Re: Proposal for a credential management API.

2014-08-19 Thread Mike West
On Mon, Aug 18, 2014 at 7:07 PM, Hill, Brad bh...@paypal.com wrote: I think the broader goals Jonas has articulated probably belong in their own group, perhaps chartered along with some of what comes out of the upcoming Web Crypto Next Steps workshop. I'm certainly interested in seeing what

Re: Proposal for a credential management API.

2014-08-18 Thread Mike West
On Tue, Aug 12, 2014 at 10:19 PM, Jonas Sicking jo...@sicking.cc wrote: One- or two-click sign _up_, on the other hand, will likely be more difficult given the complexities of authorization (scopes, etc). I'm not sure what you count as sign-up? Today, if I visit a new website that I've

Re: Proposal for a credential management API.

2014-08-18 Thread Hill, Brad
I think the broader goals Jonas has articulated probably belong in their own group, perhaps chartered along with some of what comes out of the upcoming Web Crypto Next Steps workshop. http://www.w3.org/2012/webcrypto/webcrypto-next-workshop/papers.html I'll say by way of indicating possible

Re: Proposal for a credential management API.

2014-08-12 Thread Jonas Sicking
Hi Mike, I'm very interested in improving the login experience on websites. In particular I'd like to create a better flow when federated logins are used, with at least the following goals: * Make it easier for websites to use federated login so as to discourage passwords. * Ensure that the

Re: Proposal for a credential management API.

2014-08-12 Thread Mike West
Hi Jonas, thanks for this feedback! On Tue, Aug 12, 2014 at 11:51 AM, Jonas Sicking jo...@sicking.cc wrote: I'm very interested in improving the login experience on websites. In particular I'd like to create a better flow when federated logins are used, with at least the following goals: I

Re: Proposal for a credential management API.

2014-08-12 Thread Jonas Sicking
On Tue, Aug 12, 2014 at 9:33 AM, Mike West mk...@google.com wrote: * Enable a login flow which is less jarring UX-wise than today's redirects. * Don't increase the number of clicks needed to log in. Today two clicks are usually enough, we shouldn't be worse than that since then websites won't

Write-only form fields (was Re: Proposal for a credential management API.)

2014-08-01 Thread Mike West
Forking this out into a separate thread, as I think it's a great idea, but tangential to the original proposal. :) TL;DR: I put together a strawman based on these suggestions which defines a 'writeonly' attribute on HTMLInputElement: http://projects.mikewest.org/credentialmanagement/writeonly/,

Re: Proposal for a credential management API.

2014-08-01 Thread Robin Berjon
Hi Mike, On 31/07/2014 09:48 , Mike West wrote: It's not clear to me that WebApps is the right venue from a process perspective, but this is almost certainly the right group of people to evaluate the proposal. Thanks in advance for your feedback, suggestions, and time. :) As you know I think

Re: Write-only form fields (was Re: Proposal for a credential management API.)

2014-08-01 Thread Brian Smith
On Fri, Aug 1, 2014 at 5:37 AM, Mike West mk...@google.com wrote: On Thu, Jul 31, 2014 at 6:37 PM, Brian Smith br...@briansmith.org wrote: particular, if we are worried about XSS stealing passwords then we have to consider the possibility that XSS has inserted a form without any httponly

Re: Write-only form fields (was Re: Proposal for a credential management API.)

2014-08-01 Thread Mike West
On Fri, Aug 1, 2014 at 3:31 PM, Brian Smith br...@briansmith.org wrote: There is some tension here between making things password-specific and simple vs. making them general and harder to understand. Defining this as a mechanism to protect only passwords keeps it simple. But, it seems wrong

Re: Write-only form fields (was Re: Proposal for a credential management API.)

2014-08-01 Thread Jacob S Hoffman-Andrews
Your proposal decouples spec from implementation more than the placeholder approach does, which is good. I think the CSP directive is unnecessary and makes things more fragile. The 'protect this credential from XSS' attribute should be a property of a stored credential, not a web site. If the

Re: Write-only form fields (was Re: Proposal for a credential management API.)

2014-08-01 Thread Mike West
Thanks Jacob! On Fri, Aug 1, 2014 at 6:48 PM, Jacob S Hoffman-Andrews j...@eff.org wrote: I think the CSP directive is unnecessary and makes things more fragile. The 'protect this credential from XSS' attribute should be a property of a stored credential, not a web site. If the site has the

Proposal for a credential management API.

2014-07-31 Thread Mike West
TL;DR: Strawman spec and use cases at https://github.com/mikewest/credentialmanagement # Use Cases User agents' password managers are a fragile and proprietary hodgepodge of heuristics meant to detect and fill sign-in forms, password change forms, etc. We can do significantly better if we invite

Re: Proposal for a credential management API.

2014-07-31 Thread Jacob S Hoffman-Andrews
I like the idea of standardizing some of the interactions between password managers and web sites. I think we should strongly consider ways to integrate XSS mitigation. Hopefully before too long most people will be using a password manager. With most password managers, if there is a

Re: Proposal for a credential management API.

2014-07-31 Thread Brian Smith
On Thu, Jul 31, 2014 at 8:19 AM, Jacob S Hoffman-Andrews j...@eff.org wrote: I'd say there are approximately three styles for login form submission: A) No JS. A form with some input type=text's that gets submitted when you click an input type=submit. B) Some JS. A form that gets submitted by

Re: Proposal for a credential management API.

2014-07-31 Thread Brian Smith
On Thu, Jul 31, 2014 at 9:37 AM, Brian Smith br...@briansmith.org wrote: Web browsers with sandboxed child processes have the networking logic in the more-privileged parent process. The purpose of sandboxing is to protect against exploits in the child process. It would be useful for the

Re: Proposal for a credential management API.

2014-07-31 Thread Anne van Kesteren
On Thu, Jul 31, 2014 at 6:40 PM, Brian Smith br...@briansmith.org wrote: On Thu, Jul 31, 2014 at 9:37 AM, Brian Smith br...@briansmith.org wrote: Web browsers with sandboxed child processes have the networking logic in the more-privileged parent process. The purpose of sandboxing is to protect