
Re: Coming back to CREDENTIAL.

From: Mike West <mkwst@google.com>
Date: Mon, 10 Aug 2015 13:48:33 +0200
Message-ID: <CAKXHy=dbY+re7R4SVH7tTssM5OYK-dOjvtA6pX6R33iOywr7Qw@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Adrian Hope-Bailie <adrian@hopebailie.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Dave Longley <dlongley@digitalbazaar.com>, Manu Sporny <msporny@digitalbazaar.com>, Brad Hill <hillbrad@gmail.com>, timeless <timeless@gmail.com>

On Mon, Aug 10, 2015 at 12:35 PM, Anne van Kesteren <annevk@annevk.nl>
wrote:

> I have also become suspect of the federation bits. Have we discussed
> with sites that provide federated identity what kind of requirements
> they have? E.g., GitHub seems very eager to experiment here and make
> credentials work as well as they possibly can, but when I talked to
> one of the GitHub engineers they did not really see how this would fit
> in their flow.
>

I love GitHubbians, but it's not clear to me why the federation is the
entity we should be talking to to gather requirements. Instead, we'd want
to talk to sites that rely on federations, as those are the folks targeted
by the API.

You're totally correct to say that we should be talking to those relying
parties, however. I know that folks on Google's identity team have been
chatting with Android developers regarding the links between Chrome's
password manager and Android's version of this API. Those developers will
also be our first targets for the web side of things, and many of them do
use Google/Facebook/etc (and usually more than one).

I don't have any concrete feedback to share, but I can share the general
comment that folks who support more than one federation see a real problem
with users forgetting which service they've used, creating multiple
accounts, and then generating support requests to merge them after the
fact. Addressing that problem seems valuable.
> Furthermore, https://github.com/w3c/webappsec/issues/445 suggests that
> even the password API might not be worth it given
> requestAutocomplete().
>

Responded on the bug. It's an interesting suggestion, but I think we'd
either have to drop some of the nice features of the API proposed here, or
tweak rAc in strange ways. Certainly worth talking about either way!

-mike
Received on Monday, 10 August 2015 11:49:21 UTC