RE: Looking for a home for a proposed Credential Management API.

Dear Mike, and all,
What kind of skills do you think this API should benefit?
Good web app dev and architects, security nerds, or crypto people. This may also ease the specification deployment, if it lands in a WG with the right skilled people.
My 2 cents,

-----Original Message-----
From: Harry Halpin []
Sent: Wednesday 24 September 2014 16:01
To: Mike West; Brad Hill; Dan Veditz;; GALINDO Virginie; Webapps WG
Cc: Jonas Sicking;;;; Wendy Seltzer
Subject: Re: Looking for a home for a proposed Credential Management API.

On 09/24/2014 03:57 PM, Mike West wrote:
> (I'd originally sent this just to the folks on to: and cc:. Art
> reminded me that public is better, so I'm resending to
> public-webapps@, and BCCing public-webappsec@ for visibility).
> Hello, chairs of the WebApps, WebAppSec, and WebCrypto WGs!
> On Friday, I had an encouraging discussion with Jonas Sicking
> (CC'd) about the Credential Management API proposed a month or so ago
> on WebApps (
> Chrome has started experimenting with an implementation, and though
> we're nowhere near even considering shipping it, I'd like to make sure
> that our implementation doesn't get too far out ahead of the spec
> process.
> I think it's fair to say that Mozilla is interested in continuing the
> discussion around the short-term and long-term goals of such an API in
> an appropriate venue. I'd like your collective opinion about what that
> venue might be. WebApps seems like the right place just in terms of
> having the right people involved. It would require a recharter,
> however, and it's not clear to me that that would be a worthwhile use
> of folks' time.
> Both WebCrypto and WebAppSec are in the process of rechartering, which
> resolves that potential issue, but neither really seems to be
> appropriate, as they're concerned with aspects other than credentials
> and authentication.
> There's a credentials community group that has nothing to do with the
> proposal, and given the weak IPR protections of a CG, I'd prefer to
> avoid them in the long run (though they might be the right place for
> short-term incubation).
> Brad suggested that an authentication WG might be spun up out of the
> conversations in the recent WebCrypto workshop. Are there concrete
> plans for such a group?

We've just started those discussions. A "high-level" authentication API was brought up as a possible deliverable and this looks on the right level. Whether or not it goes in WebAppSec or WebCrypto or a new WG is up in the air - the discussion *just* started.

The Google folks there also wanted to make sure this dovetailed with their work on U2F in FIDO and of course later work in UAF, so we were kinda waiting for them to make that public.
> Thanks!
> -mike
> -- Mike West <> Google+:, Twitter:
> @mikewest, Cell: +49 162 10 255 91
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registration court and number: Hamburg, HRB 86891 Registered office:
> Hamburg Managing directors: Graham Law, Christine Elizabeth
> Flores (Sorry; I'm legally required to add this exciting detail to
> emails. Bleh.)
Received on Monday, 29 September 2014 07:34:16 UTC