Re: [webappsec] Tomorrow's call CANCELLED

On Wed, Mar 15, 2017 at 5:48 AM, Brad Hill <hillbrad@gmail.com> wrote:

> We've had very light list traffic the last 3 weeks.  Let's cancel
> tomorrow's call and resume on April 19.
>

SGTM. I can give some quick updates inline, in the hopes of having
something more useful to say in a month.


> Upgrade Insecure Requests
>

I think the next step here is to flesh out the test suite and send out a
CfC to move to PR. Perhaps Mozilla and Apple folks would be interested in
upstreaming tests to
https://github.com/w3c/web-platform-tests/tree/master/upgrade-insecure-requests
with
me?


> Credential Management
>

There's a little bit of movement here, actually, which is nice to see.
WebKit folks sent out an intent to implement
<https://lists.webkit.org/pipermail/webkit-dev/2017-January/028684.html> a
little while ago, and private conversations with other vendors are mildly
encouraging.

Dominic (CC'd) and I have made a vague proposal to the WebAuthn folks with
the goal of aligning their API with the CM API. I sketched that out in
https://docs.google.com/presentation/d/1fqlBb_pyXvPRYYwDy1-PT0gX9mB7biB67mKZN834ya4/edit?usp=sharing,
and the minutes are up at
https://www.w3.org/2017/03/08-webauthn-minutes.html. We're fleshing out a
more concrete PR against their spec in the hopes of sparking more detailed
discussion.

As part of that work, we're also thinking about splitting the existing CM
API document into a high-level generic API on the one hand, and a
Password/Federated extension on the other, with the goal of making the
extension points super-clear, and keeping passwords and tokes and etc. on
the same level. There's a _lot_ in the existing document that really only
relates to the two credential types we've defined, and we might be able to
greatly simplify things at the top level by splitting them out. Worth
exploring, in any event.

Hopefully things will have shaken out a little bit more in a month, and
we'll have a little more clarity around next steps.

-mike