
Re: Migrating "A Well-Known URL for Changing Passwords" to WebAppSec from WICG

From: Mike West <mkwst@google.com>
Date: Mon, 15 Jun 2020 11:17:53 +0200
Message-ID: <CAKXHy=fghkBukrL19ipyLyFEWHv9b-nf7LCg_QWCVafZnvqBmw@mail.gmail.com>
To: "Theresa O'Connor" <hober@apple.com>
Cc: Web Application Security Working Group <public-webappsec@w3.org>, Ricky Mondello <rmondello@apple.com>

Hey Tess!

On Fri, Jun 12, 2020 at 7:41 PM Theresa O'Connor <hober@apple.com> wrote:

> Hi all,
>
> Mike wrote:
>
> > This seems reasonable to me, and is consistent with our conversation
> > on the topic at TPAC last year
> > (https://github.com/w3c/webappsec/blob/master/meetings/2019/2019-09-TPAC-minutes.md#well-knownchange-password).
> >
> > I'd be comfortable adopting this specification, and publishing it as a
> > FPWD. Let's give the working group's members a week to object. If no
> > objections come in by May 12th, I think we could comfortably declare
> > consensus.
>
> It's been a month, and there haven't been objections.


Indeed, we resolved in the 2020-05-19 call to move this document to FPWD:
https://github.com/w3c/webappsec/blob/master/meetings/2020/2020-05-19-minutes.md#adopting-well-knownchange-password-url.
I didn't follow up on this thread however; thank you for pinging it!


> Before we move it
> over, though, I wanted to additionally propose that we also move over a
> companion document in the same repo, "Detecting the reliability of HTTP
> status codes":
>
> https://wicg.github.io/change-password-url/response-code-reliability.html
>
> In order to most effectively make use of Change Password URLs,
> implementers need to know if the web server is configured to correctly
> serve 404 responses for resources that aren't there. They can use the
> technique described in this document to do that. Safari and Chrome are
> both pursuing this approach; see Dominic Battre's comment here:
>
> https://github.com/WICG/change-password-url/issues/16#issuecomment-643314820
>
> While distinct from each other, I think these two specs will sink or
> swim together, so I'd like to keep them together in the same CG or WG.
>

It seems reasonable to me to adopt this as well, and I think it fits in our
existing scope. If there are no objections by the 29th, I think it's quite
reasonable to publish it as an FPWD as well.

-mike
Received on Monday, 15 June 2020 09:18:19 UTC
