
Re: Splitting "Credential Management"?

From: Mike West <mike@mikewest.org>
Date: Wed, 5 Apr 2017 18:10:19 +0200
Message-ID: <CAJToGzPVJSzBqUoMKPFBLG9B9eu8V3MC3ZT2upnu2g+CiV9faQ@mail.gmail.com>
To: "Hodges, Jeff" <jeff.hodges@paypal.com>
Cc: Jeffrey Yasskin <jyasskin@google.com>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Dominic Battre <battre@google.com>, Václav Brožek <vabr@google.com>, Angelo Liao <huliao@microsoft.com>, "pdolanjski@mozilla.com" <pdolanjski@mozilla.com>, Daniel Bates <dbates@webkit.org>
On Wed, Apr 5, 2017 at 5:58 PM, Hodges, Jeff <jeff.hodges@paypal.com> wrote:

> some thoughts wrt the original experiment of splitting credman up  (ie
> this thread up thru 17-Mar-2017):
>
> >> On Thu, Mar 16, 2017 at 6:26 AM, Mike West <mkwst@google.com> wrote:
> >> Hey folks!
> >>
> >> While re-reading through the Credential Management API, I realized
> >> that the extension mechanisms aren't at all clear. As a thought
> >> exercise, I'm mostly finished with splitting the document into a
> >> generic API that defines the high-level architecture
> >> <https://w3c.github.io/webappsec-credential-management/base.html>,
> >> and a document that specifies `PasswordCredential` and
> >> `FederatedCredential` as an extension
> >> <https://w3c.github.io/webappsec-credential-management/sitebound.html>.
> >>
> >> WDYT? Is this a sane division? Does it actually make the integration
> >> points clearer by forcing us to use them, or is it more confusing
> >> than not to have the pieces in distinct documents?
>
>
> On 3/17/17, 7:40 PM, "Jeffrey Yasskin" <jyasskin@google.com> wrote:
> >
> > 3 thoughts here:
> >
> > 1) I strongly approve of you using the extension points to define the
> > initial credential types. Without doing this, it'd be hard for an
> > extender to use the extension points as you intended, even if you
> > managed to get them right.
>
> agreed.
>
>
> > I think it's less important to put the
> > initial extensions in a separate document, although doing so does
> > force you to figure out how future extensions will be registered.
>
> Although, if WebAuthn adds credman as a dependency <
> https://github.com/w3c/webauthn/pull/384>,
> then from a timeline perspective it may be more expeditious to have
> credman divided into "base" and "password+Fed" (nee 'sitebound'), as he
> proposed in his original msg above. Thus we (WebAppSec+WebAuthn) can
> concentrate on progressing credman base and webauthn, and hopefully any
> issues particular to the "password+Fed" spec will not slow down the former
> specs.
>

The rejoined document splits those out into distinct sections, with no
dependencies on each other. My hope is that this internal division
exercises the extension points enough to ensure that completely external
specs are equally well-supported. Your feedback there would be
super-helpful.

-mike
Received on Wednesday, 5 April 2017 16:11:24 UTC
