Re: CfC to publish a FPWD of Credential Management; ending April 17th. from Jonathan Kingston on 2015-04-13 (public-webappsec@w3.org from April 2015)

From: Jonathan Kingston <jonathan@jooped.com>
Date: Mon, 13 Apr 2015 19:31:57 +0100
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>
Message-ID: <CAKrjaaWUzUwcWmGZyVSqhnXPLK4y0n0QCeH2F8f33gSnzOPdsw@mail.gmail.com>

Is there any motivation to add in hooks to other credential management
systems outside the browser at all? It seems as if credential management
systems like LastPass would benefit from all the advantages you are setting
out here.
It seems like extensions could hook into a standard API much like they
currently do for geolocation etc.

Also I started the following test site the other day for this exact reason
to improve the usability of password generators:
password-generation-test-cases.herokuapp.com
The AJAX form submission and saving of passwords would be resolved with
this specification (Assuming the API is used. - I can add a test case there
when the API solidifies).
However the other remaining item is supporting password generation
restrictions like 25+ chars minimum, is this something that would belong in
this specification? It could hang odd the pattern attribute of form fields.

Thanks for submitting this.

On 10 April 2015 at 21:21, Mike West <mkwst@google.com> wrote:

> Hello, lovely WebAppSecians. Remember way back in January when I sent out
> a pre-CfC to prime the pump for the credential management API[1]? You've
> probably been checking your inbox daily since then, waiting. Waiting.
> Waiting.
>
> Well, wait no longer! This is a real call for consensus to publish the
> following draft of "Credential Management" as a First Public Working Draft:
>
>
> https://w3c.github.io/webappsec/specs/credentialmanagement/published/2015-04-FPWD.html
>
> The document describes an imperative API enabling a website to request a
> user’s credentials from a user agent, and to help the user agent correctly
> store user credentials for future use.
>
> This CfC will end in a week (on the 17th of April). Feedback, positive and
> negative, to public-webappsec@ is welcome, as are bugs (which you are
> cordially invited to file at
> https://github.com/w3c/webappsec/issues/new?title=CREDENTIAL:%20).
>
> Thanks!
>
> [1]:
> https://lists.w3.org/Archives/Public/public-webappsec/2015Jan/0204.html
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
> Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>

Received on Monday, 13 April 2015 18:32:26 UTC