W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2015

Re: CfC to publish a FPWD of Credential Management; ending April 17th.

From: Mike West <mkwst@google.com>
Date: Mon, 13 Apr 2015 20:42:06 +0200
Message-ID: <CAKXHy=cQ14xWjsdJjVmX7Lt_R_dWJwq=OEgEpteDRt-_kBUaRg@mail.gmail.com>
To: Jonathan Kingston <jonathan@jooped.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>
On Mon, Apr 13, 2015 at 8:31 PM, Jonathan Kingston <jonathan@jooped.com>
wrote:

> Is there any motivation to add in hooks to other credential management
> systems outside the browser at all? It seems as if credential management
> systems like LastPass would benefit from all the advantages you are setting
> out here.
> It seems like extensions could hook into a standard API much like they
> currently do for geolocation etc.
>

I don't think we can reasonably specify that (as extension systems are by
their nature specific to each browser, and not really part of the web
platform). That said, I think it would be totally reasonable for browser
vendors to support password management extensions (in fact, if there's much
interest in this API, I somewhat expect LassPass and others to start
injecting this API).

Also I started the following test site the other day for this exact reason
> to improve the usability of password generators:
> password-generation-test-cases.herokuapp.com
> The AJAX form submission and saving of passwords would be resolved with
> this specification (Assuming the API is used. - I can add a test case there
> when the API solidifies).
>

Looks interesting, thanks!

However the other remaining item is supporting password generation
> restrictions like 25+ chars minimum, is this something that would belong in
> this specification?
>

This question is
https://w3c.github.io/webappsec/specs/credentialmanagement/#issue-1a314ee6
in the spec. I do think it's something worth supporting, but I'd like to
get the general shape of the API hammered out in this forum before moving
to that kind of "nice to have" detail.


> It could hang odd the pattern attribute of form fields.
>

For everyone's sanity, I'd hope we can find more declarative rules than
that. Parsing a regex (or, worse, just generating random passwords until
one matches!) is complicated.

Thanks for submitting this.
>

Thanks for your feedback!

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Monday, 13 April 2015 18:42:55 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:12 UTC