Re: Looking for a home for a proposed Credential Management API.
On 09/24/2014 09:57 AM, Mike West wrote:
> There's a credentials community group that has nothing to do with the proposal

There's more in common than you might think. Fundamentally, the Credentials CG would like to ensure that the Credentials API that you're proposing supports the type of high-stakes, digitally signed credentials (like government-issued passports, professional licenses, background checks, etc.) that we need for the Web Payments work. I suggest reading up on what we'd like to see here:

http://manu.sporny.org/2014/credential-based-login/
http://manu.sporny.org/2014/identity-credentials/

I'll do a review of your spec and use cases from a Credentials CG viewpoint. I'm happy to get on the phone w/ you and discuss things in more technical depth when you become available.

That said, the right place to discuss the API is most likely Web Apps with input from WebCrypto WG, Security IG, Web Payments IG, FIDO Alliance, and the Credentials CG. I don't think you can do a good job on the API you're proposing without all of their involvement.

> and given the weak IPR protections of a CG, I'd prefer to avoid them in the long run (though they might be the right place for short-term incubation).

I agree that the Credentials CG (or any CG) isn't the right place for the work in the long run. Keep in mind that the Web Payments work will most likely be starting soon, and they'll be in charge of recommending new WGs to be chartered to support the work. Transmitting credentials is a big part of the problem and a few modifications to your API could address that issue.

> Another option would be to create a new CG (although I suppose there could be some confusion with Manu's Credentials CG http://www.w3.org/community/credentials/).

The Credentials CG can provide input, but most of the right people to talk about the API (and all of the potential security issues) probably exist in WebApps.
As Robin said earlier in the thread, I wouldn't focus too much on the process and the right group too much. Get documents published, get implementations and polyfills done, then ping all of the groups listed above to get their feedback. The Credentials CG would be happy to provide input on the API as it relates to our use cases.

-- manu

--
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: High-Stakes Credentials and Web Login
http://manu.sporny.org/2014/identity-credentials/
RE: Looking for a home for a proposed Credential Management API.
Dear Mike, and all,

What kind of skills do you think this API should benefit? Good web app dev and architects, security nerds, or crypto people. This may also ease the specification deployment, if it lands in a WG with the right skilled people.

My 2 cents,
Virginie

-----Original Message-----
From: Harry Halpin [mailto:hhal...@w3.org]
Sent: Wednesday, 24 September 2014 16:01
To: Mike West; Brad Hill; Dan Veditz; cha...@yandex-team.ru; GALINDO Virginie; Webapps WG
Cc: Jonas Sicking; p...@w3.org; yla...@w3.org; xiaoq...@w3.org; Wendy Seltzer
Subject: Re: Looking for a home for a proposed Credential Management API.

On 09/24/2014 03:57 PM, Mike West wrote:
> (I'd originally sent this just to the folks on to: and cc:. Art reminded me that public is better, so I'm resending to public-webapps@, and BCCing public-webappsec@ for visibility).
>
> Hello, chairs of the WebApps, WebAppSec, and WebCrypto WGs!
>
> On Friday, I had an encouraging discussion with Jonas Sicking (CC'd) about the Credential Management API proposed a month or so ago on WebApps (http://mikewest.github.io/credentialmanagement/spec/). Chrome has started experimenting with an implementation, and though we're nowhere near even considering shipping it, I'd like to make sure that our implementation doesn't get too far out ahead of the spec process.
>
> I think it's fair to say that Mozilla is interested in continuing the discussion around the short-term and long-term goals of such an API in an appropriate venue. I'd like your collective opinion about what that venue might be.
>
> WebApps seems like the right place just in terms of having the right people involved. It would require a recharter, however, and it's not clear to me that that would be a worthwhile use of folks' time.
>
> Both WebCrypto and WebAppSec are in the process of rechartering, which resolves that potential issue, but neither really seems to be appropriate, as they're concerned with aspects other than credentials and authentication.
> There's a credentials community group that has nothing to do with the proposal, and given the weak IPR protections of a CG, I'd prefer to avoid them in the long run (though they might be the right place for short-term incubation).
>
> Brad suggested that an authentication WG might be spun up out of the conversations in the recent WebCrypto workshop. Are there concrete plans for such a group?

