Fwd: Re: WebAppSec Credentials Management API FPWD consensus plan

Just keeping these groups in the loop... bcc Web Payments IG.

-------- Original Message --------
Subject:  Re: WebAppSec Credentials Management API FPWD consensus plan
Date:  Fri, 17 Apr 2015 09:58:37 +0200
From:  Mike West <mkwst@google.com>
To:  Manu Sporny <msporny@digitalbazaar.com>
CC:  public-webappsec@w3.org <public-webappsec@w3.org>

On Fri, Apr 17, 2015 at 6:30 AM, Manu Sporny <msporny@digitalbazaar.com> wrote:

    (bcc: Web Payments IG, Credentials CG)

    This is an attempt to propose a plan that will achieve consensus on the
    WebAppSec Credentials Management API FPWD publication. It is informed by
    the state of discussions[1][2][3] that have been occurring in the github
    issue tracker.

    Requests that, if fulfilled, will almost surely result in consensus:

    1. Continue to work together to refine changes to the API and data
       model via github issue 256[3].

Based on David's feedback, I think we're already pretty close. I rewrote
a good chunk of the spec yesterday based on the concerns raised here,
and I'm hopeful that we'll be able to hammer something out in the very
near future.

    2. Support fetching credentials from locations that are not the
       browser (IdP websites, for example) and are not login

I don't think this is in the scope I've signed up for in v1. I do
believe we need to ensure that we don't box ourselves out of a nice API
for this in the future, but it doesn't seem to me to be a necessary
component of the initial iteration.

    3. Come to consensus that the data model in the API will work for
       both local credentials and Linked Data credentials served from
       IdP websites without placing an undue burden on the API.

I know you note this at the bottom, but for clarity I'd like to be
explicit here: I don't believe that WebAppSec is chartered in such a way
that this is going to be a formal requirement for the spec. I will
happily work with the CG and IG to make sure that you have room to
extend the API in Linked Data directions (as discussed in #1), but I do
not intend to add normative language to the spec to that effect.

    Requests that would most likely be a good idea as the spec progresses:

    1. The Web Payments IG and Credentials CG should be ping'd from time to
       time to do spec reviews.

This certainly seems reasonable.

    2. An organization in the Credentials CG will do an experimental
       polyfill implementation of the Credentials Management API to ensure
       that it is workable from our standpoint.

Sounds great!

    3. Briefly mention the Credentials CG work in the spec since you
       mention Persona and WebID. I'd be happy to submit a PR for this.

I'm happy to review such a PR. :)


Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registration court and number: Hamburg, HRB 86891, Registered
office: Hamburg, Managing directors: Graham Law, Christine Elizabeth
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Friday, 17 April 2015 12:51:25 UTC