Re: Question to the FedID CG re: FPS

At OSW, I proposed two new terms to help with these discussions: Same-Party Federation and Third-Party Federation (there is debate over these terms, but I stand by them in the context of these browser changes).

Same Party Federation would be, for example, Google Maps, Gmail, YouTube, and Google Sign-In, or Disney, Hulu, ABC, and ESPN.

FPS will solve many Same Party Federation issues. It will not help with Third-Party Federation (unless things like CNAMEs are used).




tim

From: Brian May <bmay@dstillery.com>
Date: Wednesday, June 1, 2022 at 13:36
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: Nicole Roy <nroy@internet2.edu>, Heather Flanagan <hlf@sphericalcowconsulting.com>, public-fed-id@w3.org <public-fed-id@w3.org>
Subject: Re: Question to the FedID CG re: FPS
For anyone not in the Slack channel, Tim Cappalli also posted this article<https://www.ghacks.net/2022/05/23/brave-joins-mozilla-in-declaring-googles-first-party-sets-feature-harmful-to-privacy/> in which Brave describes FPS as harmful to privacy.

My general sense from across the groups I participate in is that FPS, as currently conceived, won't be supported as a standard. Given that, I think the question is whether there would be sufficient availability for it to be a viable dependency and I think the answer is no.

I also think, given my understanding of the Federated Identity use-case (which admittedly isn't deep) that FPS provides much more leeway than is necessary and that a specifically tailored solution would be more appropriate and easier to get accepted by browser vendors.

On Wed, Jun 1, 2022 at 12:48 PM Brian Campbell <bcampbell@pingidentity.com> wrote:
Likewise, FPS does not help with any of my federation use cases.

On Tue, May 31, 2022 at 12:29 PM Nicole Roy <nroy@internet2.edu> wrote:



On May 30, 2022, at 7:00 AM, Heather Flanagan <hlf@sphericalcowconsulting.com> wrote:

Hello FedID CG members,

I'd like to bring your attention to a couple of discussions happening over in the PrivacyCG regarding the First Party Sets (FPS) proposal.

  *   Move FPS to different CG/WG (see Issue #88<https://github.com/privacycg/first-party-sets/issues/88> and 26 May 2022 meeting notes)
  *   Apple WebKit's feedback on the First Party Sets proposal<https://lists.w3.org/Archives/Public/public-privacycg/2022May/0006..html>
The focus of the PrivacyCG is entirely, as one would expect, on privacy principles whereas the FedID CG focuses on maintaining the functionality of federation in a privacy-focused world. Somewhat different priorities that allow for different directions as ideas are incubated.

My question to the FedID CG is whether anyone thinks that FPS has sufficient utility that it helps solve for their federation use cases? I know some people/orgs have said no, because their orgs have too many domains to fit into a FPS. I also know that the FedCM API, which is our CG's work product, assumes the existence of FPS and expects to serve as the fallback mechanism if FPS doesn't apply.

As is somewhat acknowledged toward the end of the email linked above re: WebKit's take on FPS, FPS is a completely unworkable and inapplicable solution for doing federated single sign-on in the multilateral federation space. From that perspective, FPS does not help with any of my federation use cases.

Best,

Nicole



All feedback is welcome!

Heather Flanagan
Spherical Cow Consulting
Translator of Geek to Human
hlf@sphericalcowconsulting.com










--



Brian May
Principal Engineer
P: (848) 272-1164

Received on Wednesday, 1 June 2022 17:53:39 UTC