Re: Proposal for a credential management API. from Mike West on 2014-08-19 (public-webapps@w3.org from July to September 2014)

From: Mike West <mkwst@google.com>
Date: Tue, 19 Aug 2014 14:35:46 +0200
To: "Hill, Brad" <bhill@paypal.com>
Cc: Jonas Sicking <jonas@sicking.cc>, WebApps WG <public-webapps@w3.org>
Message-ID: <CAKXHy=c6YpK_oJjFH9yFHSyYS_U6heQ+oUQrb1qSzHxemZLe-A@mail.gmail.com>

On Mon, Aug 18, 2014 at 7:07 PM, Hill, Brad <bhill@paypal.com> wrote:

> I think the broader goals Jonas has articulated probably belong in their
> own group, perhaps chartered along with some of what comes out of the
> upcoming Web Crypto Next Steps workshop.
>

I'm certainly interested in seeing what comes out of that workshop, and I'm
equally curious about FIDO in general.

Ideally, then, without being too optimistic, I'd like to see passwords
> replaced entirely by better technology rather than continuing to kludge
> upon them.  They're still a fundamentally broken technology in many
> important respects even with better management tools.
>

What's a timeframe in which you might reasonably expect that to happen? I
suspect it's not "months" or "next year".

We're having a hard enough time getting folks onto SSL, which is a much
more basic requirement. I, personally, don't honestly expect passwords to
be widely replaced in the near future, especially given how central they
are to identity on today's web. Given the investment in password-based
authentication systems, and the lethargic pace at which things like this
tend to move, I think the use cases spelled out in my proposal remain quite
relevant to today's web, and tomorrow's web. Hopefully they're less
relevant to web 3.0, but that's a ways off. :)

> Also, we should be careful in decomposing our targets here.  Federation is
> a different layer than replacing passwords or password management.  There
> are already a number of standards in that area which could be given
> "native" support in a browser without having to re-invent the wheel.  (e.g.
> SAML2, WS-Federation, OpenID Connect / OAuth2, etc.)
>

I agree with this division. However, I'm hopeful that the strawman I've
proposed is flexible enough to support a number of potential forms of
credentials. It currently defines "local" and "federated" credentials
broadly, and vaguely. In spirit, at least, it's following Mozilla's
position paper's call for "a box implementations can go in", and is
extensible by design.

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Tuesday, 19 August 2014 12:36:35 UTC