- From: Mike West <mkwst@google.com>
- Date: Tue, 21 Apr 2015 08:37:14 +0200
- To: Manu Sporny <msporny@digitalbazaar.com>, Brad Hill <hillbrad@gmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=c4MKDZpXHMVW0Ry4oD0p0ajgPSSo=i=eLnQZL8yT6QuQ@mail.gmail.com>
Based on the discussion in https://github.com/w3c/webappsec/pull/277 and https://github.com/w3c/webappsec/issues/256, it sounds like we've worked things out in the current draft ( https://w3c.github.io/webappsec/specs/credentialmanagement/) in enough detail to proceed with the FPWD. Is that your take on things as well, Manu? If so, I'll spin out a pubrules-compliant document for Wendy to take through the transition process. -mike -- Mike West <mkwst@google.com>, @mikewest Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) On Fri, Apr 17, 2015 at 2:51 PM, Manu Sporny <msporny@digitalbazaar.com> wrote: > On 04/17/2015 03:58 AM, Mike West wrote: > > 2. Support fetching credentials from locations that are not the > > browser (IdP websites, for example) and are not login > > super-providers. > > > > I don't think this is in the scope I've signed up for in v1. I do > > believe we need to ensure that we don't box ourselves out of a nice > > API for this in the future, but it doesn't seem to me to be a > > necessary component of the initial iteration. > > To be clear, I meant "support" in a "don't box ourselves out of a nice > API for this in the future" way. I want us to have a clear plan for how > this is going to be polyfilled for LinkedDataCredentials this year and > what the implementation plan for that is going to be in the future. A > potential future Credentials WG would like to extend the API by doing a > minimum amount of modification to the CM API to accomplish fetching > LinkedDataCredentials. We want to make sure that we won't have to do > anything awkward with the API to get there. I think you want the same > thing (don't make developers jump through hoops to support other types > of Credentials). > > > 3. Come to consensus that the data model in the API will work for > > both local credentials and Linked Data credentials served from IdP > > websites without placing an undue burden on the API. > > > > I know you note this at the bottom, but for clarity I'd like to be > > explicit here: I don't believe that WebAppSec is chartered in such a > > way that this is going to be a formal requirement for the spec. I > > will happily work with the CG and IG to make sure that you have room > > to extend the API in Linked Data directions (as discussed in #1), > > but I do not intend to add normative language to the spec to that > > effect. > > +1, we're not asking for normative language wrt. > LinkedDataCredentials... just that the design of the API supports this > sort of extension in the future in a clean way. > > Correct me if I'm wrong, but it sounds like we have general agreement on > a concrete path forward. Now all we need to do is hammer out the details. > > -- manu > > -- > Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny) > Founder/CEO - Digital Bazaar, Inc. > blog: The Marathonic Dawn of Web Payments > http://manu.sporny.org/2014/dawn-of-web-payments/ > >
Received on Tuesday, 21 April 2015 06:38:03 UTC