Re: [credential management] Identity Credentials API Extension

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Sun, 31 May 2015 23:32:27 -0400
Message-ID: <556BD24B.6000303@digitalbazaar.com>
To: public-webappsec@w3.org

On 05/28/2015 03:09 PM, Brad Hill wrote:
> I am simply saying, after taking a considerable amount of time and 
> effort to explore the possibilities desired at the beginning of this 
> conversation, namely that "these APIs are trying to do substantially 
> similar things" and "the Credential Management Level 1 API could
> also accommodate the Credential CG use cases with some tweaks to the 
> extension model", I think that both premises are looking false at a
> very large and rising probability.

You are making that assertion. It's not shared by at least Adrian, Dave,
and myself. The extension proposal makes it fairly clear, at least in
our minds, that there /are/ a few small tweaks that could be made to
accommodate the programmatic execution of what we're describing as
cross-origin credentials. Your counterargument seems to be that you
think it's a bad idea for a variety of reasons that don't have much to
do with the WebIDL interfaces.

The main push-back, as far as I can tell, is "this sounds like a bad
idea because it 'breaks' the Web security model and it seems like other
people have tried to do it and failed" (which is a premature statement
because the proposed extension is being actively developed as we speak).

There are multiple discussions going on here, let me try and summarize
them (with responses):

* Examining cross-origin credentials and the Credentials CG use cases
  are out of scope wrt. the WebAppSec WG's charter.

Yes, that's true. No one is asking this group to take on that work. The
Credentials CG took on that work and produced an extension proposal to
the Credential Management API to see if it could be extended. We found
that it could not for our needs without some minor changes.

* The extension mechanism provided by the Credentials Management API
  fails at addressing a known proposed extension.

This is undeniably true if the group decides to ignore the proposal we
put forward as "too different to fit into our model for credentials".
It's effectively a "No true Scotsman" response. We've demonstrated that
the WebIDL would only need to go through a few changes to support our
extension only to find out that our extension isn't the sort of
extension that the CM API was designed for.

-- manu

Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Web Payments: The Architect, the Sage, and the Moral Voice
Received on Monday, 1 June 2015 03:32:52 UTC