Re: [credential management] Cross-origin credentials

Yes, but who are the callers who will be best-served by managing these
different models through a single abstract API shape?

Abstraction comes at a cost.  It may make sense to have an abstract API
like GSS or SASL if you expect the same essential sets of claims and
information but don't care about the mechanism by which they are conveyed
in a heterogeneous system.  And if there is great economy in the API
surface of the mechanisms themselves. You could write an abstract API that
treated XML digital signatures, JWS and CMS as substantially identical, but
it would almost certainly be either vulnerable to peculiarities possible
with each or require they only act within the strict intersectionality of
their design models.

At the layer of a JS API, you have an interactive application that can do
feature detection to find and select the exact mechanism it wants.  If
applications must expect substantially different results and mechanisms,
that some mechanisms may have very different characteristics in terms of
the number of round-trips, remote+async operations, and that user
interaction patterns will have to be tailored to the protocol and even
specific instances of the protocol, why is it even desirable to try to have
a single API?


On Sun, May 31, 2015 at 8:09 PM Manu Sporny <>

> On 05/29/2015 04:37 PM, Brad Hill wrote:
> > What kind of cross-origin do you mean?
> This kind:
> > The cross-origin system you describe in the abstract sounds
> > architecturally similar to Mozilla's Persona.
> It's all the best parts of Persona and WebID with a number of changes to
> ensure that the mistakes made with Persona and WebID+TLS (and OpenID
> Connect) are not repeated again.
> -- manu
> --
> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
> Founder/CEO - Digital Bazaar, Inc.
> blog: Web Payments: The Architect, the Sage, and the Moral Voice

Received on Monday, 1 June 2015 15:36:16 UTC