RE: Question to the FedID CG re: FPS

FYI GDPR Validated Sets proposal uses data protection law to address both scenarios and would work well for FedID. PR to modify FPS to GVS is here<https://github.com/privacycg/first-party-sets/pull/86>.

Google are bound by their CMA commitments to work in all matters privacy to GDPR so presumably support GVS even if theyre yet to say so.

From: Tim Cappalli <Tim.Cappalli@microsoft.com>
Sent: 01 June 2022 18:53
To: Brian May <bmay@dstillery.com>; Brian Campbell <bcampbell@pingidentity.com>
Cc: Nicole Roy <nroy@internet2.edu>; Heather Flanagan <hlf@sphericalcowconsulting.com>; public-fed-id@w3.org
Subject: Re: Question to the FedID CG re: FPS

At OSW, I proposed two new terms to help with these discussions: Same-Party Federation and Third-Party Federation (there is debate over these terms, but I stand by them in the context of these browser changes).

Same Party Federation would be, for example, Google Maps, Gmail, YouTube, and Google Sign-In, or Disney, Hulu, ABC, and ESPN.

FPS will solve many Same Party Federation issues. It will not help with Third-Party Federation (unless things like CNAMEs are used).


[Diagram  Description automatically generated]


tim

From: Brian May <bmay@dstillery.com<mailto:bmay@dstillery.com>>
Date: Wednesday, June 1, 2022 at 13:36
To: Brian Campbell <bcampbell@pingidentity.com<mailto:bcampbell@pingidentity.com>>
Cc: Nicole Roy <nroy@internet2.edu<mailto:nroy@internet2.edu>>, Heather Flanagan <hlf@sphericalcowconsulting.com<mailto:hlf@sphericalcowconsulting.com>>, public-fed-id@w3.org<mailto:public-fed-id@w3.org> <public-fed-id@w3.org<mailto:public-fed-id@w3.org>>
Subject: Re: Question to the FedID CG re: FPS
For anyone not in the Slack channel, Tim Cappalli also posted this article<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ghacks.net%2F2022%2F05%2F23%2Fbrave-joins-mozilla-in-declaring-googles-first-party-sets-feature-harmful-to-privacy%2F&data=05%7C01%7Ctim.cappalli%40microsoft.com%7Cff98ac5eeea14faa8f9608da43f546e7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637897018009093866%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2Fk6p9biX6v86h1axYFwcm7Go1hHrNhIpXS3MTeUMLkY%3D&reserved=0> in which Brave describes FPS as harmful to privacy.

My general sense from across the groups I participate in is that FSP, as currently conceived, won't be supported as a standard. Given that, I think the question is whether there would be sufficient availability for it to be a viable dependency and I think the answer is no.

I also think, given my understanding of the Federated Identity use-case (which admittedly isn't deep) that FPS provides much more leeway than is necessary and that a specifically tailored solution would be more appropriate and easier to get accepted by browser vendors.

On Wed, Jun 1, 2022 at 12:48 PM Brian Campbell <bcampbell@pingidentity.com<mailto:bcampbell@pingidentity.com>> wrote:
Likewise, FPS does not help with any of my federation use cases.

On Tue, May 31, 2022 at 12:29 PM Nicole Roy <nroy@internet2.edu<mailto:nroy@internet2.edu>> wrote:


On May 30, 2022, at 7:00 AM, Heather Flanagan <hlf@sphericalcowconsulting.com<mailto:hlf@sphericalcowconsulting.com>> wrote:

Hello FedID CG members,

Id like to bring your attention to a couple of discussions happening over in the PrivacyCG regarding the First Party Sets (FPS) proposal.

  *   Move FPS to different CG/WG (see Issue #88<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fprivacycg%2Ffirst-party-sets%2Fissues%2F88&data=05%7C01%7Ctim.cappalli%40microsoft.com%7Cff98ac5eeea14faa8f9608da43f546e7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637897018009093866%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=6fzGfkT6sGnDqqDSGSRYahXtTeldgPVZN7vHHpWMYwU%3D&reserved=0> and 26 May 2022 meeting notes)
  *   Apple WebKit's feedback on the First Party Sets proposal<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.w3.org%2FArchives%2FPublic%2Fpublic-privacycg%2F2022May%2F0006..html&data=05%7C01%7Ctim.cappalli%40microsoft.com%7Cff98ac5eeea14faa8f9608da43f546e7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637897018009093866%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Zvz7W7fCEjjC4gXEYqw43xrUyqq9t9FkNGFqcIwWvlk%3D&reserved=0>
The focus of the PrivacyCG is entirely, as one would expect, on privacy principles whereas the FedID CG focuses on maintaining the functionality of federation in a privacy-focused world. Somewhat different priorities that allow for different directions as ideas are incubated.

My question to the FedID CG is whether anyone thinks that FPS has sufficient utility that it helps solve for their federation use cases? I know some people/orgs have said no, because their orgs have too many domains to fit into a FPS. I also know that the FedCM API, which is our CGs work product, assumes the existence of FPS and expects to serve as the fallback mechanism if FPS doesnt apply.

As is somewhat acknowledged toward the end of the email linked above re: WebKits take on FPS, FPS is a completely unworkable and inapplicable solution for doing federated single sign-on in the multilateral federation space. From that perspective, FPS does not help with any of my federation use cases.

Best,

Nicole


All feedback is welcome!

Error! Filename not specified.
Heather Flanagan
Spherical Cow Consulting
Error! Filename not specified.<https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Flinkedin.com%2Fin%2Fhlflanagan%2F&data=05%7C01%7Ctim.cappalli%40microsoft.com%7Cff98ac5eeea14faa8f9608da43f546e7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637897018009093866%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=bJws5leI3gFwRSQA4YnBtzDJaWl2eNq8pITnAudYybI%3D&reserved=0>
Error! Filename not specified.<https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftwitter.com%2Fsphcow&data=05%7C01%7Ctim.cappalli%40microsoft.com%7Cff98ac5eeea14faa8f9608da43f546e7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637897018009093866%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Ihj95YEWCwqdYkxLdLzPnA%2BN4Cj8h5MoN4ixn%2BZbDQ4%3D&reserved=0>



Error! Filename not specified.

Translator of Geek to Human
Error! Filename not specified.

hlf@sphericalcowconsulting.com<mailto:hlf@sphericalcowconsulting.com>








CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.


--



Brian May
Principal Engineer
P: (848) 272-1164
This email and any attachments are confidential and may also be privileged. If you are not the named recipient, please notify the sender immediately and do not disclose, use, store or copy the information contained herein. This is an email from 51Degrees.mobi Limited, Davidson House, Forbury Square, Reading, RG1 3EU. T: +44 118 328 7152; E: info@51degrees.com; 51Degrees.mobi Limited t/as 51Degrees.

Received on Wednesday, 1 June 2022 18:03:43 UTC