Re: Question to the FedID CG re: FPS from Brian May on 2022-06-01 (public-fed-id@w3.org from June 2022)

From: Brian May <bmay@dstillery.com>
Date: Wed, 1 Jun 2022 13:35:12 -0400
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: Nicole Roy <nroy@internet2.edu>, Heather Flanagan <hlf@sphericalcowconsulting.com>, "public-fed-id@w3.org" <public-fed-id@w3.org>
Message-ID: <CAMpQz1ZW5dYHHwes0qD5Z+niodHEZgJv2Qxuj7BYe7==9=zidQ@mail.gmail.com>

For anyone not in the Slack channel, Tim Cappalli also posted this article
<https://www.ghacks.net/2022/05/23/brave-joins-mozilla-in-declaring-googles-first-party-sets-feature-harmful-to-privacy/>
in
which Brave describes FPS as harmful to privacy.

My general sense from across the groups I participate in is that FSP, as
currently conceived, won't be supported as a standard. Given that, I think
the question is whether there would be sufficient availability for it to be
a viable dependency and I think the answer is no.

I also think, given my understanding of the Federated Identity use-case
(which admittedly isn't deep) that FPS provides much more leeway than is
necessary and that a specifically tailored solution would be more
appropriate and easier to get accepted by browser vendors.

On Wed, Jun 1, 2022 at 12:48 PM Brian Campbell <bcampbell@pingidentity.com>
wrote:

> Likewise, FPS does not help with any of my federation use cases.
>
> On Tue, May 31, 2022 at 12:29 PM Nicole Roy <nroy@internet2.edu> wrote:
>
>>
>>
>> On May 30, 2022, at 7:00 AM, Heather Flanagan <
>> hlf@sphericalcowconsulting.com> wrote:
>>
>> Hello FedID CG members,
>>
>> I’d like to bring your attention to a couple of discussions happening
>> over in the PrivacyCG regarding the First Party Sets (FPS) proposal.
>>
>>    - Move FPS to different CG/WG (see Issue #88
>>    <https://github.com/privacycg/first-party-sets/issues/88> and 26 May
>>    2022 meeting notes)
>>    - Apple WebKit's feedback on the First Party Sets proposal
>>    <https://lists.w3.org/Archives/Public/public-privacycg/2022May/0006..html>
>>
>> The focus of the PrivacyCG is entirely, as one would expect, on privacy
>> principles whereas the FedID CG focuses on maintaining the functionality of
>> federation in a privacy-focused world. Somewhat different priorities that
>> allow for different directions as ideas are incubated.
>>
>> My question to the FedID CG is whether anyone thinks that FPS has
>> sufficient utility that it helps solve for their federation use cases? I
>> know some people/orgs have said no, because their orgs have too many
>> domains to fit into a FPS. I also know that the FedCM API, which is our
>> CG’s work product, assumes the existence of FPS and expects to serve as the
>> fallback mechanism if FPS doesn’t apply.
>>
>>
>> As is somewhat acknowledged toward the end of the email linked above re:
>> WebKit’s take on FPS, FPS is a completely unworkable and inapplicable
>> solution for doing federated single sign-on in the multilateral federation
>> space. From that perspective, FPS does not help with any of my federation
>> use cases.
>>
>> Best,
>>
>> Nicole
>>
>>
>> All feedback is welcome!
>>
>> Heather Flanagan
>> Spherical Cow Consulting
>> <http://linkedin.com/in/hlflanagan/> <http://twitter.com/sphcow>
>>
>>
>>
>>   Translator of Geek to Human
>>   hlf@sphericalcowconsulting.com
>>
>>
>>
>> ‌
>>
>>
>>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*



-- 


Brian May
Principal Engineer
P: (848) 272-1164

Received on Wednesday, 1 June 2022 17:35:45 UTC