Re: Splitting "Credential Management"?

From: Hodges, Jeff <jeff.hodges@paypal.com>
Date: Wed, 5 Apr 2017 15:58:41 +0000
To: Jeffrey Yasskin <jyasskin@google.com>, Mike West <mkwst@google.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>, Dominic Battre <battre@google.com>, Václav Brožek <vabr@google.com>, Angelo Liao <huliao@microsoft.com>, "pdolanjski@mozilla.com" <pdolanjski@mozilla.com>, Daniel Bates <dbates@webkit.org>
Message-ID: <9E79D9F5-66DB-406C-A0F2-4BCE4D64B511@paypal.com>
Some thoughts wrt the original experiment of splitting credman up (i.e., this thread up through 17-Mar-2017):

>> On Thu, Mar 16, 2017 at 6:26 AM, Mike West <mkwst@google.com> wrote: 
>> Hey folks!
>> 
>> While re-reading through the Credential Management API, I realized
>> that the extension mechanisms aren't at all clear. As a thought
>> exercise, I'm mostly finished with splitting the document into a
>> generic API that defines the high-level architecture
>> <https://w3c.github.io/webappsec-credential-management/base.html>,
>> and a document that specifies `PasswordCredential` and
>> `FederatedCredential` as an extension
>> <https://w3c.github.io/webappsec-credential-management/sitebound.html>.
>>
>> WDYT? Is this a sane division? Does it actually make the integration
>> points clearer by forcing us to use them, or is it more confusing
>> than not to have the pieces in distinct documents?


On 3/17/17, 7:40 PM, "Jeffrey Yasskin" <jyasskin@google.com> wrote:
>
> 3 thoughts here:
> 
> 1) I strongly approve of you using the extension points to define the
> initial credential types. Without doing this, it'd be hard for an
> extender to use the extension points as you intended, even if you
> managed to get them right. 

agreed.


> I think it's less important to put the
> initial extensions in a separate document, although doing so does
> force you to figure out how future extensions will be registered.

Although, if WebAuthn adds credman as a dependency <https://github.com/w3c/webauthn/pull/384>,
then from a timeline perspective it may be more expeditious to have credman divided into "base" and "password+Fed" (née 'sitebound'), as he proposed in his original msg above. Thus we (WebAppSec+WebAuthn) can concentrate on progressing credman base and webauthn, and hopefully any issues particular to the "password+Fed" spec will not slow down the former specs.

HTH,

=JeffH

Received on Wednesday, 5 April 2017 15:59:17 UTC