On 12 Mar 2016 7:28 PM, "Anne van Kesteren" <ann...@annevk.nl> wrote:
> It should be identical to password manager integration.

But it is not, though I suppose that a password manager might be exploited to store state. I hope that isn't possible... (note to self, attempt this attack)

> > In that case, credentials stored by a site should last no longer than
> > cookies. Credentials created by a user maybe can live longer.
>
> How do you distinguish the two if the access is through a UI-mediated API?

If credentials created in response to a `get()` call are stored at the point they are created, you could treat calls to `store()` very differently. Maybe. If the intent is to use a password manager, see Richard's earlier mail.

> If we think this API should have no more power than storage/cookies,
> there's not much point in having this API.

Yes, the source of my concerns, right there. Sure, the fig leaf might allow us to convince ourselves that we aren't creating a tracker that trumps the rest.

If we are creating something that is somehow greater out of the framework this provides (FIDO), then that is useful. But the stepping stone we are being offered on that path looks suspicious. Why not go straight for the real prize?

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform