Re: Splitting "Credential Management"?

biting the bullet and cross-posting to webauthn...

> On Wed, Apr 5, 2017 at 6:10 PM, Mike West <mike@mikewest.org> replied:
> 
> 
>> On Wed, Apr 5, 2017 at 5:58 PM, Hodges, Jeff <jeff.hodges@paypal.com> 
>> had scrawled:
> 
>> some thoughts wrt the original experiment of splitting credman up
>> (ie this thread up thru 17-Mar-2017):
>> 
>>>> On Thu, Mar 16, 2017 at 6:26 AM, Mike West <mkwst@google.com> wrote:
>>>> Hey folks!
>>>>
>>>> While re-reading through the Credential Management API, I realized
>>>> that the extension mechanisms aren't at all clear. As a thought
>>>> exercise, I'm mostly finished with splitting the document into a
>>>> generic API that defines the high-level architecture
>>>> <https://w3c.github.io/webappsec-credential-management/base.html>,
>>>> and a document that specifies `PasswordCredential` and
>>>> `FederatedCredential` as an extension
>>>> <https://w3c.github.io/webappsec-credential-management/sitebound.html>.
>>>>
>>>> WDYT? Is this a sane division? Does it actually make the integration
>>>> points clearer by forcing us to use them, or is it more confusing
>>>> than not to have the pieces in distinct documents?
>> 
>> 
>> On 3/17/17, 7:40 PM, "Jeffrey Yasskin" <jyasskin@google.com> wrote
>> in part:
>>>
>>> 3 thoughts here:
>>>
>>> 1) I strongly approve of you using the extension points to define the
>>> initial credential types. Without doing this, it'd be hard for an
>>> extender to use the extension points as you intended, even if you
>>> managed to get them right.
>> 
>> agreed.
>> 
>> 
>>> I think it's less important to put the
>>> initial extensions in a separate document, although doing so does
>>> force you to figure out how future extensions will be registered.
>> 
>> Although, if WebAuthn adds credman as a dependency
>> <https://github.com/w3c/webauthn/pull/384>,
>> then from a timeline perspective it may be more expeditious to 
>> have credman divided into "base" and "password+Fed" (nee
>> 'sitebound'), as he proposed in his original msg above. Thus we
>> (WebAppSec+WebAuthn) can concentrate on progressing credman base
>> and webauthn, and hopefully any issues particular to the
>> "password+Fed" spec will not slow down the former specs.
>
> 
> The rejoined document splits those out into distinct sections, with 
> no dependencies on each other. My hope is that this internal
> division exercises the extension points enough to ensure that
> completely external specs are equally well-supported. Your feedback
> there would be super-helpful.


On 4/5/17, 10:30 AM, "Mike West" <mkwst@google.com> wrote:
> 
> Or, were you concerned about getting the process question of getting
> the core CM API to CR in sync with WebAuthn moving to CR?


Both the latter (longer term) and the former (near term), I believe.


=JeffH

Received on Thursday, 6 April 2017 14:26:14 UTC