Re: Migrating "A Well-Known URL for Changing Passwords" to WebAppSec from WICG

Hey Tess!

On Fri, Jun 12, 2020 at 7:41 PM Theresa O'Connor <hober@apple.com> wrote:

> Hi all,
>
> Mike wrote:
>
> > This seems reasonable to me, and is consistent with our conversation
> > on the topic at TPAC last year
> > (
> https://github.com/w3c/webappsec/blob/master/meetings/2019/2019-09-TPAC-minutes.md#well-knownchange-password
> ).
> >
> > I'd be comfortable adopting this specification, and publishing it as a
> > FPWD. Let's give the working group's members a week to object. If no
> > objections come in by May 12th, I think we could comfortably declare
> > consensus.
>
> It's been a month, and there haven't been objections.


Indeed, we resolved in the 2020-05-19 call to move this document to FPWD:
https://github.com/w3c/webappsec/blob/master/meetings/2020/2020-05-19-minutes.md#adopting-well-knownchange-password-url.
I
didn't follow up on this thread however; thank you for pinging it!


> Before we move it
> over, though, I wanted to additionally propose that we also move over a
> companion document in the same repo, "Detecting the reliability of HTTP
> status codes":
>
> https://wicg.github.io/change-password-url/response-code-reliability.html
>
> In order to most effectively make use of Change Password URLs,
> implementers need to know if the web server is configured to correctly
> serve 404 responses for resources that aren't there. They can use the
> technique described in this document to do that. Safari and Chrome are
> both pursuing this approach; see Dominic Battre's comment here:
>
>
> https://github.com/WICG/change-password-url/issues/16#issuecomment-643314820
>
> While distinct from each other, I think these two specs will sink or
> swim together, so I'd like to keep them together in the same CG or WG.
>

It seems reasonable to me to adopt this as well, and I think it fits in our
existing scope. If there are no objections by the 29th, I think it's quite
reasonable to publish it as an FPWD as well.

-mike