Re: Coming back to CREDENTIAL.

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 10 Aug 2015 15:01:17 +0200
Message-ID: <CADnb78himr4kF2Sc9Y8KXO5Q4gA91UP9_Ro8By8OJrx69L9_Qw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Adrian Hope-Bailie <adrian@hopebailie.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Dave Longley <dlongley@digitalbazaar.com>, Manu Sporny <msporny@digitalbazaar.com>, Brad Hill <hillbrad@gmail.com>, timeless <timeless@gmail.com>

On Mon, Aug 10, 2015 at 2:31 PM, Mike West <mkwst@google.com> wrote:
> 2. No, we don't. Which is somewhat the point: the user agent has zero
> understanding of federations today, so this isn't something we can reason
> about at all. I think the (reasonable!) argument you and Adrian are making
> is that the API doesn't provide full understanding of federations. My
> (hopefully reasonable?) response is that I think it provides enough of a
> hook to be valuable in itself, and lays the groundwork for additions in the
> future.

That is one concern, and whether this is solving it the right way.
Another concern I have is whether federation is the only thing a site
may wish to store in the credentials store. The API is focused around
credentials, but the real use case seems to be storing something in
the credentials storage area to survive cookies.

(It seems if desired some smuggling of such data can already be done
through the FederatedCredential object.)

Received on Monday, 10 August 2015 13:01:45 UTC