- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Fri, 03 Oct 2014 09:59:44 -0400
- To: Mike West <mkwst@google.com>
- CC: Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>, chaals@yandex-team.ru, Virginie.Galindo@gemalto.com, Webapps WG <public-webapps@w3.org>, Jonas Sicking <sicking@mozilla.com>, plh@w3.org, ylafon@w3.org, xiaoqian@w3.org, Wendy Seltzer <wseltzer@w3.org>, hhalpin@w3.org, Credentials Community Group <public-credentials@w3.org>
On 09/24/2014 09:57 AM, Mike West wrote: > There's a credentials community group that has nothing to do with > the proposal There's more in common than you might think. Fundamentally, the Credentials CG would like to ensure that the Credentials API that you're proposing supports the type of high-stakes, digitally signed credentials (like government-issued passports, professional licenses, background checks, etc.) that we need for the Web Payments work. I suggest reading up on what we'd like to see here: http://manu.sporny.org/2014/credential-based-login/ http://manu.sporny.org/2014/identity-credentials/ I'll do a review of your spec and use cases from a Credentials CG viewpoint. I'm happy to get on the phone w/ you and discuss things in more technical depth when you become available. That said, the right place to discuss the API is most likely Web Apps with input from WebCrypto WG, Security IG, Web Payments IG, FIDO Alliance, and the Credentials CG. I don't think you can do a good job on the API you're proposing without all of their involvement. > and given the weak IPR protections of a CG, I'd prefer to avoid them > in the long run (though they might be the right place for short-term > incubation). I agree that the Credentials CG (or any CG) isn't the right place for the work in the long run. Keep in mind that the Web Payments work will most likely be starting soon, and they'll be in charge of recommending new WGs to be chartered to support the work. Transmitting credentials is a big part of the problem and a few modifications to your API could address that issue. > Another option would be to create a new a new CG (although I suppose > there could be some confusion with Manu's Credentials CG > <http://www.w3.org/community/credentials/>). The Credentials CG can provide input, but most of the right people to talk about the API (and all of the potential security issues) probably exist in WebApps. As Robin said earlier in the thread, I wouldn't focus too much on the process and "the right group" too much. Get documents published, get implementations and polyfills done, then ping all of the groups listed above to get their feedback. The Credentials CG would be happy to provide input on the API as it relates to our use cases. -- manu -- Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny) Founder/CEO - Digital Bazaar, Inc. blog: High-Stakes Credentials and Web Login http://manu.sporny.org/2014/identity-credentials/
Received on Friday, 3 October 2014 14:00:23 UTC