We've just started those discussions. A high-level authentication API was brought up as a possible deliverable and this looks on the right level. Whether or not it goes in WebAppSec or WebCrypto or a new WG is up in the air - the discussion *just* started. The Google folks there also wanted to make sure this dovetailed with their work on U2F in FIDO and of course later work in UAF, so we were kinda waiting for them to make that public.

> Thanks!
>
> -mike
>
> --
> Mike West mk...@google.com
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Court of registration and number: Hamburg, HRB 86891
> Registered office: Hamburg
> Managing directors: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Re: Looking for a home for a proposed Credential Management API.
On Fri, Sep 26, 2014 at 10:39 AM, Arthur Barstow art.bars...@gmail.com wrote:
> While some of these longer term options Harry mentioned are sorted out, are you looking for a more immediate place to discuss your proposal?

I'm looking for a path that leads to cross-browser agreement and publication. *shrug* There's no particular rush, but since it sounds like there's at least partial agreement on the general shape and direction of the API, it would be nice to get a draft published in the relatively near future in the hopes of raising visibility and focusing discussion (as well as the general IPR excitement that published drafts tend to cover).

> If so, although I am currently mostly indifferent as to which existing list to use, I don't object to using p-webapps. That said, perhaps the Security IG list would be more appropriate (since I think it has an implicit `coordination` function). Virginie, Adam - any feedback on the IG being a temporary home for Mike's proposal?

Whichever group ends up being the right one for eventual publication, public-webapps@ seems like a good place for discussion; the right folks are probably already here. :)

> Another option would be to create a new CG (although I suppose there could be some confusion with Manu's Credentials CG http://www.w3.org/community/credentials/).

I guess that's an option.

--
Mike West mk...@google.com
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Court of registration and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Re: Looking for a home for a proposed Credential Management API.
On 9/24/14 10:00 AM, Harry Halpin wrote:
> On 09/24/2014 03:57 PM, Mike West wrote:
>> (I'd originally sent this just to the folks on to: and cc:. Art reminded me that public is better, so I'm resending to public-webapps@, and BCCing public-webappsec@ for visibility).
>>
>> Hello, chairs of the WebApps, WebAppSec, and WebCrypto WGs!
>>
>> On Friday, I had an encouraging discussion with Jonas Sicking (CC'd) about the Credential Management API proposed a month or so ago on WebApps (http://mikewest.github.io/credentialmanagement/spec/). Chrome has started experimenting with an implementation, and though we're nowhere near even considering shipping it, I'd like to make sure that our implementation doesn't get too far out ahead of the spec process.
>>
>> I think it's fair to say that Mozilla is interested in continuing the discussion around the short-term and long-term goals of such an API in an appropriate venue. I'd like your collective opinion about what that venue might be.
>>
>> WebApps seems like the right place just in terms of having the right people involved. It would require a recharter, however, and it's not clear to me that that would be a worthwhile use of folks' time.
>>
>> Both WebCrypto and WebAppSec are in the process of rechartering, which resolves that potential issue, but neither really seems to be appropriate, as they're concerned with aspects other than credentials and authentication.
>>
>> There's a credentials community group that has nothing to do with the proposal, and given the weak IPR protections of a CG, I'd prefer to avoid them in the long run (though they might be the right place for short-term incubation).
>>
>> Brad suggested that an authentication WG might be spun up out of the conversations in the recent WebCrypto workshop. Are there concrete plans for such a group?
>
> We've just started those discussions. A high-level authentication API was brought up as a possible deliverable and this looks on the right level.
> Whether or not it goes in WebAppSec or WebCrypto or a new WG is up in the air - the discussion *just* started. The Google folks there also wanted to make sure this dovetailed with their work on U2F in FIDO and of course later work in UAF, so we were kinda waiting for them to make that public.

Hi Mike,

While some of these longer term options Harry mentioned are sorted out, are you looking for a more immediate place to discuss your proposal?

