
Re: Splitting "Credential Management"?

From: Hodges, Jeff <jeff.hodges@paypal.com>
Date: Thu, 6 Apr 2017 14:25:36 +0000
To: Mike West <mkwst@google.com>, Mike West <mike@mikewest.org>
CC: Jeffrey Yasskin <jyasskin@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Dominic Battre <battre@google.com>, Václav Brožek <vabr@google.com>, Angelo Liao <huliao@microsoft.com>, "pdolanjski@mozilla.com" <pdolanjski@mozilla.com>, Daniel Bates <dbates@webkit.org>, W3C WebAuthn WG <public-webauthn@w3.org>
Message-ID: <54A7AF1B-7DBE-4B30-B4D3-E95BBF4F3296@paypal.com>

biting the bullet and cross-posting to webauthn...

> On Wed, Apr 5, 2017 at 6:10 PM, Mike West <mike@mikewest.org> replied:
> 
> 
>> On Wed, Apr 5, 2017 at 5:58 PM, Hodges, Jeff <jeff.hodges@paypal.com> 
>> had scrawled:
> 
>> some thoughts wrt the original experiment of splitting credman up
>> (ie this thread up thru 17-Mar-2017):
>> 
>>>> On Thu, Mar 16, 2017 at 6:26 AM, Mike West <mkwst@google.com> wrote:
>>>> Hey folks!
>>>>
>>>> While re-reading through the Credential Management API, I realized
>>>> that the extension mechanisms aren't at all clear. As a thought
>>>> exercise, I'm mostly finished with splitting the document into a
>>>> generic API that defines the high-level architecture
>>>> <https://w3c.github.io/webappsec-credential-management/base.html>,
>>>> and a document that specifies `PasswordCredential` and
>>>> `FederatedCredential` as an extension
>>>> <https://w3c.github.io/webappsec-credential-management/sitebound.html>.
>>>>
>>>>  WDYT? Is this a sane division? Does it actually make the integration
>>>> points clearer by forcing us to use them, or is it more confusing
>>>> than not to have the pieces in distinct documents?
>> 
>> 
>> On 3/17/17, 7:40 PM, "Jeffrey Yasskin" <jyasskin@google.com> wrote
>> in part:
>>>
>>> 3 thoughts here:
>>>
>>> 1) I strongly approve of you using the extension points to define the
>>> initial credential types. Without doing this, it'd be hard for an
>>> extender to use the extension points as you intended, even if you
>>> managed to get them right.
>> 
>> agreed.
>> 
>> 
>>> I think it's less important to put the
>>> initial extensions in a separate document, although doing so does
>>> force you to figure out how future extensions will be registered.
>> 
>> Although, if WebAuthn adds credman as a dependency
>> <https://github.com/w3c/webauthn/pull/384>,
>> then from a timeline perspective it may be more expeditious to 
>> have credman divided into "base" and "password+Fed" (nee
>> 'sitebound'), as he proposed in his original msg above. Thus we
>> (WebAppSec+WebAuthn) can concentrate on progressing credman base
>> and webauthn, and hopefully any issues particular to the
>> "password+Fed" spec will not slow down the former specs.
>
> 
> The rejoined document splits those out into distinct sections, with 
> no dependencies on each other. My hope is that this internal
> division exercises the extension points enough to ensure that
> completely external specs are equally well-supported. Your feedback
> there would be super-helpful.


On 4/5/17, 10:30 AM, "Mike West" <mkwst@google.com> wrote:
> 
> Or, were you concerned about getting the process question of getting
> the core CM API to CR in sync with WebAuthn moving to CR?


Both the latter (longer term) and the former (near term), I believe.


=JeffH




Received on Thursday, 6 April 2017 14:26:17 UTC
