Re: WebAppSec Credentials Management API FPWD consensus plan

On Thu, Apr 23, 2015 at 6:17 PM, Manu Sporny <>
> The thought right now is to propose a complete API that we believe would
> work for all three affected groups at W3C and see if it could be
> workable.

I'm looking forward to your proposals. Are there any strawman docs floating

For example, you stated that you weren't interested in working
> on cross-origin credentials. That, however, is exactly what we need for
> the work we're doing.

I think we agreed at the top of this thread that the goal for this document
is "don't box ourselves out of a nice API for this in the future". My
trepidations at the security and privacy properties of cross-origin
credentials aside, that seems like what we ought to be aiming for.

So, W3C needs to figure out if they're going to think about/support
> cross-origin credentials

I don't think resolution on that conversation is a requirement for progress
on this spec.

that conversation isn't going to play out in a weeks time.

What's the timeframe you're aiming for?


Mike West <>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Friday, 24 April 2015 08:49:33 UTC