W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2015

Re: Coming back to CREDENTIAL.

From: Mike West <mkwst@google.com>
Date: Mon, 31 Aug 2015 11:31:36 +0200
Message-ID: <CAKXHy=doAK=BsxKDeGwHW+sy5D6HOJdUeqoy55UeV+_z1dagxA@mail.gmail.com>
To: Dave Longley <dlongley@digitalbazaar.com>
Cc: Adrian Hope-Bailie <adrian@hopebailie.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Manu Sporny <msporny@digitalbazaar.com>, Brad Hill <hillbrad@gmail.com>, timeless <timeless@gmail.com>, Axel Nennker <Axel.Nennker@telekom.de>, Richard Barnes <rbarnes@mozilla.com>, Crispin Cowan <crispin@microsoft.com>, berlin@apple.com, "Edward O'Connor" <eoconnor@apple.com>, Tanvi Vyas <tanvi@mozilla.com>, Philip Jägenstedt <philipj@opera.com>
As it turns out, it's a bad idea to start a thread before going on
vacation. :)

I'd like to pull back a bit and try to tease out the concrete things that
need to be done to ship a minimum viable API that solves the broad problems
I noted in
https://lists.w3.org/Archives/Public/public-webappsec/2015Jul/0201.html. In
this thread, I see some convergence on the following topics:

1. I see very little debate about password management use cases. Could we
agree that the API as defined (perhaps modulo naming) is a reasonable first
stab at solving that particular problem? Coincidentally, This is the piece
I'm most interested in shipping quickly.

2. I see agreement that the current `get()` API is robust enough to support
extension in another WG with (something like) an IdentityCredential object
which could "assert certain properties and values about an identity".

3. I didn't see any discussion about future protocols like FIDO, so I'll
simply assume that everyone agrees that the current model is extensible
enough. :)

Is that a fair summary?

There's less convergence on Federations. I see concern from Adrian and Dave
about the baby step proposed for federated credentials. In particular, the
suggestion is that the currently defined step would lock in "super
providers"'s dominance, and that we could fix that by simply tweaking the
API to focus on protocols rather than origins.

To this point:

1. Does anyone else care? :) Specifically, I'd like to get some feedback
from folks who might at some point implement the API. CCing people from
Opera, Microsoft, Mozilla, and Apple.

2. I sincerely doubt that I can find resource inside Google to implement a
reasonable UI on top of a variety of protocols in anything like the near
future. That worries me, because the "NASCAR" picker is something that I'd
like to be able to deal with in the short term, and it seems like the
current proposal does that simply, without requiring changes for either the
RP or IDP.

3. Do you have a proposal for discovery? That is, how do I know what
protocols a particular origin supports? Do all the protocols you care about
support something like `
https://accounts.google.com/.well-known/openid-configuration`? Would we
need to request X files from a server every time we save a password? (Note:
I'm a bit concerned about proposals that require the IDP to do some work,
as it doesn't appear that there's significant incentive for the IDP to do


Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Fri, Aug 21, 2015 at 7:11 PM, Dave Longley <dlongley@digitalbazaar.com>

> On 08/21/2015 03:25 AM, Adrian Hope-Bailie wrote:
>> Dave, you are conflating support for super-provider login with support
>> for existing open protocols.
>> I am advocating for support of existing open protocols, not a system
>> that allows super-providers to continue running their own proprietary
>> federation protocols.
> I understand what you are advocating. Both at a high-level and the API
> change you've requested. I'm trying to make sure we take note that a "baby
> steps" approach has dangers -- and this isn't a message that is strictly
> for you, it's for the list in general.
> I'm saying that how we go about creating the first step or two of a login
> standard can have negative effects on the success of the subsequent steps.
> If we're going to take a long approach and build out a whole federated
> login standard that supports existing open protocols and has a mechanism
> for easily experimenting with new ones, that's great. If, to get there, we
> take "baby steps" that involve effectively supporting "all the existing
> providers really need today", then we may end up making it more difficult
> to actually ever get the other steps into the standard.
> I don't think it's that hard to imagine creating a "baby step" where we
> just synthesize credentials for existing providers. Then, sites just place
> the providers that people are likely to use in a list when they request
> credentials. Then, boom! It works for the super providers and the user
> experience is great. Do we really need to do anything else?
> You may say "Of course!" (and you have). But a company that is behind both
> a popular browser and a popular super provider may have a different
> position. Now the politics of getting a better standard done have been made
> more complicated.
> It *doesn't matter* if the goal is supporting open protocols, if the
> chosen steps to get there throw tar on the road or stop progress entirely.
> This is the danger of "just making incremental improvements to the status
> quo". We must reject certain "baby steps".
>> We have the same goals; not allowing this API to entrench the status quo
>> of super-providers leveraging their positions as providers of other
>> services to capture the market for identity. I also think we have the
>> same motivations; protecting the privacy and private data of users by
>> affording them other options from IdPs who do not make their money out
>> of harvesting personal information.
>> My approach to this is to push that this API is open and supports open
>> protocols so that any IdP who wishes to implement these protocols get's
>> an equal chance of being used as the IdP at a RP site as any of the
>> super-providers.
> +1
>> I recognize your concern that if is this is done in steps that future
>> integration of new privacy-enhancing protocols may never happen. I think
>> you have two options in resolving this: 1) try to ensure that the
>> protocol support is flexible enough to accommodate future protocols OR
>> 2) advocate that support for federation is not a part of the API at all
>> until more privacy enhancing protocols are standardised.
> +1
>> To be clear, what I am asking for is a simple change to the existing API
>> that favours indexing federation options by protocol as opposed to
>> provider.
> I understand. Your change is simple at the API level, but it's unclear how
> complex it is at the implementation level. Some might argue that it could
> considerably push out a delivery date on the first implementations of this
> API. I'd argue that it's worth it for the reasons listed above.
>> I.e. As an RP site I should be asking the browser "Does this user have
>> federated credentials that can be used under the following protocols?"
>> not "Does this user have federated credentials issued by the following
>> providers?"
> +1
> --
> Dave Longley
> Digital Bazaar, Inc.
> http://digitalbazaar.com
Received on Monday, 31 August 2015 09:32:31 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:14 UTC