Re: WebAppSec Credentials Management API FPWD consensus plan

Two days without controversy seems like a good-enough signal to me.

Brad, Dan, Wendy: Do you think it's reasonable to kick off the transition
process for
https://w3c.github.io/webappsec/specs/credentialmanagement/published/2015-04-FPWD.html
?

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Tue, Apr 21, 2015 at 8:37 AM, Mike West <mkwst@google.com> wrote:

> Based on the discussion in https://github.com/w3c/webappsec/pull/277 and
> https://github.com/w3c/webappsec/issues/256, it sounds like we've worked
> things out in the current draft (
> https://w3c.github.io/webappsec/specs/credentialmanagement/) in enough
> detail to proceed with the FPWD. Is that your take on things as well, Manu?
>
> If so, I'll spin out a pubrules-compliant document for Wendy to take
> through the transition process.
>
> -mike
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
> Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
> On Fri, Apr 17, 2015 at 2:51 PM, Manu Sporny <msporny@digitalbazaar.com>
> wrote:
>
>> On 04/17/2015 03:58 AM, Mike West wrote:
>> > 2. Support fetching credentials from locations that are not the
>> > browser (IdP websites, for example) and are not login
>> > super-providers.
>> >
>> > I don't think this is in the scope I've signed up for in v1. I do
>> > believe we need to ensure that we don't box ourselves out of a nice
>> > API for this in the future, but it doesn't seem to me to be a
>> > necessary component of the initial iteration.
>>
>> To be clear, I meant "support" in a "don't box ourselves out of a nice
>> API for this in the future" way. I want us to have a clear plan for how
>> this is going to be polyfilled for LinkedDataCredentials this year and
>> what the implementation plan for that is going to be in the future. A
>> potential future Credentials WG would like to extend the API by doing a
>> minimum amount of modification to the CM API to accomplish fetching
>> LinkedDataCredentials. We want to make sure that we won't have to do
>> anything awkward with the API to get there. I think you want the same
>> thing (don't make developers jump through hoops to support other types
>> of Credentials).
>>
>> > 3. Come to consensus that the data model in the API will work for
>> > both local credentials and Linked Data credentials served from IdP
>> > websites without placing an undue burden on the API.
>> >
>> > I know you note this at the bottom, but for clarity I'd like to be
>> > explicit here: I don't believe that WebAppSec is chartered in such a
>> >  way that this is going to be a formal requirement for the spec. I
>> > will happily work with the CG and IG to make sure that you have room
>> >  to extend the API in Linked Data directions (as discussed in #1),
>> > but I do not intend to add normative language to the spec to that
>> > effect.
>>
>> +1, we're not asking for normative language wrt.
>> LinkedDataCredentials... just that the design of the API supports this
>> sort of extension in the future in a clean way.
>>
>> Correct me if I'm wrong, but it sounds like we have general agreement on
>> a concrete path forward. Now all we need to do is hammer out the details.
>>
>> -- manu
>>
>> --
>> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
>> Founder/CEO - Digital Bazaar, Inc.
>> blog: The Marathonic Dawn of Web Payments
>> http://manu.sporny.org/2014/dawn-of-web-payments/
>>
>>
>

Received on Thursday, 23 April 2015 08:23:27 UTC