- From: Brad Hill <hillbrad@gmail.com>
- Date: Mon, 13 Apr 2015 17:23:38 +0000
- To: Wendy Seltzer <wseltzer@w3.org>, Mike West <mkwst@google.com>, Manu Sporny <msporny@digitalbazaar.com>, Dan Veditz <dveditz@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Credentials Community Group <public-credentials@w3.org>, Web Payments IG <public-webpayments-ig@w3.org>
- Message-ID: <CAEeYn8i1WhU1gTjwqdgDTRPNwEPdBHiCL7+baB6fUnO9QG5HhQ@mail.gmail.com>
Manu,

Before you continue tossing around threats of Formal Objections, I'll suggest you refer to the process document:

http://www.w3.org/2014/Process-20140801/

"An individual who registers a Formal Objection SHOULD cite technical arguments and propose changes that would remove the Formal Objection; these proposals MAY be vague or incomplete. Formal Objections that do not provide substantive arguments or rationale are unlikely to receive serious consideration by the Director."

I hope you will at least do this group the courtesy of the same: a substantive technical rationale for the objection and proposals for changes (within the chartered scope of this WG: http://www.w3.org/2015/03/webappsec-charter-2015.html) that would remove the objection, and give us an opportunity to respond to those suggestions.

Credential is a very overloaded term, as the CG's executive summary document makes abundantly clear. The concrete problem of improving the reliability, functionality and security of management tools for username/password and federated credentials - tools that are in wide deployment today - is real and pressing, and that is what we put in the scope of our charter.

As the Credentials CG summary seems to consider 'credentials' as potentially including payment instruments, identities, verifiable age claims, and more, and there is no technical report giving any technical details of how such would be represented, it seems impossible to judge at this time whether this specification would accommodate those concerns or not, or whether the use case scenarios even overlap (automatically applying a username/password for login is quite different than automatically applying a payment instrument!) without further clarification.

thank you,

Brad Hill
Co-Chair, WebAppSec WG

On Mon, Apr 13, 2015 at 6:01 AM Wendy Seltzer <wseltzer@w3.org> wrote:

> On 04/13/2015 04:45 AM, Mike West wrote:
> > (Forking the thread for clarity)
> >
> > Hi Manu!
> >
> > I've put forward this draft of the credential management spec in order to seek exactly this sort of feedback from developers. If there are indeed technical deficiencies in the spec that make it unsuitable for use cases that we ought to support, then we certainly need to change it.
> >
> > Indeed, the API proposed in this document is intended to be fairly generic (it has ~2 methods) and extensible (by subclassing `Credential`) so as not to block future innovation. It would be helpful to understand how exactly it blocks you from doing the work you'd like to be doing.
> >
> > On Mon, Apr 13, 2015 at 3:44 AM, Manu Sporny <msporny@digitalbazaar.com> wrote:
> >
> >> On 04/10/2015 04:21 PM, Mike West wrote:
> >>> Well, wait no longer! This is a real call for consensus to publish the following draft of "Credential Management" as a First Public Working Draft:
> >>
> >> -1, the spec completely ignores the very substantial work going on in the Credentials CG and the Web Payments IG that is related to the API you're proposing.
> >>
> >
> > Perhaps the word "credentials" is causing problems; after skimming the documents you pointed to, I don't see significant overlap between this spec and those groups. Is your concern that we're co-opting the term? Or is there something deeper?
>
> Apart from using a common term differently, I don't see much overlap and hence potential conflict between the different pieces of work. Mike's WebAppSec draft is certainly not asserting that it is the sole source of meaning for the term "credential," nor is it saying that web users could not request or express richer credentials.
>
> >> I suggest the Web AppSec Chairs start coordinating w/ the Web Payments IG and the Credentials CG before proposing the publication of this FPWD.
> >>
> >
> > +Brad, Dan, Wendy.
>
> I'll join this morning's Web Payments IG call and am happy to work to help resolve the disagreement.
>
> --Wendy
>
> > --
> > Mike West <mkwst@google.com>, @mikewest
> >
> > Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores
> > (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
> --
> Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
> Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
> http://wendy.seltzer.org/ +1.617.863.0613 (mobile)

Received on Monday, 13 April 2015 17:24:08 UTC