W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2015

Re: WebAppSec Credentials Management API FPWD consensus plan

From: Mike West <mkwst@google.com>
Date: Fri, 17 Apr 2015 09:58:37 +0200
Message-ID: <CAKXHy=fZY6NkGSSeAJ=TdExKgwNmN90o1Ny8K+Sqb3rgV8T84g@mail.gmail.com>
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Apr 17, 2015 at 6:30 AM, Manu Sporny <msporny@digitalbazaar.com>

> (bcc: Web Payments IG, Credentials CG)
> This is an attempt to propose a plan that will achieve consensus on the
> WebAppSec Credentials Management API FPWD publication. It is informed by
> the state of discussions[1][2][3] that have been occurring in the github
> issue tracker.
> Requests that, if fulfilled, will almost surely result in consensus:
> 1. Continue to work together to refine changes to the API and data
>    model via github issue 256[3].

Based on David's feedback, I think we're already pretty close. I rewrote a
good chunk of the spec yesterday based on the concerns raised here, and I'm
hopeful that we'll be able to hammer something out in the very near future.

> 2. Support fetching credentials from locations that are not the
>    browser (IdP websites, for example) and are not login
>    super-providers.

I don't think this is in the scope I've signed up for in v1. I do believe
we need to ensure that we don't box ourselves out of a nice API for this in
the future, but it doesn't seem to me to be a necessary component of the
initial iteration.

> 3. Come to consensus that the data model in the API will work for
>    both local credentials and Linked Data credentials served from
>    IdP websites without placing an undue burden on the API.

I know you note this at the bottom, but for clarity I'd like to be explicit
here: I don't believe that WebAppSec is chartered in such a way that this
is going to be a formal requirement for the spec. I will happily work with
the CG and IG to make sure that you have room to extend the API in Linked
Data directions (as discussed in #1), but I do not intend to add normative
language to the spec to that effect.

Requests that would most likely be a good idea as the spec progresses:
> 1. The Web Payments IG and Credentials CG should be ping'd from time to
>    time to do spec reviews.

This certainly seems reasonable.

> 2. An organization in the Credentials CG will do an experimental
>    polyfill implementation of the Credentials Management API to ensure
>    that it is workable from our standpoint.

Sounds great!

> 3. Briefly mention the Credentials CG work in the spec since you
>    mention Persona and WebID. I'd be happy to submit a PR for this.

I'm happy to review such a PR. :)


Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 17 April 2015 07:59:27 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:48 UTC