- From: Sam Goto <goto@google.com>
- Date: Wed, 1 Jun 2022 11:30:16 -0700
- To: Nicole Roy <nroy@internet2.edu>
- Cc: James Rosewell <james@51degrees.com>, Tim Cappalli <Tim.Cappalli@microsoft.com>, Brian May <bmay@dstillery.com>, Brian Campbell <bcampbell@pingidentity.com>, Heather Flanagan <hlf@sphericalcowconsulting.com>, "public-fed-id@w3.org" <public-fed-id@w3.org>
- Message-ID: <CAMtUnc7YoW7Czr7V+0zfGbve=tNkXzCQ3MBHRPXcDMNyy2vtVA@mail.gmail.com>
The Same-Party vs Third-Party separation is a really important one, and one that has been key to us too. I do think that, however, even within Third-Party federations, FPS would play a massive role. For example, I heard multiple times as I chatted with you all, that there is a good amount of top-level navigation/redirects within the same "party" as it enables Third-Party federations: Tim, didn't I hear from you something along the lines of microsoftonline.com -> live.com -> microsoft.com?

On Wed, Jun 1, 2022 at 11:23 AM Nicole Roy <nroy@internet2.edu> wrote:

> This is good to see. From reading your comment at the top of that PR, at face-value, it does seem to address “Third-Party Federation” use cases as termed by Tim. The devil is in the details.
>
> Best,
>
> Nicole
>
> On Jun 1, 2022, at 12:03 PM, James Rosewell <james@51degrees.com> wrote:
>
> FYI GDPR Validated Sets proposal uses data protection law to address both scenarios and would work well for FedID. PR to modify FPS to GVS is here <https://github.com/privacycg/first-party-sets/pull/86>.
>
> Google are bound by their CMA commitments to work in all matters privacy to GDPR so presumably support GVS even if they’re yet to say so.
>
> *From:* Tim Cappalli <Tim.Cappalli@microsoft.com>
> *Sent:* 01 June 2022 18:53
> *To:* Brian May <bmay@dstillery.com>; Brian Campbell <bcampbell@pingidentity.com>
> *Cc:* Nicole Roy <nroy@internet2.edu>; Heather Flanagan <hlf@sphericalcowconsulting.com>; public-fed-id@w3.org
> *Subject:* Re: Question to the FedID CG re: FPS
>
> At OSW, I proposed two new terms to help with these discussions: Same-Party Federation and Third-Party Federation (there is debate over these terms, but I stand by them in the context of these browser changes).
>
> Same Party Federation would be, for example, Google Maps, Gmail, YouTube, and Google Sign-In, or Disney, Hulu, ABC, and ESPN.
>
> FPS will solve many Same Party Federation issues.
> It will not help with Third-Party Federation (unless things like CNAMEs are used).
>
> tim
>
> *From:* Brian May <bmay@dstillery.com>
> *Date:* Wednesday, June 1, 2022 at 13:36
> *To:* Brian Campbell <bcampbell@pingidentity.com>
> *Cc:* Nicole Roy <nroy@internet2.edu>, Heather Flanagan <hlf@sphericalcowconsulting.com>, public-fed-id@w3.org <public-fed-id@w3.org>
> *Subject:* Re: Question to the FedID CG re: FPS
>
> For anyone not in the Slack channel, Tim Cappalli also posted this article <https://www.ghacks.net/2022/05/23/brave-joins-mozilla-in-declaring-googles-first-party-sets-feature-harmful-to-privacy/> in which Brave describes FPS as harmful to privacy.
>
> My general sense from across the groups I participate in is that FPS, as currently conceived, won't be supported as a standard. Given that, I think the question is whether there would be sufficient availability for it to be a viable dependency and I think the answer is no.
>
> I also think, given my understanding of the Federated Identity use-case (which admittedly isn't deep) that FPS provides much more leeway than is necessary and that a specifically tailored solution would be more appropriate and easier to get accepted by browser vendors.
>
> On Wed, Jun 1, 2022 at 12:48 PM Brian Campbell <bcampbell@pingidentity.com> wrote:
>
> Likewise, FPS does not help with any of my federation use cases.
>
> On Tue, May 31, 2022 at 12:29 PM Nicole Roy <nroy@internet2.edu> wrote:
>
> On May 30, 2022, at 7:00 AM, Heather Flanagan <hlf@sphericalcowconsulting.com> wrote:
>
> Hello FedID CG members,
>
> I’d like to bring your attention to a couple of discussions happening over in the PrivacyCG regarding the First Party Sets (FPS) proposal.
>
> - Move FPS to different CG/WG (see Issue #88 <https://github.com/privacycg/first-party-sets/issues/88> and 26 May 2022 meeting notes)
> - Apple WebKit's feedback on the First Party Sets proposal <https://lists.w3.org/Archives/Public/public-privacycg/2022May/0006..html>
>
> The focus of the PrivacyCG is entirely, as one would expect, on privacy principles whereas the FedID CG focuses on maintaining the functionality of federation in a privacy-focused world. Somewhat different priorities that allow for different directions as ideas are incubated.
>
> My question to the FedID CG is whether anyone thinks that FPS has sufficient utility that it helps solve for their federation use cases? I know some people/orgs have said no, because their orgs have too many domains to fit into a FPS.
> I also know that the FedCM API, which is our CG’s work product, assumes the existence of FPS and expects to serve as the fallback mechanism if FPS doesn’t apply.
>
> As is somewhat acknowledged toward the end of the email linked above re: WebKit’s take on FPS, FPS is a completely unworkable and inapplicable solution for doing federated single sign-on in the multilateral federation space. From that perspective, FPS does not help with any of my federation use cases.
>
> Best,
>
> Nicole
>
> All feedback is welcome!
>
> *Heather Flanagan*
> Spherical Cow Consulting
> <http://linkedin.com/in/hlflanagan/>
> <http://twitter.com/sphcow>
> Translator of Geek to Human
> hlf@sphericalcowconsulting.com
>
> --
> *Brian May*
> *Principal Engineer*
> P: (848) 272-1164
Received on Wednesday, 1 June 2022 18:30:41 UTC