Re: WebAppSec Credentials Management API FPWD consensus plan

From: Adrian Hope-Bailie <adrian@hopebailie.com>
Date: Fri, 24 Apr 2015 09:42:20 +0200
Message-ID: <CA+eFz_JPJXm=mV2oC6gVGD=K4dApGP2NSZP6jK+rF8EC2JXQOw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Manu Sporny <msporny@digitalbazaar.com>, Dave Longley <dlongley@digitalbazaar.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

Hi Mike,

I want to echo Manu's sentiments. Thanks for your willingness to engage.

I think that fundamentally (as was pointed out in the very first emails
between Credentials CG and WebAppSec WG) we are trying to achieve two
different things. The credentials API is about managing a pool of
origin-mapped credentials to make login easier. The Credentials CG is
looking for a system that operates at a level above that and manages
identities (the credentials that these identities hold being a part of
that) and can use linked data to dynamically assemble these identities. The
Credentials CG scope includes things like signing the credentials,
verifying them, exchanging them and more, so clearly a far larger scope and
one that Brad pointed out the WebAppSec were not ready or willing to try
and take on.

Personally, I think that the Credentials CG work will result in a different
API but one that works in parallel with an expanded credentials API, i.e.
you will have identities with one or more credentials. You can either
manage these via the credentials themselves or via the identities.

I would like to see my pull-request included before the spec goes ahead to
FPWD. If not then I'd be keen to understand why.

Thanks again,

On 23 April 2015 at 17:45, Mike West <mkwst@google.com> wrote:

> On Thu, Apr 23, 2015 at 5:25 PM, Manu Sporny <msporny@digitalbazaar.com>
> wrote:
>> To be clear, we're skeptical that the current form of the API lends
>> itself well to the type of extension we'd like to perform. We can do it,
>> but every approach we've tried thus far feels like a hack and we'd
>> probably end up defining a new API rather than extending the one
>> currently defined (clearly, that's not a good thing and we want to avoid
>> that).
> That's disappointing to hear. We've made a number of compromises in the
> API in order to increase the flexibility for the kinds of extensions David
> (CC'd) has asked for in https://github.com/w3c/webappsec/issues/256.
> Since there hasn't been substantive discussion on that bug since Friday, I
> thought we were pretty close to being on the same page.
> I look forward to seeing the sorts of ideal data structures and APIs from
> your groups, but I'm wary of what sounds increasingly like a complete
> rewrite.
>> and now that it's
>> clear that the WebAppSec group intends to coordinate with those two
>> other groups, I'm happy to support publication of the FPWD.
> I agree that we should publish an FPWD to kick off the exclusion period
> regardless of the detail discussion about the exact words and shape of the
> API.
> -mike
> --
> Mike West <mkwst@google.com>, @mikewest
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
> Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 24 April 2015 07:43:16 UTC