- From: Hodges, Jeff <jeff.hodges@paypal.com>
- Date: Thu, 6 Apr 2017 14:25:36 +0000
- To: Mike West <mkwst@google.com>, Mike West <mike@mikewest.org>
- CC: Jeffrey Yasskin <jyasskin@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Dominic Battre <battre@google.com>, Václav Brožek <vabr@google.com>, Angelo Liao <huliao@microsoft.com>, "pdolanjski@mozilla.com" <pdolanjski@mozilla.com>, Daniel Bates <dbates@webkit.org>, W3C WebAuthn WG <public-webauthn@w3.org>
biting the bullet and cross-posting to webauthn... > On Wed, Apr 5, 2017 at 6:10 PM, Mike West <mike@mikewest.org> replied: > > >> On Wed, Apr 5, 2017 at 5:58 PM, Hodges, Jeff <jeff.hodges@paypal.com> >> had scrawled: > >> some thoughts wrt the original experiment of splitting credman up >> (ie this thread up thru 17-Mar-2017): >> >>>> On Thu, Mar 16, 2017 at 6:26 AM, Mike West <mkwst@google.com> wrote: >>>> Hey folks! >>>> >>>> While re-reading through the Credential Management API, I realized >>>> that the extension mechanisms aren't at all clear. As a thought >>>> exercise, I'm mostly finished with splitting the document into a >>>> generic API that defines the high-level architecture >>>> <https://w3c.github.io/webappsec-credential-management/base.html>, >>>> and a document that specifies `PasswordCredential` and >>>> `FederatedCredental` as an extension >>>> <https://w3c.github.io/webappsec-credential-management/sitebound.html>. >>>> >>>> WDYT? Is this a sane division? Does it actually make the integration >>>> points clearer by forcing us to use them, or is it more confusing >>>> than not to have the pieces in distinct documents? >> >> >> On 3/17/17, 7:40 PM, "Jeffrey Yasskin" <jyasskin@google.com> wrote >> in part: >>> >>> 3 thoughts here: >>> >>> 1) I strongly approve of you using the extension points to define the >>> initial credential types. Without doing this, it'd be hard for an >>> extender to use the extension points as you intended, even if you >>> managed to get them right. >> >> agreed. >> >> >>> I think it's less important to put the >>> initial extensions in a separate document, although doing so does >>> force you to figure out how future extensions will be registered. >> >> Although, if WebAuthn is adds credman as a dependency >> <https://github.com/w3c/webauthn/pull/384>, >> then from a timeline perspective it may be more expeditious to >> have credman divided into "base" and "password+Fed" (nee >> 'sitebound'), as he proposed in his original msg above. Thus we >> (WebAppSec+WebAuthn) can concentrate on progressing credman base >> and webauthn, and hopefully any issues particular to the >> "password+Fed" spec will not slow down the former specs. > > > The rejoined document splits those out into distinct sections, with > no dependencies on each other. My hope is that this internal > division exercises the extension points enough to ensure that > completely external specs are equally well-supported. Your feedback > there would be super-helpful. On 4/5/17, 10:30 AM, "Mike West" <mkwst@google.com> wrote: > > Or, were you concerned about getting the process question of getting > the core CM API to CR in sync with WebAuthn moving to CR? Both the latter (longer term) and the former (near term), I believe. =JeffH
Received on Thursday, 6 April 2017 14:26:14 UTC