Re: WebAppSec Credentials Management API FPWD consensus plan from Mike West on 2015-04-17 (public-webappsec@w3.org from April 2015)

From: Mike West <mkwst@google.com>
Date: Fri, 17 Apr 2015 09:58:37 +0200
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAKXHy=fZY6NkGSSeAJ=TdExKgwNmN90o1Ny8K+Sqb3rgV8T84g@mail.gmail.com>

On Fri, Apr 17, 2015 at 6:30 AM, Manu Sporny <msporny@digitalbazaar.com>
wrote:

> (bcc: Web Payments IG, Credentials CG)
>
> This is an attempt to propose a plan that will achieve consensus on the
> WebAppSec Credentials Management API FPWD publication. It is informed by
> the state of discussions[1][2][3] that have been occurring in the github
> issue tracker.
>
> Requests that, if fulfilled, will almost surely result in consensus:
>
> 1. Continue to work together to refine changes to the API and data
>    model via github issue 256[3].
>

Based on David's feedback, I think we're already pretty close. I rewrote a
good chunk of the spec yesterday based on the concerns raised here, and I'm
hopeful that we'll be able to hammer something out in the very near future.

> 2. Support fetching credentials from locations that are not the
>    browser (IdP websites, for example) and are not login
>    super-providers.
>

I don't think this is in the scope I've signed up for in v1. I do believe
we need to ensure that we don't box ourselves out of a nice API for this in
the future, but it doesn't seem to me to be a necessary component of the
initial iteration.

> 3. Come to consensus that the data model in the API will work for
>    both local credentials and Linked Data credentials served from
>    IdP websites without placing an undue burden on the API.
>

I know you note this at the bottom, but for clarity I'd like to be explicit
here: I don't believe that WebAppSec is chartered in such a way that this
is going to be a formal requirement for the spec. I will happily work with
the CG and IG to make sure that you have room to extend the API in Linked
Data directions (as discussed in #1), but I do not intend to add normative
language to the spec to that effect.

Requests that would most likely be a good idea as the spec progresses:
>
> 1. The Web Payments IG and Credentials CG should be ping'd from time to
>    time to do spec reviews.
>

This certainly seems reasonable.

> 2. An organization in the Credentials CG will do an experimental
>    polyfill implementation of the Credentials Management API to ensure
>    that it is workable from our standpoint.
>

Sounds great!

> 3. Briefly mention the Credentials CG work in the spec since you
>    mention Persona and WebID. I'd be happy to submit a PR for this.
>

I'm happy to review such a PR. :)

Thanks!

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Friday, 17 April 2015 07:59:27 UTC