Re: Identity providers as first parties

From: イアンフェッティ <ifette@google.com>
Date: Wed, 13 Jun 2012 07:34:34 -0700
Message-ID: <CAF4kx8edZqQqUAJKSOc8m3MjNYPbE2w5-QhYFLFs=n3p7mUEiw@mail.gmail.com>
To: JC Cannon <jccannon@microsoft.com>
Cc: Tamir Israel <tisrael@cippic.ca>, "public-tracking@w3.org Group WG" <public-tracking@w3.org>
Indeed, in the case of signing into Mashable with Facebook, it gets all
sorts of info from Facebook (and can post to your timeline on your behalf)
if you accept the defaults. Maybe that is an out-of-band consent, but it
seems that either the identity provider gets out of the picture after
authentication, at which point it doesn't matter, or it continues to
provide services, which given that the user signed in with that service's
account, are certainly more obvious than a case where a user hadn't signed
in with that service's account...

On Wed, Jun 13, 2012 at 7:29 AM, JC Cannon <jccannon@microsoft.com> wrote:

> There may be cases where the identity provider supplies ongoing profile or
> configuration information on behalf of the user.
>
> JC
>
> -----Original Message-----
> From: Tamir Israel [mailto:tisrael@cippic.ca]
> Sent: Wednesday, June 13, 2012 7:25 AM
> To: ifette@google.com
> Cc: public-tracking@w3.org Group WG
> Subject: Re: Identity providers as first parties
>
> Hi Ian,
>
> I'm not certain this is as clear as you imply. The entire concept of a
> federated identity system, for example, is to segregate the identity
> provider from any processing tasks beyond identity authentication. I would
> not expect an OpenID identity provider, for example, to suddenly become a
> 1st party simply because I used it to sign in. The role of that provider
> should be completed once my identity has been authenticated.
>
> Best,
> Tamir
>
> On 6/13/2012 10:13 AM, Ian Fette (イアンフェッティ) wrote:
> > This email is intended to satisfy ACTION-187 and ISSUE-99
> >
> > I propose adding to the compliance spec the following:
> >
> > "If a site offers users the choice to log in with an identity
> > provider, via means such as OpenID, OAuth, or other conceptually
> > similar mechanisms, the identity provider is considered a first party
> > for the current transactions and subsequent transactions for which the
> > user remains authenticated to the site via the identity provider."
> >
> > Clearly when the user is logging in, there is a meaningful interaction
> > with what was previously a third party widget, thus promoting it to a
> > first party. If all that's being provided is a userid, then the
> > interaction is basically over at that point. If more info is being
> > provided from the user's account (such as a friend list, a chat
> > widget, or whatever), I think one could still assume that the user
> > made a meaningful interaction with that party and thus the party is
> > still a first party.
> >
> > -Ian
>
>
>
Received on Wednesday, 13 June 2012 14:35:04 UTC