Re: WebAppSec Credentials Management API FPWD consensus plan

On 2015-04-24 09:42, Adrian Hope-Bailie wrote:
> Hi Mike,
>
> I want to echo Manu's sentiments. Thanks for your willingness to engage.
>
> I think that fundamentally (as was pointed out in the very first emails between Credentials CG and WebAppSec WG) we are trying to achieve two different things. The credentials API is about managing a pool of origin-mapped credentials to make login easier. The Credentials CG is looking for a system that operates at a level above that and manages identities (the credentials that these identities hold being a part of that) and can use linked data to dynamically assemble these identities. The Credentials CG scope includes things like signing the credentials, verifying them, exchanging them and more, so clearly a far larger scope and one that Brad pointed out the WebAppSec were not ready or willing to try and take on.
>
> Personally, I think that the Credentials CG work will result in a different API

I hope you are wrong since the chance of getting that implemented in browsers is likely to be = 0.

Anders

> but one that works in parallel with an expanded credentials API. i.e. You will have identities with one or more credentials. You can either manage these via the credentials themselves or via the identities.
>
> I would like to see my pull-request included before the spec goes ahead to FPWD. If not then I'd be keen to understand why.
>
> Thanks again,
> Adrian
>
>
> On 23 April 2015 at 17:45, Mike West <mkwst@google.com> wrote:
>
>     On Thu, Apr 23, 2015 at 5:25 PM, Manu Sporny <msporny@digitalbazaar.com> wrote:
>
>         To be clear, we're skeptical that the current form of the API lends
>         itself well to the type of extension we'd like to perform. We can do it,
>         but every approach we've tried thus far feels like a hack and we'd
>         probably end up defining a new API rather than extending the one
>         currently defined (clearly, that's not a good thing and we want to avoid
>         that).
>
>
>     That's disappointing to hear. We've made a number of compromises in the API in order to increase the flexibility for the kinds of extensions David (CC'd) has asked for in https://github.com/w3c/webappsec/issues/256. Since there hasn't been substantive discussion on that bug since Friday, I thought we were pretty close to being on the same page.
>
>     I look forward to seeing the sorts of ideal data structures and APIs from your groups, but I'm wary of what sounds increasingly like a complete rewrite.
>
>         and now that it's
>         clear that the WebAppSec group intends to coordinate with those two
>         other groups, I'm happy to support publication of the FPWD.
>
>
>     I agree that we should publish an FPWD to kick off the exclusion period regardless of the detail discussion about the exact words and shape of the API.
>
>     -mike
>
>     --
>     Mike West <mkwst@google.com>, @mikewest
>
>     Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registration court and number: Hamburg, HRB 86891, Registered office: Hamburg, Managing directors: Graham Law, Christine Elizabeth Flores
>     (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
>

Received on Friday, 24 April 2015 07:50:23 UTC