
Re: Identity providers as first parties

From: イアンフェッティ <ifette@google.com>
Date: Wed, 13 Jun 2012 07:28:41 -0700
Message-ID: <CAF4kx8e4NTR=ZU+feWAovMLe29w=-1nEqNMH7C0RGN9B0WYEOA@mail.gmail.com>
To: Tamir Israel <tisrael@cippic.ca>
Cc: "public-tracking@w3.org Group WG" <public-tracking@w3.org>

Tamir,

Three questions.

1. Would you at least agree that during the sign-in flow, the identity
provider is a first party?
2. Is the part you disagree with the issue of whether the identity provider
remains a first party _after_ the login flow is completed?
3. When the user comes back to the site, if the site redirects the user
through the identity provider for re-authentication, do you agree that the
identity provider is a first party for the authentication flow again on
subsequent visits?

On Wed, Jun 13, 2012 at 7:24 AM, Tamir Israel <tisrael@cippic.ca> wrote:

> Hi Ian,
>
> I'm not certain this is as clear as you imply. The entire concept of a
> federated identity system, for example, is to segregate the identity
> provider from any processing tasks beyond identity authentication. I would
> not expect an OpenID identity provider, for example, to suddenly become a
> 1st party simply because I used it to sign in. The role of that provider
> should be completed once my identity has been authenticated.
>
> Best,
> Tamir
>
>
> On 6/13/2012 10:13 AM, Ian Fette (イアンフェッティ) wrote:
>
>> This email is intended to satisfy ACTION-187 and ISSUE-99
>>
>> I propose adding to the compliance spec the following:
>>
>> "If a site offers users the choice to log in with an identity provider,
>> via means such as OpenID, OAuth, or other conceptually similar mechanisms,
>> the identity provider is considered a first party for the current
>> transactions and subsequent transactions for which the user remains
>> authenticated to the site via the identity provider."
>>
>> Clearly when the user is logging in, there is a meaningful interaction
>> with what was previously a third party widget, thus promoting it to a first
>> party. If all that's being provided is a userid, then the interaction is
>> basically over at that point. If more info is being provided from the
>> user's account (such as a friend list, a chat widget, or whatever), I think
>> one could still assume that the user made a meaningful interaction with
>> that party and thus the party is still a first party.
>>
>> -Ian
>>
>
Received on Wednesday, 13 June 2012 14:29:10 UTC