If so, although I am currently mostly indifferent as to which existing list to use, I don't object to using p-webapps. That said, perhaps the Security IG list would be more appropriate (since I think it has an implicit `coordination` function). Virginie, Adam - any feedback on the IG being a temporary home for Mike's proposal?

Another option would be to create a new CG (although I suppose there could be some confusion with Manu's Credentials CG http://www.w3.org/community/credentials/).

-AB
Looking for a home for a proposed Credential Management API.
(I'd originally sent this just to the folks on to: and cc:. Art reminded me that public is better, so I'm resending to public-webapps@, and BCCing public-webappsec@ for visibility).

Hello, chairs of the WebApps, WebAppSec, and WebCrypto WGs!

On Friday, I had an encouraging discussion with Jonas Sicking (CC'd) about the Credential Management API proposed a month or so ago on WebApps (http://mikewest.github.io/credentialmanagement/spec/). Chrome has started experimenting with an implementation, and though we're nowhere near even considering shipping it, I'd like to make sure that our implementation doesn't get too far out ahead of the spec process.

I think it's fair to say that Mozilla is interested in continuing the discussion around the short-term and long-term goals of such an API in an appropriate venue. I'd like your collective opinion about what that venue might be.

WebApps seems like the right place just in terms of having the right people involved. It would require a recharter, however, and it's not clear to me that that would be a worthwhile use of folks' time.

Both WebCrypto and WebAppSec are in the process of rechartering, which resolves that potential issue, but neither really seems to be appropriate, as they're concerned with aspects other than credentials and authentication.

There's a credentials community group that has nothing to do with the proposal, and given the weak IPR protections of a CG, I'd prefer to avoid them in the long run (though they might be the right place for short-term incubation).

Brad suggested that an authentication WG might be spun up out of the conversations in the recent WebCrypto workshop. Are there concrete plans for such a group?

Thanks!
-mike

--
Mike West mk...@google.com
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Court of registration and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Re: Looking for a home for a proposed Credential Management API.
On 09/24/2014 03:57 PM, Mike West wrote:
> (I'd originally sent this just to the folks on to: and cc:. Art reminded me that public is better, so I'm resending to public-webapps@, and BCCing public-webappsec@ for visibility).
>
> Hello, chairs of the WebApps, WebAppSec, and WebCrypto WGs!
>
> On Friday, I had an encouraging discussion with Jonas Sicking (CC'd) about the Credential Management API proposed a month or so ago on WebApps (http://mikewest.github.io/credentialmanagement/spec/). Chrome has started experimenting with an implementation, and though we're nowhere near even considering shipping it, I'd like to make sure that our implementation doesn't get too far out ahead of the spec process.
>
> I think it's fair to say that Mozilla is interested in continuing the discussion around the short-term and long-term goals of such an API in an appropriate venue. I'd like your collective opinion about what that venue might be.
>
> WebApps seems like the right place just in terms of having the right people involved. It would require a recharter, however, and it's not clear to me that that would be a worthwhile use of folks' time.
>
> Both WebCrypto and WebAppSec are in the process of rechartering, which resolves that potential issue, but neither really seems to be appropriate, as they're concerned with aspects other than credentials and authentication.
>
> There's a credentials community group that has nothing to do with the proposal, and given the weak IPR protections of a CG, I'd prefer to avoid them in the long run (though they might be the right place for short-term incubation).
>
> Brad suggested that an authentication WG might be spun up out of the conversations in the recent WebCrypto workshop. Are there concrete plans for such a group?

We've just started those discussions. A high-level authentication API was brought up as a possible deliverable and this looks on the right level.
Whether or not it goes in WebAppSec or WebCrypto or a new WG is up in the air - the discussion *just* started. The Google folks there also wanted to make sure this dovetailed with their work on U2F in FIDO and of course later work in UAF, so we were kinda waiting for them to make that public.

> Thanks!
>
> -mike
>
> --
> Mike West mk...@google.com
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Court of registration and number: Hamburg, HRB 86891
> Registered office: Hamburg
> Managing directors: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)