
Re: Coming back to CREDENTIAL.

From: Mike West <mkwst@google.com>
Date: Mon, 10 Aug 2015 14:24:02 +0200
Message-ID: <CAKXHy=cMJVsOcfTJjTqcpW3QpixLNgqg_VGbUbrHXbmZxUoMjg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Adrian Hope-Bailie <adrian@hopebailie.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Dave Longley <dlongley@digitalbazaar.com>, Manu Sporny <msporny@digitalbazaar.com>, Brad Hill <hillbrad@gmail.com>, timeless <timeless@gmail.com>

On Mon, Aug 10, 2015 at 2:13 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> GitHub is on both sides here I think. They also have some places, as
> does Google I'm sure, where the only account you can use is GitHub.
> However, without going through the server they can't really
> communicate about their respective states.

Sure. If you only have one provider, then this API does nothing for you at
the moment. I think I can grant that and still claim that it solves a
different problem. :)

Basically, getting token generation into the browser is going to be a ton
of work. I think it's work that we should do. I don't think it's work
that's necessary to start providing value.

> > I don't have any concrete feedback to share, but I can share the general
> > comment that folks who support more than one federation see a real
> > problem with users forgetting which service they've used, creating
> > multiple accounts, and then generating support requests to merge them
> > after the fact. Addressing that problem seems valuable.
>
> But the only tangible bit you're offering them is storing this bit of
> information together with credentials, rather than elsewhere, so it
> won't be cleared. Is users clearing their data but not credentials a
> really common problem? It seems somewhat unlikely.

According to the (internal, sorry!) `ClearBrowsingData_Cookies` counter,
~11.1% of Chrome users who opted into sharing statistics cleared their
cookies in the past 7 days. I imagine (with no data to back me up) that the
percentage is higher for users who chose not to opt in.

That's a pretty large chunk of the userbase of any particular website who
could have a better experience if the API (or something like it) was

Received on Monday, 10 August 2015 12:24:50 UTC
