W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2015

Re: Technical Review of WebAppSec Credential Management API [2/3] (was Re: Overlap with Credentials/Web Payments CG)

From: Jonathan Kingston <jonathan@jooped.com>
Date: Tue, 14 Apr 2015 17:50:11 +0100
Message-ID: <CAKrjaaVTFFm3y3ukdkN-rjqEKu+gcCPQ6J3jP=8XAmJJS2BKMQ@mail.gmail.com>
To: Jeffrey Yasskin <jyasskin@google.com>
Cc: Manu Sporny <msporny@digitalbazaar.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
@Jeffery - I know some breaking cases will create a demo test and update

On 14 April 2015 at 16:21, Jeffrey Yasskin <jyasskin@google.com> wrote:

> On Mon, Apr 13, 2015 at 10:20 PM, Manu Sporny <msporny@digitalbazaar.com>
> wrote:
>>
>> > * Not having the ability to sync credentials between different
>> > browsers removes features that people depend on from today's
>> > managers (like LastPass) that allow you to do this. This makes the
>> > proposed solution worse than the current solution.
>>
>> Applications like LastPass use a server-side component to enable you to
>> sync credentials between different browser brands. I don't see anything
>> like this in the current spec. Worse, it looks like the current spec is
>> going to put companies like LastPass out of business (if the spec
>> doesn't allow them to inject navigator.credentials).
>>
>> Does the spec provide a suggestion on allowing browser extensions to
>> override navigator.credentials? If it does, are the security
>> ramifications of doing so detailed anywhere? If it doesn't, isn't it
>> making the state of the art worse by removing the ability to share
>> credentials across multiple browser brands?
>>
>
> Are you familiar with the way LastPass currently integrates with Chrome to
> act as a password manager? I believe the technique it currently uses will
> work at least as well when there's just one Javascript API through which
> all passwords pass. If you think it doesn't work, can you point out the
> exact place it breaks down?
>
> Jeffrey
>
Received on Tuesday, 14 April 2015 16:50:43 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:12 UTC