Re: PR #384 CredMan Integration

On 4/10/17, 2:29 PM, "Anthony Nadalin" <tonynad@microsoft.com> wrote:

> So based upon the discussions that have been going on there 
> seems to be some issues raised on what happens 
> when we merge. I have not heard any real outright objections to the merge,

Dirk made such an outright objection -- but perhaps he said it too nicely [0]:

  ..I'm arguing against accepting https://github.com/w3c/webauthn/pull/384 as 
  is, because I believe it will create a lot of future work for us that will 
  slow us down.

> so in favor of progress I suggest we accept #384 
> and deal with the questions as they come up with Mike West, 
> as we seem to be just going around and around w/o making a decision. 

A more productive approach may be to consider our options in light of the desire to have an implementable and nominally usable draft webauthn level 1 API in the near term.

To me the decision context appears to be: 

  What's more important, 

    (1) near-term implementable & adoptable/deployable webauthn draft with or 
        without credman incorporation, or,

    (2) adding credman dependency now (because it seems we will do it at some 
        point regardless), i.e., merge PR#384 as-is, and hope the resultant 
        fixing/polishing does not take "too long" ?

Tony is suggesting (2).  

In [0] Dirk is arguing that (2) will result in taking "too long", and implies we should do option B plus some renaming.

Though, an option (3) is that we could think things through more thoroughly, convince ourselves option C (below) is the correct thing to do in light of the other below options, and if it is, revise the PR#384 appropriately, then merge. One could argue this will take less time than just merging #384 as-is.  

@mikewest replied to Dirk's points in detail in [3], so we've embarked on option (3) if we hold off on merging. This is what I'd vote for. 

HTH,

=JeffH


details:

Again, the webauthn||credman options [1][2] are:

A. Just Rename (slides 8, 9)
(as noted in the F2F minutes, this is to just "'rename' scopedCredential" such that webauthn (WA) does not use the term 'credential' in its API)

B. Join credman class hierarchy, keep webauthn methods  (slides 10..14)

C. Join credman (CM) class hierarchy, use CM methods (slides 15..18)

Plus, there is also the status-quo:

D.  Leave credman and webauthn entirely separate for their "level 1" (ie initial version) incarnations (leaves door open to address some sort of merger in level 2 incarnations).


[0] https://lists.w3.org/Archives/Public/public-webauthn/2017Apr/0138.html


[1] WebAuthn vs Credential Management (@balfanz)
<https://docs.google.com/presentation/d/1RyfQS3f-Dk7xU8S6pCSBzWl3jGGGrkF1zWkUypVUnik>

[2] https://github.com/w3c/webauthn/pull/384#issuecomment-292734633


[3] https://lists.w3.org/Archives/Public/public-webauthn/2017Apr/0147.html

Received on Monday, 10 April 2017 23:19:09 UTC