- From: Mike West <mkwst@google.com>
- Date: Tue, 20 Feb 2018 18:05:27 +0100
- To: Jochen Eisinger <eisinger@google.com>, Daniel Bates <dbates@webkit.org>
- Cc: John Wilander <wilander@apple.com>, Craig Francis <craig.francis@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=fcYxyceM2n+iK1f6ASoNiQmM5YyFg_mbQwhBY9jKaHhA@mail.gmail.com>

I recall it being more of an open question. I believe we decided that I'd split the credential management spec into an API framework on the one hand, and PasswordCredential/FederatedCredential on the other (that's currently blocked on finishing https://github.com/w3c/webappsec-credential-management/pull/100). There seemed to be some interest in iterating on the latter, and I recall Daniel Bates being interested in exploring more esoteric mechanisms (zero-knowledge proofs, etc).

I'll add it to the agenda for tomorrow's call. I do think it's worth talking about in more detail if folks are interested in doing so.

-mike

On Tue, Feb 20, 2018 at 5:33 PM, Jochen Eisinger <eisinger@google.com> wrote:

> I left TPAC with the impression that there was no implementor interest.
> Has this changed?
>
> John Wilander <wilander@apple.com> wrote on Wed, 14 Feb 2018, 01:02:
>
>> On Feb 13, 2018, at 2:21 AM, Craig Francis <craig.francis@gmail.com> wrote:
>>
>> I believe Mike West has done some work related to this:
>>
>> http://mikewest.github.io/credentialmanagement/writeonly/
>>
>> Personally I'd love to use the @writeonly attribute on other fields as well - e.g. hidden input for a CSRF token; or applying it to all fields when JavaScript does not need to touch the data.
>>
>>
>> Thanks, Craig!
>>
>> Mike, do you intend to incorporate write-only elements in CM? Would they be required for CM to work or would they be opt-in?
>>
>> Any other thoughts on this issue?
>>
>> Regards, John
>>
>>
>> On 13 Feb 2018, at 05:21, John Wilander <wilander@apple.com> wrote:
>>
>> Hi again WebAppSec!
>>
>> Not exposing credentials under Credential Management to JavaScript was discussed briefly at TPAC. Both Apple and Mozilla raised concerns.
>> https://www.w3.org/2017/11/06-webappsec-minutes.html#item06
>>
>> Since then we’ve learnt more about trackers exfiltrating credentials in the wild:
>> https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/
>>
>> … and web analytics accidentally exfiltrating passwords:
>> https://techcrunch.com/2018/02/05/mixpanel-passwords/
>>
>> In addition, several of us are debating the dangers of non-SRI 3rd-party scripts on the Twitters.
>>
>> In light of these things, I would like to revisit the decision to expose credentials under Credential Management to JavaScript. If we could block them we could offer safer and more convenient logins than today. How do we get there?
>>
>> Regards, John

Received on Tuesday, 20 February 2018 17:06:18 UTC