- From: Brad Hill <hillbrad@gmail.com>
- Date: Tue, 14 Apr 2015 17:19:59 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAEeYn8hCs+swe=T=PW2UZyjSheHawzcShWL9Ek4vig4rp5ZMnA@mail.gmail.com>
I think the subject of this thread is an excellent summary of the core issue here, and the more I read, the more I'm convinced that the only overlap is in the name of this spec and the CG. The Credentials CG is working on a very ambitious project to reinvent how authentication, identity, federations and attested attributes are exchanged on the web. The Credential Management API is attempting to make incremental improvements to existing browser (and plugin) technology for ease-of-use affordances around saving what might accurately be termed legacy username/password and username/realm pairs. These differences are also in-keeping with the style and charter obligations of the different types of groups. A Community Group has much looser patent commitments and a broader scope to explore and invent. A Working Group is chartered with a specific scope, strong patent commitments within that scope, and member organizations *very* carefully review that scope before choosing to participate. Given that WebAppSec has just completed a rechartering, and the scope in that charter, I don't think that we _can_ work on something with much more detail than the abstractly extensible model that Mike has specified. The overall construction might be arranged differently, but getting into the details of things going on in the Credentials CG, which involves technology around payment instruments, claims, blinding, signatures, credential brokering, linked data formats, etc. is seriously beyond our charter and risks the ability for many of our participating organizations to continue to do so, were we to put it into the charter. (and I don't think there is any energy or enthusiasm for another rechartering process at this time) Really, I see the goals and use cases targeted here as different enough that neither one is a threat to the other - even if they were to continue to share the term "credentials". But, unfortunately, as a point of order within this group, I'd like to ask that we confine discussion to the shape of the abstract API. If we can improve it to make it more future-proof, we should of course do so, but providing a direct implementation for the Credential CG and Payment IG's use cases is not what we are chartered to do, members of those groups have not joined the WG or executed contributor's agreements, and we cannot take potentially encumbered technology into our specifications, especially that which is beyond our charter scope. Sincerely, Brad Hill Co-Chair WebAppSec WG
Received on Tuesday, 14 April 2015 17:20:52 UTC