Re: Question to the FedID CG re: FPS

I just thought of a problem with the GVS proposal. EV certificates are notoriously hard to procure, especially when compared to something like ACME. Many research communities are *not* legally-official entities, and therefore cannot meet the requirements imposed by the CA/Browser Forum for the issuance of EV certs, and even if they could, most likely wouldn’t pursue EV certificates because they are so difficult to obtain and keep renewed. That entire mechanism is also needlessly duplicative of trust practices which are articulated by well-established and enormous trust communities like the R&E federation space (see: https://met.refeds.org/ <https://met.refeds.org/>)

Nicole

> On Jun 1, 2022, at 12:22 PM, Nicole Roy <nroy@internet2.edu> wrote:
> 
> This is good to see. From reading your comment at the top of that PR, at face-value, it does seem to address “Third-Party Federation” use cases as termed by Tim. The devil is in the details.
> 
> Best,
> 
> Nicole
> 
>> On Jun 1, 2022, at 12:03 PM, James Rosewell <james@51degrees.com <mailto:james@51degrees.com>> wrote:
>> 
>> FYI GDPR Validated Sets proposal uses data protection law to address both scenarios and would work well for FedID. PR to modify FPS to GVS is here <https://github.com/privacycg/first-party-sets/pull/86>.
>> 
>> Google are bound by their CMA commitments to work in all matters privacy to GDPR so presumably support GVS even if they’re yet to say so.
>> 
>> From: Tim Cappalli <Tim.Cappalli@microsoft.com <mailto:Tim.Cappalli@microsoft.com>>
>> Sent: 01 June 2022 18:53
>> To: Brian May <bmay@dstillery.com <mailto:bmay@dstillery.com>>; Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>>
>> Cc: Nicole Roy <nroy@internet2.edu <mailto:nroy@internet2.edu>>; Heather Flanagan <hlf@sphericalcowconsulting.com <mailto:hlf@sphericalcowconsulting.com>>; public-fed-id@w3.org <mailto:public-fed-id@w3.org>
>> Subject: Re: Question to the FedID CG re: FPS
>> 
>> At OSW, I proposed two new terms to help with these discussions: Same-Party Federation and Third-Party Federation (there is debate over these terms, but I stand by them in the context of these browser changes).
>> 
>> Same Party Federation would be, for example, Google Maps, Gmail, YouTube, and Google Sign-In, or Disney, Hulu, ABC, and ESPN.
>> 
>> FPS will solve many Same Party Federation issues. It will not help with Third-Party Federation (unless things like CNAMEs are used).
>> 
>> 
>> <image001.png>
>> 
>> 
>> tim
>> 
>> From: Brian May <bmay@dstillery.com <mailto:bmay@dstillery.com>>
>> Date: Wednesday, June 1, 2022 at 13:36
>> To: Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>>
>> Cc: Nicole Roy <nroy@internet2.edu <mailto:nroy@internet2.edu>>, Heather Flanagan <hlf@sphericalcowconsulting.com <mailto:hlf@sphericalcowconsulting.com>>, public-fed-id@w3.org <mailto:public-fed-id@w3.org><public-fed-id@w3.org <mailto:public-fed-id@w3.org>>
>> Subject: Re: Question to the FedID CG re: FPS
>> 
>> For anyone not in the Slack channel, Tim Cappalli also posted this article <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ghacks.net%2F2022%2F05%2F23%2Fbrave-joins-mozilla-in-declaring-googles-first-party-sets-feature-harmful-to-privacy%2F&data=05%7C01%7Ctim.cappalli%40microsoft.com%7Cff98ac5eeea14faa8f9608da43f546e7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637897018009093866%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2Fk6p9biX6v86h1axYFwcm7Go1hHrNhIpXS3MTeUMLkY%3D&reserved=0> in which Brave describes FPS as harmful to privacy.
>> 
>> My general sense from across the groups I participate in is that FSP, as currently conceived, won't be supported as a standard. Given that, I think the question is whether there would be sufficient availability for it to be a viable dependency and I think the answer is no.
>> 
>> I also think, given my understanding of the Federated Identity use-case (which admittedly isn't deep) that FPS provides much more leeway than is necessary and that a specifically tailored solution would be more appropriate and easier to get accepted by browser vendors.
>> 
