
The Credential Management API - Another approach

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Thu, 23 Apr 2015 09:39:45 +0200
Message-ID: <5538A1C1.6040606@gmail.com>
To: W3C Credentials Community Group <public-credentials@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>

Regardless if the Credential Management API matches the envisioned needs of the Credentials CG or not, I doubt that this is the right path for the industry.

There are several problems with the approach taken and one of the more obvious is that "Apps" like Skype, Facebook, e-banking, etc. also rely on credentials, which makes the idea of building such functionality into the browser layer somewhat futile; credentials rather belong to the platform. Yeah, this is an implementation issue but this is probably not what's on the menu today: "The types of credentials defined in this document are stored locally in a user agent’s credential store".

Due to the fact above, the unknown buy-in from other browser vendors and last but not least the inherent inflexibility of the browser infrastructure with respect to updates, I'm convinced that credential management would be more suited as applications based on "The Extended Web":
https://lists.w3.org/Archives/Public/public-webappsec/2015Apr/0220.html

I did indeed write applications with an 's' for the simple reason that there will unlikely ever be "the" credential management system; there will rather be a bunch of such. Here is a pointer to a credential management system that has virtually nothing in common with the Credential Management draft:
https://cyberphone.github.io/openkeystore/resources/docs/keygen2.html
Note: The KeyGen2 invocation interface will be revised to use "The Extended Web".

Anders
Received on Thursday, 23 April 2015 07:40:30 UTC
