- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Wed, 15 Apr 2015 17:56:41 +0200
- To: Brad Hill <hillbrad@gmail.com>
- Cc: Wendy Seltzer <wseltzer@w3.org>, Mike West <mkwst@google.com>, Manu Sporny <msporny@digitalbazaar.com>, Dan Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Credentials Community Group <public-credentials@w3.org>, Web Payments IG <public-webpayments-ig@w3.org>
- Message-ID: <CAKaEYh+UmtL7P9G5K+_P4tiwhThGwD-XbYbRNRELW2yoE2ZUcQ@mail.gmail.com>
On 13 April 2015 at 19:23, Brad Hill <hillbrad@gmail.com> wrote: > Manu, > > Before you continue tossing around threats of Formal Objections, I'll > suggest you refer the process document: > > http://www.w3.org/2014/Process-20140801/ > > "An individual who registers a Formal Objection SHOULD cite technical > arguments and propose changes that would remove the Formal Objection; these > proposals MAY be vague or incomplete. Formal Objections that do not > provide substantive arguments or rationale are unlikely to receive serious > consideration by the Director." > May I just note that the document in question is incomplete. Please refer to section 1.3.2 which has a single word, "TODO". By pure coincidence (or maybe not!), "the Director" quoted above is one of the author's of the work on Web Identity. Another note, that I reached out to Mike West as part of of the WebID community, on March 3, so perhaps there is an opportunity to work together on that section. [1] http://www.w3.org/2005/Incubator/webid/spec/identity/ [2] https://lists.w3.org/Archives/Public/public-webid/2015Mar/0003.html > > I hope you will at least do this group the courtesy of the same: a > substantive technical rationale for the objection and proposals for changes > (within the chartered scope of this WG: > http://www.w3.org/2015/03/webappsec-charter-2015.html) that would remove > the objection, and give us an opportunity to respond to those suggestions. > > Credential is a very overloaded term, as the CG's executive summary > document makes abundantly clear. The concrete problem of improving the > reliability, functionality and security of management tools for > username/password and federated credentials - tools that are in wide > deployment today - is real and pressing, and that is what we put in the > scope of our charter. > > As the Credentials CG summary seems to consider 'credentials' as > potentially including payment instruments, identities, verifiable age > claims, and more, and there is no technical report giving any technical > details of how such would be represented, it seems impossible to judge at > this time whether this specification would accommodate those concerns or > not, or whether the use case scenarios even overlap (automatically applying > a username/password for login is quite different than automatically > applying a payment instrument!) without further clarification. > > thank you, > > Brad Hill > Co-Chair, WebAppSec WG > > On Mon, Apr 13, 2015 at 6:01 AM Wendy Seltzer <wseltzer@w3.org> wrote: > >> On 04/13/2015 04:45 AM, Mike West wrote: >> > (Forking the thread for clarity) >> > >> > Hi Manu! >> > >> > I've put forward this draft of the credential management spec in order >> to >> > seek exactly this sort of feedback from developers. If there are indeed >> > technical deficiencies in the spec that make it unsuitable for use cases >> > that we ought to support, then we certainly need to change it. >> > >> > Indeed, the API proposed in this document is intended to be fairly >> generic >> > (it has ~2 methods) and extensible (by subclassing `Credential`) so as >> not >> > to block future innovation. It would be helpful to understand how >> exactly >> > it blocks you from doing the work you'd like to be doing. >> > >> > On Mon, Apr 13, 2015 at 3:44 AM, Manu Sporny <msporny@digitalbazaar.com >> > >> > wrote: >> > >> >> On 04/10/2015 04:21 PM, Mike West wrote: >> >>> Well, wait no longer! This is a real call for consensus to publish >> >>> the following draft of "Credential Management" as a First Public >> >>> Working Draft: >> >> >> >> -1, the spec completely ignores the very substantial work going on in >> >> the Credentials CG and the Web Payments IG that is related to the API >> >> you're proposing. >> >> >> > >> > Perhaps the word "credentials" is causing problems; after skimming the >> > documents you pointed to, I don't see significant overlap between this >> spec >> > and those groups. Is your concern that we're co-opting the term? Or is >> > there something deeper? >> >> Apart from using a common term differently, I don't see much overlap and >> hence potential conflict between the different pieces of work. Mike's >> WebAppSec draft is certainly not asserting that it is the sole source of >> meaning for the term "credential," nor is it saying that web users could >> not request or express richer credentials. >> >> > >> > I suggest the Web AppSec Chairs start coordinating w/ the Web Payments >> >> IG and the Credentials CG before proposing the publication of this >> FPWD. >> >> >> > >> > +Brad, Dan, Wendy. >> >> I'll join this morning's Web Payments IG call and am happy to work to >> help resolve the disagreement. >> >> --Wendy >> >> > >> > -- >> > Mike West <mkwst@google.com>, @mikewest >> > >> > Google Germany GmbH, Dienerstrasse 12, 80331 München, >> > Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der >> > Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth >> > Flores >> > (Sorry; I'm legally required to add this exciting detail to emails. >> Bleh.) >> > >> >> >> -- >> Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office) >> Policy Counsel and Domain Lead, World Wide Web Consortium (W3C) >> http://wendy.seltzer.org/ +1.617.863.0613 (mobile) >> >>
Received on Wednesday, 15 April 2015 15:57:11 UTC