Re: [credential management] Cross-origin credentials (was: Identity Credentials API Extension)

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Sat, 30 May 2015 06:13:50 +0200
Message-ID: <556938FE.2080808@gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>, Brad Hill <hillbrad@gmail.com>
CC: Adrian Hope-Bailie <adrian@hopebailie.com>, Manu Sporny <msporny@digitalbazaar.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On 2015-05-30 04:40, Anne van Kesteren wrote:
> On Sat, May 30, 2015 at 8:57 AM, Brad Hill <hillbrad@gmail.com> wrote:
>> The scope of what we are chartered to do in WebAppSec is to work on security
>> and usability affordances for common systems already deployed, not to invent
>> new protocols.
>
> The FederatedCredential object is a new protocol of sorts though. I
> think I somewhat agree with Adrian that this does not go far enough in
> making federated login a part of the platform. It's not fleshed out
> enough and fairly experimental whereas we have plenty of experience
> with password-based credentials (at least declarative, and making it
> easier for people to do that <form>-less seems worthwhile).
>

Agreed.  Unfortunately some experimentation is probably needed and there are
many quite different federation schemes in use which (IMO) makes the Credential
Management API concept less useful as a standard.  At least at this stage.

Since meaningful experimentation is out of scope for all but a very small set of
browser vendors, I have proposed another approach for enabling a wider audience to
roll out new schemes for Credential Management, Authentication, Payments, etc. etc.:
https://lists.w3.org/Archives/Public/www-tag/2015Apr/0053.html

Anders
Received on Saturday, 30 May 2015 04:14:22 UTC
