- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Wed, 15 Apr 2015 17:56:41 +0200
- To: Brad Hill <hillbrad@gmail.com>
- Cc: Wendy Seltzer <wseltzer@w3.org>, Mike West <mkwst@google.com>, Manu Sporny <msporny@digitalbazaar.com>, Dan Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Credentials Community Group <public-credentials@w3.org>, Web Payments IG <public-webpayments-ig@w3.org>
- Message-ID: <CAKaEYh+UmtL7P9G5K+_P4tiwhThGwD-XbYbRNRELW2yoE2ZUcQ@mail.gmail.com>
On 13 April 2015 at 19:23, Brad Hill <hillbrad@gmail.com> wrote:
> Manu,
>
> Before you continue tossing around threats of Formal Objections, I'll
> suggest you refer to the process document:
>
> http://www.w3.org/2014/Process-20140801/
>
> "An individual who registers a Formal Objection SHOULD cite technical
> arguments and propose changes that would remove the Formal Objection; these
> proposals MAY be vague or incomplete. Formal Objections that do not
> provide substantive arguments or rationale are unlikely to receive serious
> consideration by the Director."
>

May I just note that the document in question is incomplete. Please refer to section 1.3.2 which has a single word, "TODO".

By pure coincidence (or maybe not!), "the Director" quoted above is one of the authors of the work on Web Identity.

Another note, that I reached out to Mike West as part of the WebID community, on March 3, so perhaps there is an opportunity to work together on that section.

[1] http://www.w3.org/2005/Incubator/webid/spec/identity/
[2] https://lists.w3.org/Archives/Public/public-webid/2015Mar/0003.html

>
> I hope you will at least do this group the courtesy of the same: a
> substantive technical rationale for the objection and proposals for changes
> (within the chartered scope of this WG:
> http://www.w3.org/2015/03/webappsec-charter-2015.html) that would remove
> the objection, and give us an opportunity to respond to those suggestions.
>
> Credential is a very overloaded term, as the CG's executive summary
> document makes abundantly clear. The concrete problem of improving the
> reliability, functionality and security of management tools for
> username/password and federated credentials - tools that are in wide
> deployment today - is real and pressing, and that is what we put in the
> scope of our charter.
>
> As the Credentials CG summary seems to consider 'credentials' as
> potentially including payment instruments, identities, verifiable age
> claims, and more, and there is no technical report giving any technical
> details of how such would be represented, it seems impossible to judge at
> this time whether this specification would accommodate those concerns or
> not, or whether the use case scenarios even overlap (automatically applying
> a username/password for login is quite different than automatically
> applying a payment instrument!) without further clarification.
>
> thank you,
>
> Brad Hill
> Co-Chair, WebAppSec WG
>
> On Mon, Apr 13, 2015 at 6:01 AM Wendy Seltzer <wseltzer@w3.org> wrote:
>
>> On 04/13/2015 04:45 AM, Mike West wrote:
>> > (Forking the thread for clarity)
>> >
>> > Hi Manu!
>> >
>> > I've put forward this draft of the credential management spec in order to
>> > seek exactly this sort of feedback from developers. If there are indeed
>> > technical deficiencies in the spec that make it unsuitable for use cases
>> > that we ought to support, then we certainly need to change it.
>> >
>> > Indeed, the API proposed in this document is intended to be fairly generic
>> > (it has ~2 methods) and extensible (by subclassing `Credential`) so as not
>> > to block future innovation. It would be helpful to understand how exactly
>> > it blocks you from doing the work you'd like to be doing.
>> >
>> > On Mon, Apr 13, 2015 at 3:44 AM, Manu Sporny <msporny@digitalbazaar.com>
>> > wrote:
>> >
>> >> On 04/10/2015 04:21 PM, Mike West wrote:
>> >>> Well, wait no longer! This is a real call for consensus to publish
>> >>> the following draft of "Credential Management" as a First Public
>> >>> Working Draft:
>> >>
>> >> -1, the spec completely ignores the very substantial work going on in
>> >> the Credentials CG and the Web Payments IG that is related to the API
>> >> you're proposing.
>> >>
>> >
>> > Perhaps the word "credentials" is causing problems; after skimming the
>> > documents you pointed to, I don't see significant overlap between this spec
>> > and those groups. Is your concern that we're co-opting the term? Or is
>> > there something deeper?
>>
>> Apart from using a common term differently, I don't see much overlap and
>> hence potential conflict between the different pieces of work. Mike's
>> WebAppSec draft is certainly not asserting that it is the sole source of
>> meaning for the term "credential," nor is it saying that web users could
>> not request or express richer credentials.
>>
>> >
>> >> I suggest the Web AppSec Chairs start coordinating w/ the Web Payments
>> >> IG and the Credentials CG before proposing the publication of this FPWD.
>> >>
>> >
>> > +Brad, Dan, Wendy.
>>
>> I'll join this morning's Web Payments IG call and am happy to work to
>> help resolve the disagreement.
>>
>> --Wendy
>>
>> >
>> > --
>> > Mike West <mkwst@google.com>, @mikewest
>> >
>> > Google Germany GmbH, Dienerstrasse 12, 80331 München,
>> > Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
>> > Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
>> > Flores
>> > (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>> >
>>
>>
>> --
>> Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
>> Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
>> http://wendy.seltzer.org/ +1.617.863.0613 (mobile)
>>
>>
Received on Wednesday, 15 April 2015 15:57:11 UTC