Re: Proposal:

On 4/3/18 5:27 PM, John Wilander wrote:
> Hi WebAppSec!
> We’re thinking of proposing a well-known URL location where users can change their password or other credentials. Since this working group owns the Credential Management spec, we’d like to get your feedback before we email
> # The problem
> When a password/credential manager wants to facilitate a user updating their credentials, there isn't a good way to determine which part of the relevant website to send the user to or to signal to the website that the user's intent is to modify their credentials.
> # The proposal
> as a well-known URL endpoint that signals user intent to modify their credentials. The web server can serve a page at this location or do an HTTP or client-side redirect. The location should be restricted to HTTPS, including any redirects. RFC5785 doesn’t mention scheme restrictions but hopefully we can work that out with the reviewers.

Given the extensive list discussion, it's not fully clear to me what the
proposal is at this point. John, would you mind creating a strawman
document (at GitHub or wherever) so it's easier to track?



Received on Thursday, 12 April 2018 21:49:13 UTC
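
The HTTPS-only redirect requirement in the quoted proposal, as an added example that is not part of the original thread: a client-side check that follows redirects from the well-known location and refuses any hop that leaves HTTPS. The path is elided in the quoted text, so `WELL_KNOWN_PATH` is a placeholder; the `fetch` interface, the hop cap and the sample responses are assumptions constructed for this example. It covers HTTP redirects only, since client-side redirects are not visible at this layer.

```python
from urllib.parse import urljoin, urlsplit

# The well-known path is elided in the quoted proposal; this is a placeholder.
WELL_KNOWN_PATH = "/.well-known/PLACEHOLDER"
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5  # assumption for this example, not a value from the proposal


def resolve_https_only(start_url, fetch, max_hops=MAX_HOPS):
    """Follow HTTP redirects, refusing any hop that is not HTTPS.

    fetch(url) -> (status, location) is a hypothetical caller-supplied
    function that performs one request without following redirects.
    """
    url, seen = start_url, set()
    for _ in range(max_hops + 1):
        parts = urlsplit(url)
        # Check before fetching so a downgraded hop is never requested.
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError(f"refusing non-HTTPS hop: {url}")
        if url in seen:
            raise ValueError(f"redirect loop at: {url}")
        seen.add(url)
        status, location = fetch(url)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)  # Location may be relative
            continue
        return url
    raise ValueError("too many redirects")


def credential_change_url(origin, fetch):
    """Resolve the page a credential manager would open for this origin."""
    return resolve_https_only(urljoin(origin, WELL_KNOWN_PATH), fetch)


# Constructed responses standing in for three sites (not real captures).
SAMPLE = {
    "https://good.example/.well-known/PLACEHOLDER": (302, "/account/password"),
    "https://good.example/account/password": (200, None),
    "https://down.example/.well-known/PLACEHOLDER": (301, "http://down.example/pw"),
    "https://loop.example/.well-known/PLACEHOLDER": (302, "/.well-known/PLACEHOLDER"),
}


def sample_fetch(url):
    return SAMPLE[url]
```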