- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Sun, 31 May 2015 23:32:27 -0400
- To: public-webappsec@w3.org
On 05/28/2015 03:09 PM, Brad Hill wrote:
> I am simply saying, after taking a considerable amount of time and
> effort to explore the possibilities desired at the beginning of this
> conversation, namely that "these APIs are trying to do substantially
> similar things" and "the Credential Management Level 1 API could
> also accommodate the Credential CG use cases with some tweaks to the
> extension model", I think that both premises are looking false at a
> very large and rising probability.

You are making that assertion. It's not shared by at least Adrian, Dave, and myself. The extension proposal makes it fairly clear, at least in our minds, that there /are/ a few small tweaks that could be made to accommodate the programmatic execution of what we're describing as cross-origin credentials.

Your counter argument seems to be that you think it's a bad idea for a variety of reasons that don't have much to do with the WebIDL interfaces. The main push-back, as far as I can tell, is "this sounds like a bad idea because it 'breaks' the Web security model and it seems like other people have tried to do it and failed" (which is a premature statement because the proposed extension is being actively developed as we speak).

There are multiple discussions going on here, let me try and summarize them (with responses):

* Examining cross-origin credentials and the Credentials CG use cases are out of scope wrt. the WebAppSec WG's charter.

Yes, that's true. No one is asking this group to take on that work. The Credentials CG took on that work and produced an extension proposal to the Credential Management API to see if it could be extended. We found that it could not for our needs without some minor changes.

* The extension mechanism provided by the Credentials Management API fails at addressing a known proposed extension.

This is undeniably true if the group decides to ignore the proposal we put forward as "too different to fit into our model for credentials". It's effectively a "No true Scotsman" response. We've demonstrated that the WebIDL would only need to go through a few changes to support our extension only to find out that our extension isn't the sort of extension that the CM API was designed for.

-- manu

--
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Web Payments: The Architect, the Sage, and the Moral Voice
https://manu.sporny.org/2015/payments-collaboration/
Received on Monday, 1 June 2015 03:32:52 UTC