Re: WebAppSec Credentials Management API FPWD consensus plan

Based on the discussion in https://github.com/w3c/webappsec/pull/277 and
https://github.com/w3c/webappsec/issues/256, it sounds like we've worked
things out in the current draft (
https://w3c.github.io/webappsec/specs/credentialmanagement/) in enough
detail to proceed with the FPWD. Is that your take on things as well, Manu?

If so, I'll spin out a pubrules-compliant document for Wendy to take
through the transition process.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registration court and number: Hamburg, HRB 86891, Registered
office: Hamburg, Managing directors: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Fri, Apr 17, 2015 at 2:51 PM, Manu Sporny <msporny@digitalbazaar.com>
wrote:

> On 04/17/2015 03:58 AM, Mike West wrote:
> > 2. Support fetching credentials from locations that are not the
> > browser (IdP websites, for example) and are not login
> > super-providers.
> >
> > I don't think this is in the scope I've signed up for in v1. I do
> > believe we need to ensure that we don't box ourselves out of a nice
> > API for this in the future, but it doesn't seem to me to be a
> > necessary component of the initial iteration.
>
> To be clear, I meant "support" in a "don't box ourselves out of a nice
> API for this in the future" way. I want us to have a clear plan for how
> this is going to be polyfilled for LinkedDataCredentials this year and
> what the implementation plan for that is going to be in the future. A
> potential future Credentials WG would like to extend the API by doing a
> minimum amount of modification to the CM API to accomplish fetching
> LinkedDataCredentials. We want to make sure that we won't have to do
> anything awkward with the API to get there. I think you want the same
> thing (don't make developers jump through hoops to support other types
> of Credentials).
>
> > 3. Come to consensus that the data model in the API will work for
> > both local credentials and Linked Data credentials served from IdP
> > websites without placing an undue burden on the API.
> >
> > I know you note this at the bottom, but for clarity I'd like to be
> > explicit here: I don't believe that WebAppSec is chartered in such a
> > way that this is going to be a formal requirement for the spec. I
> > will happily work with the CG and IG to make sure that you have room
> > to extend the API in Linked Data directions (as discussed in #1),
> > but I do not intend to add normative language to the spec to that
> > effect.
>
> +1, we're not asking for normative language wrt.
> LinkedDataCredentials... just that the design of the API supports this
> sort of extension in the future in a clean way.
>
> Correct me if I'm wrong, but it sounds like we have general agreement on
> a concrete path forward. Now all we need to do is hammer out the details.
>
> -- manu
>
> --
> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
> Founder/CEO - Digital Bazaar, Inc.
> blog: The Marathonic Dawn of Web Payments
> http://manu.sporny.org/2014/dawn-of-web-payments/
>
>

Received on Tuesday, 21 April 2015 06:38:03 UTC