Re: WebAppSec Credentials Management API FPWD consensus plan

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Thu, 23 Apr 2015 18:44:14 +0200
Message-ID: <5539215E.2060403@gmail.com>
To: Mike West <mkwst@google.com>, Manu Sporny <msporny@digitalbazaar.com>, Dave Longley <dlongley@digitalbazaar.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>

On 2015-04-23 17:45, Mike West wrote:
> On Thu, Apr 23, 2015 at 5:25 PM, Manu Sporny <msporny@digitalbazaar.com> wrote:
>     To be clear, we're skeptical that the current form of the API lends
>     itself well to the type of extension we'd like to perform. We can do it,
>     but every approach we've tried thus far feels like a hack and we'd
>     probably end up defining a new API rather than extending the one
>     currently defined (clearly, that's not a good thing and we want to avoid
>     that).
> That's disappointing to hear. We've made a number of compromises
> in the API in order to increase the flexibility for the kinds of
> extensions David (CC'd) has asked for in https://github.com/w3c/webappsec/issues/256.
> Since there hasn't been substantive discussion on that bug since Friday,
> I thought we were pretty close to being on the same page.
> I look forward to seeing the sorts of ideal data structures and APIs from
> your groups, but I'm wary of what sounds increasingly like a complete rewrite.

It rather reflects the state of affairs for anything called "Credential Management".

This is similar to the situation for Android where hardly anybody uses the built-in
certificate enrollment interface ("keygen") dated 1995, but rather "roll their own".

A problem with the Web is that you can't "roll your own" which is why most people turn
to "Apps" if they want to do something beyond what browsers currently offer, which is
particularly common for security-related applications like payments and authentication.


>     and now that it's
>     clear that the WebAppSec group intends to coordinate with those two
>     other groups, I'm happy to support publication of the FPWD.
> I agree that we should publish an FPWD to kick off the exclusion period regardless of the detail discussion about the exact words and shape of the API.
> -mike
> --
> Mike West <mkwst@google.com>, @mikewest
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registration court and number: Hamburg, HRB 86891, Registered office: Hamburg, Managing directors: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 23 April 2015 16:45:01 UTC