w3c / webappsec-credential-management

WebAppSec Credential Management
https://w3c.github.io/webappsec-credential-management/

Consider extracting PasswordCredential and FederatedCredential to separate specs? #255

Open lukewarlow opened 4 weeks ago

lukewarlow commented 4 weeks ago

This has somewhat come up before in #221 but I think it's worth raising again.

With this specification being the core base to many other specifications, (e.g. FedCM) with at least WebAuthn being a W3C recommendation, it would be better if this specification was just the core API surface required by other specifications. This would probably allow it to proceed through the W3C standardisation process and become a Recommendation itself rather than being stuck as a working draft.

Moving PasswordCredential and FederatedCredential to a Credential Management Level 2 could allow for level 1 to be progressed? But they seem unlikely to get traction any time soon (only Chromium ever implemented them and FederatedCredentials are superseded by FedCM iirc?) and splitting the core specification doesn't feel like the best approach here.

Moving both into their own specifications seems like the best path forwards. Something like https://specs.lukewarlow.dev/password-credentials/ and https://specs.lukewarlow.dev/federated-credentials/ with those sections removed from the core spec and the registry table updated to the new standalone specs follows the pattern that other Credential types follow.

The main questions are is this something the working group want to do? And if so where would be best to put these new specs, WebAppSec, WICG or for Federated maybe w3c-fedid if a non-confusing name for it can be thought of?

marcoscaceres commented 3 weeks ago

I tend to agree this would be a good idea. The PasswordCredential and FederatedCredential are fairly stable so it should be easy to extract them. At the same time, we should work out if we want to keep them on the REC track... I think PasswordCredential only has a single implementation (and no commitment from anyone else right now), right? If that's the case, we should consider transitioning PasswordCredential to a W3C Note (we can always switch it back to WD if we get a second implementation).

and I'm a bit confused what the relationship is between FedCM and FederatedCredential? Is there any?

lukewarlow commented 3 weeks ago

> ...so it should be easy to extract them

Yeah I managed to do it quite easily.

> only has a single implementation (and no commitment from anyone else right now), right?

PasswordCredential as you say only has 1 implementation (Chromium). I raised https://github.com/mozilla/standards-positions/issues/842 and https://github.com/WebKit/standards-positions/issues/220 to try and get positions on that part of the API. Fwiw I think it's a good API and should be implemented across the board. But potentially as you say it would need to move to a note or maybe move back to WICG to be further incubated?

> and I'm a bit confused what the relationship is between FedCM and FederatedCredential? Is there any?

My understanding is that FedCM is designed to address a superset of what FederatedCredential did. FederatedCredential should probably be deprecated but from what I've read that's harder from a webcompat point of view than expected.