Re: [credential management] Cross-origin credentials (was: Identity Credentials API Extension)

On 2015-05-30 04:40, Anne van Kesteren wrote:
> On Sat, May 30, 2015 at 8:57 AM, Brad Hill wrote:
>> The scope of what we are chartered to do in WebAppSec is to work on security
>> and usability affordances for common systems already deployed, not to invent
>> new protocols.
> The FederatedCredential object is a new protocol of sorts though. I
> think I somewhat agree with Adrian that this does not go far enough in
> making federated login a part of the platform. It's not fleshed out
> enough and fairly experimental whereas we have plenty of experience
> with password-based credentials (at least declarative, and making it
> easier for people to do that <form>-less seems worthwhile).

Agreed.  Unfortunately some experimentation is probably needed and there are
many quite different federation schemes in use which (IMO) makes the Credential
Management API concept less useful as a standard.  At least at this stage.

Since meaningful experimentation is out of scope for all but a very small set of
browser vendors, I have proposed another approach for enabling a wider audience to
roll out new schemes for Credential Management, Authentication, Payments, etc. etc.:


Received on Saturday, 30 May 2015 04:14:22 UTC