Re: Technical Review of WebAppSec Credential Management API [2/3] (was Re: Overlap with Credentials/Web Payments CG)

From: Jonathan Kingston <jonathan@jooped.com>
Date: Wed, 15 Apr 2015 01:13:24 +0100
Message-ID: <CAKrjaaUYMMCFGBKNk3YResHXhDA4FVHNOguYtBccd0-80_Msqw@mail.gmail.com>
To: Jeffrey Yasskin <jyasskin@google.com>
Cc: Manu Sporny <msporny@digitalbazaar.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

@Jeffrey Tests 8 and 9 here fail with LastPass:
password-generation-test-cases.herokuapp.com

These are visible in a fair few apps that use AJAX for auth; in fact,
LastPass integration advises against using AJAX for this reason, I suspect.
Allowing apps like LastPass to extend or override the store requests will
allow this to be seamless to login rather than sometimes delayed or a
little jankier than native experiences.

On 14 April 2015 at 16:21, Jeffrey Yasskin <jyasskin@google.com> wrote:

> On Mon, Apr 13, 2015 at 10:20 PM, Manu Sporny <msporny@digitalbazaar.com>
> wrote:
>>
>> > * Not having the ability to sync credentials between different
>> > browsers removes features that people depend on from today's
>> > managers (like LastPass) that allow you to do this. This makes the
>> > proposed solution worse than the current solution.
>>
>> Applications like LastPass use a server-side component to enable you to
>> sync credentials between different browser brands. I don't see anything
>> like this in the current spec. Worse, it looks like the current spec is
>> going to put companies like LastPass out of business (if the spec
>> doesn't allow them to inject navigator.credentials).
>>
>> Does the spec provide a suggestion on allowing browser extensions to
>> override navigator.credentials? If it does, are the security
>> ramifications of doing so detailed anywhere? If it doesn't, isn't it
>> making the state of the art worse by removing the ability to share
>> credentials across multiple browser brands?
>>
>
> Are you familiar with the way LastPass currently integrates with Chrome to
> act as a password manager? I believe the technique it currently uses will
> work at least as well when there's just one JavaScript API through which
> all passwords pass. If you think it doesn't work, can you point out the
> exact place it breaks down?
>
> Jeffrey
>
Received on Wednesday, 15 April 2015 00:13:55 UTC
