Re: Technical Review of WebAppSec Credential Management API [2/3] (was Re: Overlap with Credentials/Web Payments CG) from Nate Otto on 2015-04-15 (public-webappsec@w3.org from April 2015)

From: Nate Otto <nate@ottonomy.net>
Date: Wed, 15 Apr 2015 11:56:22 -0700
To: Credentials Community Group <public-credentials@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Cc: Mike West <mkwst@google.com>, Web Payments IG <public-webpayments-ig@w3.org>, Gregg Kellogg <gregg@greggkellogg.net>
Message-ID: <CAPk0ugnP=t4m_bJDHxsanFAO5odDVB+EKahfwYx2C31_rUBv5g@mail.gmail.com>

Thanks all for spending time discussing this issue

Hi, I'm a developer working on building software that issues and
understands Open Badges, as well as working on developing the Open Badges
specification, which is one particular type of credential that fits under
the Credentials CG's definition and can operate smoothly with that group's
sketched-out technical direction.

Open Badges are defined levels of achievement, essentially descriptions of
skills, experience, participation or could describe many other types of
relationships between an issuer and a recipient.

I would like to see a future where services can easily ask for rich
credentials of many types in order to decide whether to authenticate a
user, but also whether to authorize them to access protected resources.
While authentication that a user is indeed the recipient/subject of the
provided credentials is essential to this process, I don't see a strong
distinction between credentials a user supplies to prove their own identity
and verifiable credentials issued by other parties that make claims about
the user.

In effect, if a service could ask, "401 Permission Denied; Do you have a
valid staff credential from one of these three partners?", I think the
possible ecosystem of credential issuers and relying parties could be quite
exciting. I'm largely agnostic to exactly how this might be implemented,
though I see promise to some of the methods devised by the Credentials CG
using signed linked data in JSON-LD format.

I would like to see services use both of these types together to determine
how to respond to requests that require authenticated and privileged
access. I'm not steeped in browser APIs thoroughly enough to have an
educated opinion on how requests for credentials of different types should
be made, but I see being able to request and accept a composition of
various credentials from a user agent as a useful part of this process.

+1 to starting with login credentials, but please take the Web Payments IG
and the young Credentials CG's desire to incorporate other credential types
in the future into account.


Thanks,

*Nate Otto, Developer*
concentricsky.com

Received on Wednesday, 15 April 2015 18:57:24 UTC