- From: Dave Longley <dlongley@digitalbazaar.com>
- Date: Wed, 15 Apr 2015 12:01:18 -0400
- To: Mike West <mkwst@google.com>, Adrian Hope-Bailie <adrian@hopebailie.com>
- CC: Janusz Majnert <jmajnert@gmail.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <552E8B4E.8050001@digitalbazaar.com>
On 04/15/2015 11:23 AM, Mike West wrote: > On Wed, Apr 15, 2015 at 3:08 PM, Adrian Hope-Bailie > <adrian@hopebailie.com <mailto:adrian@hopebailie.com>> wrote: > > But we need to concentrate on showing what the specific issues are and > how they can be addressed. It would be great if concerned members of > Credential and Web Payments CGs could raise issues on github instead > of reiterating the same points in lengthy emails :-) > > +1 again, however the call for consensus closes in 2 days. > As far as I know there are a number of people working on providing > just that feedback but they simply require some more time. > As I asked in a previous email; would it help for a member/members > of these groups to join the WebAppSec WG in order to provide a > voice from that corner? > I am happy to do so if required but have not had feedback on this yet. > > My original email on this thread was a proposal that the groups be > given time to pull down the latest polyfill code and demos and > actually attempt to run through some use cases as a basis for > logging issues in GitHub. > That email has had no response... > > > I haven't responded because I want to make sure I understand the > documents Credentials CG has produced before extending the thread > further. :) > > I've read through both http://opencreds.org/specs/source/use-cases/ > (where username/password login is explicitly excluded from the flow > under consideration in section 4.3 > <http://opencreds.org/specs/source/use-cases/#legacy-support>), and > http://opencreds.org/specs/source/identity-credentials/. I haven't > found reference to the `navigator.credentials.get` API that David > referenced in an earlier message on this thread. Could you point me at > that document so I can get a feel for the way you've structured things? We don't have a document for that API yet, we've just been implementing demos that include it. Some very rough source for an older version of it is here as `navigator.identity.getCredentials`: https://github.com/digitalbazaar/opencred-idp/blob/master/sites/credentials.dev/navigator.identity.js It's a very simple shim that forwards a credentials query to another site that essentially implements what the browser would implement in the future (referred to as the "LoginHub" or "login-hub.com"). This can be seen in a demo from last year. This blog post will guide you through that demo: http://manu.sporny.org/2014/identity-credentials/ You'll also want to look at a more up-to-date version of the use cases document here: https://docs.google.com/document/d/1GySrTXAYpwa4vDPsGE3BMA42FwIAqAyLGigKuKUTGks/edit?pli=1 We've been using Google Docs to do more rapid iteration on the use cases document until we're ready to move it back into ReSpec format. There should be a bit more on login use cases in there. > > My impression is that we might indeed be able to find some abstraction > that doesn't stomp on anyone's use cases. I'm a little worried that > doing so will make both sets of use cases more difficult to actually > use, and developer ergonomics are important. I'm also worried that the > credentials CG's work on both a new protocol and delivery mechanism is > a bit too "boil the ocean"; my hope was to slowly move towards a > better world by leveraging the things that currently exist today. The > use cases in section 1.1 of the credential spec I proposed lay out the > baby steps that I think start us down the road. Critically, they have > very small hurdles to developer adoption, as they can be trivially > layered on top of an existing sign-in flow. > > I recognize that the world the credentials CG is envisioning is (in > broad strokes) "better" than usernames and passwords. I hope you can > likewise recognize that supporting usernames and passwords, and > existing federations (which, together constitute the entirety of > status-quo sign-in) is something that has real value for both users > and web developers in the short- to medium-term. Yes, and we definitely value the work you're putting in. We just want to make all of this work together so we can make things better both in the short term and in the long. Thanks! -- Dave Longley CTO Digital Bazaar, Inc. http://digitalbazaar.com
Received on Wednesday, 15 April 2015 16:01:45 UTC