
CredentialManagement

From: <henry.story@bblfish.net>
Date: Fri, 2 Oct 2015 15:41:27 +0100
Message-Id: <54E95DC3-EA2D-4A4A-B4B5-E073A0D52104@bblfish.net>
To: WebAppSec WG <public-webappsec@w3.org>
Hi,

 I read through the September thread on credential management this morning (that is, a bit too quickly, as it was a long thread). I am now reading a bit more in detail the spec at
https://w3c.github.io/webappsec/specs/credentialmanagement/

So here are a few initial questions, just from reading the specification, which is always a bit of a difficult task. I hope the questions are not too wrong-headed. I'll just ask them before the weekend gets going.

I am writing from the point of view of someone writing a single page JS Application (SPA) [1].

1) What browser can I use to try this out? Is there some help for programmers on this?
   That will help me play around, and hopefully answer other questions myself.

2) In my single page application I don't necessarily want the person coming to my site
to log in immediately. I would like them to be able to play around. Even better: it would be nice if my single page application did not have to rely on any tie into the server. That is, it should be able to help authenticate the user with only HTTP mechanisms. So I imagine the SPA
fetches resources and some of these return HTTP headers requesting a number of authentication methods
 
 • Basic or Digest Authentication
   http://tools.ietf.org/html/rfc2617
 • Web Signatures
   https://tools.ietf.org/html/draft-cavage-http-signatures-04
 • Does OpenID or OAuth have similar 401 based WWW-Authenticate methods?

The SPA must be able to capture the 401s, then call the Credential Management API requesting
one of these options, and then retry the call.

  Is this possible?

3) As above, but now the SPA would like to go across origin, and also authenticate the user.
  Is there a way to ensure that a request can be made across origin without the SPA getting
  that information?

4) I have noticed that in the Federation protocol identity services are identified by origin. But what if an Identity Provider supports OpenID, OAuth, BrowserID and other authentication mechanisms? It seems to me that this means that identity services need more than an origin URI.

5) The examples for Federated Credential
  https://w3c.github.io/webappsec/specs/credentialmanagement/#examples-federated-signin
  show how the Relying Party (SPA) lists the providers. I suppose from reading the mails it's possible for the relying party to be able to accept any OpenID provider, to enable people to host their own IDP. But it should perhaps be made clearer at that point. There should be
a case statement which just accepts any URL.

6) The previous document had a section on WebID. If there are any questions you have on this I'll be happy to help out, now that I have started getting an overview of what is going on here.

7) I mention credential management in the SOP wiki.
Let me know if I got something wrong there concerning that
https://www.w3.org/Security/wiki/IG/a_view_on_SOP


Henry


[1] I have been studying maths over the past 3 months, so things have not moved on, but I have actual code here https://github.com/read-write-web/rww-scala-js
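The capture-the-401-then-retry flow asked about in point 2, written out as an added JavaScript example; this is not code from the original post, from the rww-scala-js project, or from the Credential Management spec. It assumes an injectable fetch function and an injectable credential source: in a browser the credential source could wrap the spec's navigator.credentials.get({ password: true }) and hand back the id and password, while here a constructed fake server plays the HTTP side so the whole thing runs under Node. Only the Basic scheme from RFC 2617 is answered; Digest and Signature challenges are parsed from the WWW-Authenticate header but left to the SPA, the retry happens at most once, and Basic credentials are refused for anything other than an https URL.

```javascript
// Added example: SPA-side handling of an HTTP 401 challenge with one retry.
// Constructed for this page; not the spec's or the project's code.

// Parse a WWW-Authenticate header (RFC 2617 style) into [{scheme, params}].
// Several challenges may share one header, e.g. Basic and Digest together.
function parseWwwAuthenticate(header) {
  // A comma followed by "<scheme> <name>=" starts a new challenge; a comma
  // followed by just "<name>=" continues the current challenge's parameters.
  const chunks = header.split(/,\s*(?=[A-Za-z][\w-]*\s+[\w-]+=)/);
  return chunks
    .map((chunk) => {
      const m = chunk.trim().match(/^([A-Za-z][\w-]*)\s*(.*)$/s);
      if (!m) return null;
      const params = {};
      const paramRe = /([\w-]+)=(?:"([^"]*)"|([^,\s]*))/g;
      let p;
      while ((p = paramRe.exec(m[2])) !== null) {
        params[p[1].toLowerCase()] = p[2] !== undefined ? p[2] : p[3];
      }
      return { scheme: m[1].toLowerCase(), params };
    })
    .filter(Boolean);
}

// Build the Basic credential string (Node Buffer here; a browser would btoa a
// UTF-8 encoded string instead).
function basicAuthorization(id, password) {
  return 'Basic ' + Buffer.from(`${id}:${password}`, 'utf8').toString('base64');
}

// Fetch a resource; on a 401 carrying a Basic challenge, ask credentialSource
// for a credential for that realm and retry exactly once. fetchImpl is injected
// so the same code runs against window.fetch in a browser or a fake here.
// credentialSource is an assumption of this example: in a browser it could wrap
// navigator.credentials.get({ password: true }) and resolve to { id, password }.
async function fetchWithChallengeAuth(url, options, credentialSource, fetchImpl) {
  const first = await fetchImpl(url, options);
  if (first.status !== 401) return first;
  const header = first.headers.get('www-authenticate');
  if (!header) return first;

  const challenges = parseWwwAuthenticate(header);
  const basic = challenges.find((c) => c.scheme === 'basic');
  if (!basic) return first; // Digest / Signature challenges: not answered here

  // Basic carries the password in the clear; never retry over plaintext HTTP.
  if (!url.startsWith('https://')) {
    throw new Error('refusing to send Basic credentials to a non-https origin');
  }
  const cred = await credentialSource(basic.params.realm);
  if (!cred) return first; // user declined: surface the 401 to the SPA

  const headers = { ...(options.headers || {}), Authorization: basicAuthorization(cred.id, cred.password) };
  return fetchImpl(url, { ...options, headers });
}

// Constructed fake server standing in for the HTTP side: answers 401 plus a
// challenge until the expected Authorization header arrives, then 200.
function makeFakeServer(expectedAuthorization) {
  const calls = [];
  const challenge = 'Basic realm="rww", Digest realm="rww", nonce="abc123"';
  const fetchImpl = async (url, options = {}) => {
    const headers = options.headers || {};
    calls.push({ url, headers });
    if (headers.Authorization === expectedAuthorization) {
      return { status: 200, headers: { get: () => null } };
    }
    return {
      status: 401,
      headers: { get: (name) => (name.toLowerCase() === 'www-authenticate' ? challenge : null) },
    };
  };
  return { fetchImpl, calls };
}

// Usage: run the whole flow against the fake server and report the outcome.
async function demo() {
  const server = makeFakeServer(basicAuthorization('alice', 's3cret'));
  // Stands in for the browser's credential prompt; constructed sample values.
  const credentialSource = async (realm) => ({ id: 'alice', password: 's3cret' });
  const res = await fetchWithChallengeAuth('https://example.test/resource', {}, credentialSource, server.fetchImpl);
  return { status: res.status, requests: server.calls.length };
}

demo().then((r) => console.log(r));
```

The first request goes out without credentials, which is exactly what lets an unauthenticated visitor "play around"; credentials are only requested once a resource actually challenges, and the single retry plus the https check keep a misbehaving or spoofed challenge from turning into a loop or a plaintext password leak.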
Received on Friday, 2 October 2015 14:41:58 UTC