>> On Wed, Jun 1, 2022 at 12:48 PM Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>> wrote:
>> Likewise, FPS does not help with any of my federation use cases.
>> 
>> On Tue, May 31, 2022 at 12:29 PM Nicole Roy <nroy@internet2.edu <mailto:nroy@internet2.edu>> wrote:
>> 
>> 
>> 
>> On May 30, 2022, at 7:00 AM, Heather Flanagan <hlf@sphericalcowconsulting.com <mailto:hlf@sphericalcowconsulting.com>> wrote:
>> 
>> Hello FedID CG members,
>> 
>> I’d like to bring your attention to a couple of discussions happening over in the PrivacyCG regarding the First Party Sets (FPS) proposal.
>> Move FPS to different CG/WG (see Issue #88 <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fprivacycg%2Ffirst-party-sets%2Fissues%2F88&data=05%7C01%7Ctim.cappalli%40microsoft.com%7Cff98ac5eeea14faa8f9608da43f546e7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637897018009093866%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=6fzGfkT6sGnDqqDSGSRYahXtTeldgPVZN7vHHpWMYwU%3D&reserved=0> and 26 May 2022 meeting notes)
>> Apple WebKit's feedback on the First Party Sets proposal <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.w3.org%2FArchives%2FPublic%2Fpublic-privacycg%2F2022May%2F0006..html&data=05%7C01%7Ctim.cappalli%40microsoft.com%7Cff98ac5eeea14faa8f9608da43f546e7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637897018009093866%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Zvz7W7fCEjjC4gXEYqw43xrUyqq9t9FkNGFqcIwWvlk%3D&reserved=0>
>> The focus of the PrivacyCG is entirely, as one would expect, on privacy principles whereas the FedID CG focuses on maintaining the functionality of federation in a privacy-focused world. Somewhat different priorities that allow for different directions as ideas are incubated.
>> 
>> My question to the FedID CG is whether anyone thinks that FPS has sufficient utility that it helps solve for their federation use cases? I know some people/orgs have said no, because their orgs have too many domains to fit into a FPS. I also know that the FedCM API, which is our CG’s work product, assumes the existence of FPS and expects to serve as the fallback mechanism if FPS doesn’t apply.
>> 
>> As is somewhat acknowledged toward the end of the email linked above re: WebKit’s take on FPS, FPS is a completely unworkable and inapplicable solution for doing federated single sign-on in the multilateral federation space. From that perspective, FPS does not help with any of my federation use cases.
>> 
>> Best,
>> 
>> Nicole
>> 
>> 
>> 
>> All feedback is welcome!
>> 
>> Error! Filename not specified.
>> Heather Flanagan
>> Spherical Cow Consulting
>> Error! Filename not specified. <https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Flinkedin.com%2Fin%2Fhlflanagan%2F&data=05%7C01%7Ctim.cappalli%40microsoft.com%7Cff98ac5eeea14faa8f9608da43f546e7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637897018009093866%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=bJws5leI3gFwRSQA4YnBtzDJaWl2eNq8pITnAudYybI%3D&reserved=0>
>> Error! Filename not specified. <https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftwitter.com%2Fsphcow&data=05%7C01%7Ctim.cappalli%40microsoft.com%7Cff98ac5eeea14faa8f9608da43f546e7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637897018009093866%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Ihj95YEWCwqdYkxLdLzPnA%2BN4Cj8h5MoN4ixn%2BZbDQ4%3D&reserved=0>
>> 
>> 
>> 
>> Error! Filename not specified.
>> 
>> Translator of Geek to Human
>> Error! Filename not specified.
>> 
>> hlf@sphericalcowconsulting.com <mailto:hlf@sphericalcowconsulting.com>
>> 
>> 
>> 
>> ‌
>> 
>> 
>> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.
>> 
>> 
>> --
>> 
>> 
>> Brian May
>> Principal Engineer
>> P: (848) 272-1164
>> This email and any attachments are confidential and may also be privileged. If you are not the named recipient, please notify the sender immediately and do not disclose, use, store or copy the information contained herein. This is an email from 51Degrees.mobi Limited, Davidson House, Forbury Square, Reading, RG1 3EU. T: +44 118 328 7152; E: info@51degrees.com <mailto:info@51degrees.com>; 51Degrees.mobi Limited t/as 51Degrees.
>