W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2015

Re: Technical Review of WebAppSec Credential Management API [2/3] (was Re: Overlap with Credentials/Web Payments CG)

From: Jeffrey Yasskin <jyasskin@google.com>
Date: Tue, 14 Apr 2015 08:21:59 -0700
Message-ID: <CANh-dX=NMcKX1OEoaS0vgJGWn_L=fm+bro+ihmjHRcJCdbO6iw@mail.gmail.com>
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Apr 13, 2015 at 10:20 PM, Manu Sporny <msporny@digitalbazaar.com>
wrote:
>
> > * Not having the ability to sync credentials between different
> > browsers removes features that people depend on from today's
> > managers (like LastPass) that allow you to do this. This makes the
> > proposed solution worse than the current solution.
>
> Applications like LastPass use a server-side component to enable you to
> sync credentials between different browser brands. I don't see anything
> like this in the current spec. Worse, it looks like the current spec is
> going to put companies like LastPass out of business (if the spec
> doesn't allow them to inject navigator.credentials).
>
> Does the spec provide a suggestion on allowing browser extensions to
> override navigator.credentials? If it does, are the security
> ramifications of doing so detailed anywhere? If it doesn't, isn't it
> making the state of the art worse by removing the ability to share
> credentials across multiple browser brands?
>

Are you familiar with the way LastPass currently integrates with Chrome to
act as a password manager? I believe the technique it currently uses will
work at least as well when there's just one Javascript API through which
all passwords pass. If you think it doesn't work, can you point out the
exact place it breaks down?

Jeffrey
Received on Tuesday, 14 April 2015 15:22:51 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:12 UTC