- From: Mike West <mkwst@google.com>
- Date: Sun, 17 May 2015 11:05:49 +0200
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=eShg_bndygOU1-Wh4stzt+4fNpM617B3g=B38QUveA-A@mail.gmail.com>
Hi Manu, thanks for your response!
On Thu, May 14, 2015 at 5:50 AM, Manu Sporny <msporny@digitalbazaar.com>
wrote:
>
> We've been tracking the latest changes in the spec, and are upbeat about
> the direction. If you feel you've got the spec in a state that we can do
> a thorough analysis, we can do that next week to see if the new
> extension points work for our use cases.
>
I thought you were already doing this. If you're not, please do start. :)
> * Does the current charter of WebAppSec allow us to discuss cross-origin
> credentials, or is the discussion limited to same-origin credentials?
>
As I noted in our conversation a few weeks back, I personally am not
particularly interested in supporting mechanisms that do not map well to
the same-origin policy. Other folks in this group might have different
opinions. *shrug* Discussion never hurts.
> * Does the W3C want to support cross-origin credentials in the future,
> and if we don't know the answer to that, do we need to elevate this
> question to the TAG or W3M? We're going to hit the question head-on
> if/when the Credentials WG is chartered.
>
That doesn't sound like a question we can address in this group. I'd
suggest that the TAG is a more appropriate venue for an opinion on what the
W3C is interested in supporting/chartering.
1. Use the telecon to touch base on the progress you've made on the spec
> and solidify the sort of proposal that you'd like to see from us.
>
I don't think there have been substantial changes with regard to
https://github.com/w3c/webappsec/issues/256 since publishing the FPWD.
There's some (stalled) discussion in
https://github.com/w3c/webappsec/pull/292#discussion_r29045379 about some
superficial changes to the matching algorithm that I'd like to resolve this
week, but that's about it.
I'm more or less ok with the API as it stands, and I believe that it's
generic and flexible enough to support a number of use cases beyond what's
specified in the document. Based on comments in
https://lists.w3.org/Archives/Public/public-webappsec/2015Apr/0232.html, my
impression is that you don't think it supports your use cases. If I'm
misinterpreting, brilliant!
If you do continue to have issues with the shape of the API, I'd like to
get a concrete understanding of what you'd like to see change. This is what
I thought you were offering to do in the thread I referenced above ("we'd
like to try to put together a full proposal and see where it
goes", etc.).
> 2. Produce an expected extension for the cross-origin credential use
> cases we have for the Credentials CG/WG work.
>
It's not clear that this needs to happen in WebAppSec.
> 3. Set aside time to discuss the extension in depth with you, and the
> changes we expect would need to be made to make local, federated, and
> remotely stored cross-origin credentials work seamlessly with the
> credential management API.
>
Happy to make time to chat about specifics.
Does that plan work for you, Mike? Brad and Dan?
>
Looking forward to chatting on Monday.
-mike
--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Sunday, 17 May 2015 09:06:39 UTC