invent the wheel.  (e.g. SAML2, WS-Federation, OpenID Connect / OAuth2, etc.)

-Brad


On Aug 18, 2014, at 4:45 AM, Mike West <mkwst@google.com> wrote:

> On Tue, Aug 12, 2014 at 10:19 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> > One- or two-click sign _up_, on the other hand, will likely be more
> > difficult given the complexities of authorization (scopes, etc).
> 
> I'm not sure what you count as sign-up? Today, if I visit a new
> website that I've never visited before, I can log in to that website
> in two clicks using identity providers such as facebook/twitter/google. I
> don't think anything more than that is going to get the support we need.
> 
> You're right. I was thinking about username/password flows for sign-up, which can be significantly more complex than IDP's general "pick an IDP, then grant access" flows.
> 
> I'd like to support both, for what it's worth.
> 
> -mike
> 
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
> 
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registration court and number: Hamburg, HRB 86891
> Registered office: Hamburg
> Managing directors: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
> 
Received on Monday, 18 August 2014 17:07:54 UTC
