Re: WebAppSec Credentials Management API FPWD consensus plan

On 04/23/2015 11:45 AM, Mike West wrote:
> To be clear, we're skeptical that the current form of the API lends 
> itself well to the type of extension we'd like to perform. We can do 
> it, but every approach we've tried thus far feels like a hack and 
> we'd probably end up defining a new API rather than extending the one
> currently defined (clearly, that's not a good thing and we want to
> avoid that).
> That's disappointing to hear.

Turn that frown upside down, buddy. :)

I'm not disappointed in that we're talking and as long as we keep
talking we'll be able to figure out if what we'd like to see happen is
possible, or if it's too much of a stretch for the WebAppSec group given
their current (limited) charter on the topic.

It's going to take time to work through the issue. I don't think we can
expect to spend a week on it and figure it out. We were hopeful based on
our discussion last week that we would be able to use what was put
forward in the compromise, but having taken a further look into it, we'd
like to propose some alternatives.

> We've made a number of compromises in the API in order to increase 
> the flexibility for the kinds of extensions David (CC'd) has asked 
> for in Since there 
> hasn't been substantive discussion on that bug since Friday, I 
> thought we were pretty close to being on the same page.

Keep in mind that we're very busy and spread across the Web Payments IG,
Credentials CG, and now this group. Conference season is also upon us
and we travel extensively to promote the work going on at W3C.

You haven't heard from us in two days because we're currently trying to
figure out the most effective way of engaging the WebAppSec group as we
continue to deliberate.

The thought right now is to propose a complete API that we believe would
work for all three affected groups at W3C and see if it could be
workable. We don't believe we can make progress in the GitHub issue
because there are some core philosophy issues that need to get sorted
out. For example, you stated that you weren't interested in working on
cross-origin credentials. That, however, is exactly what we need for the
work we're doing. So, W3C needs to figure out if they're going to think
about/support cross-origin credentials and that conversation isn't going
to play out in a week's time.

If what we're proposing is not workable via this group, then so be it,
but we'd like to try to put together a full proposal and see where it
goes. I don't think we're that far away from what we'd need.

-- manu

Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: High-Stakes Credentials and Web Login

Received on Thursday, 23 April 2015 16:17:54 UTC