Re: Question to the FedID CG re: FPS

On Wed, Jun 1, 2022 at 11:44 AM Tim Cappalli <Tim.Cappalli@microsoft.com>
wrote:

> Sam – those examples would be considered Same-Party Federation.
>

Ah, yeah, fair, that would fit in the definition of Same-Party Federation.

I guess what I was trying to outline / ask was that, Same-Party Federation
is often part-of / important-for Third-Party Federation.


>
>
> *From: *Sam Goto <goto@google.com>
> *Date: *Wednesday, June 1, 2022 at 14:30
> *To: *Nicole Roy <nroy@internet2.edu>
> *Cc: *James Rosewell <james@51degrees.com>, Tim Cappalli <
> Tim.Cappalli@microsoft.com>, Brian May <bmay@dstillery.com>, Brian
> Campbell <bcampbell@pingidentity.com>, Heather Flanagan <
> hlf@sphericalcowconsulting.com>, public-fed-id@w3.org <
> public-fed-id@w3.org>
> *Subject: *Re: Question to the FedID CG re: FPS
>
> The Same-Party vs Third-Party separation is a really important one, and
> one that has been key to us too.
>
>
>
> I do think that, however, even within Third-Party federations, FPS would
> play a massive role. For example, I heard multiple times as I chatted with
> you all, that there is a good amount of top-level navigation/redirects
> within the same "party" as it enables Third-Party federations: Tim, didn't
> I hear from you something along the lines of microsoftonline.com
> -> live.com -> microsoft.com?
>
> On Wed, Jun 1, 2022 at 11:23 AM Nicole Roy <nroy@internet2.edu> wrote:
>
> This is good to see. From reading your comment at the top of that PR, at
> face-value, it does seem to address “Third-Party Federation” use cases as
> termed by Tim. The devil is in the details.
>
>
>
> Best,
>
>
>
> Nicole
>
>
>
> On Jun 1, 2022, at 12:03 PM, James Rosewell <james@51degrees.com> wrote:
>
>
>
> FYI GDPR Validated Sets proposal uses data protection law to address both
> scenarios and would work well for FedID. PR to modify FPS to GVS is here
> <https://github.com/privacycg/first-party-sets/pull/86>.
>
>
>
> Google are bound by their CMA commitments to work in all matters privacy
> to GDPR so presumably support GVS even if they’re yet to say so.
>
>
>
> *From:* Tim Cappalli <Tim.Cappalli@microsoft.com>
> *Sent:* 01 June 2022 18:53
> *To:* Brian May <bmay@dstillery.com>; Brian Campbell <
> bcampbell@pingidentity.com>
> *Cc:* Nicole Roy <nroy@internet2.edu>; Heather Flanagan <
> hlf@sphericalcowconsulting.com>; public-fed-id@w3.org
> *Subject:* Re: Question to the FedID CG re: FPS
>
>
>
> At OSW, I proposed two new terms to help with these discussions:
> Same-Party Federation and Third-Party Federation (there is debate over
> these terms, but I stand by them in the context of these browser changes).
>
>
>
> Same Party Federation would be, for example, Google Maps, Gmail, YouTube,
> and Google Sign-In, or Disney, Hulu, ABC, and ESPN.
>
>
>
> FPS will solve many Same Party Federation issues. It will not help with
> Third-Party Federation (unless things like CNAMEs are used).
>
> tim
>
>
>
> *From: *Brian May <bmay@dstillery.com>
> *Date: *Wednesday, June 1, 2022 at 13:36
> *To: *Brian Campbell <bcampbell@pingidentity.com>
> *Cc: *Nicole Roy <nroy@internet2.edu>, Heather Flanagan <
> hlf@sphericalcowconsulting.com>, public-fed-id@w3.org<public-fed-id@w3.org
> >
> *Subject: *Re: Question to the FedID CG re: FPS
>
> For anyone not in the Slack channel, Tim Cappalli also posted this article
> <https://www.ghacks.net/2022/05/23/brave-joins-mozilla-in-declaring-googles-first-party-sets-feature-harmful-to-privacy/> in
> which Brave describes FPS as harmful to privacy.
>
>
>
> My general sense from across the groups I participate in is that FPS, as
> currently conceived, won't be supported as a standard. Given that, I think
> the question is whether there would be sufficient availability for it to be
> a viable dependency and I think the answer is no.
>
>
>
> I also think, given my understanding of the Federated Identity use-case
> (which admittedly isn't deep) that FPS provides much more leeway than is
> necessary and that a specifically tailored solution would be more
> appropriate and easier to get accepted by browser vendors.
>
>
>
> On Wed, Jun 1, 2022 at 12:48 PM Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
> Likewise, FPS does not help with any of my federation use cases.
>
>
>
> On Tue, May 31, 2022 at 12:29 PM Nicole Roy <nroy@internet2.edu> wrote:
>
>
>
>
>
> On May 30, 2022, at 7:00 AM, Heather Flanagan <
> hlf@sphericalcowconsulting.com> wrote:
>
>
>
> Hello FedID CG members,
>
> I’d like to bring your attention to a couple of discussions happening over
> in the PrivacyCG regarding the First Party Sets (FPS) proposal.
>
>    - Move FPS to different CG/WG (see Issue #88
>    <https://github.com/privacycg/first-party-sets/issues/88> and
>    26 May 2022 meeting notes)
>    - Apple WebKit's feedback on the First Party Sets proposal
>    <https://lists.w3.org/Archives/Public/public-privacycg/2022May/0006..html>
>
> The focus of the PrivacyCG is entirely, as one would expect, on privacy
> principles whereas the FedID CG focuses on maintaining the functionality of
> federation in a privacy-focused world. Somewhat different priorities that
> allow for different directions as ideas are incubated.
>
> My question to the FedID CG is whether anyone thinks that FPS has
> sufficient utility that it helps solve for their federation use cases? I
> know some people/orgs have said no, because their orgs have too many
> domains to fit into a FPS. I also know that the FedCM API, which is our
> CG’s work product, assumes the existence of FPS and expects to serve as the
> fallback mechanism if FPS doesn’t apply.
>
>
>
> As is somewhat acknowledged toward the end of the email linked above re:
> WebKit’s take on FPS, FPS is a completely unworkable and inapplicable
> solution for doing federated single sign-on in the multilateral federation
> space. From that perspective, FPS does not help with any of my federation
> use cases.
>
>
>
> Best,
>
>
>
> Nicole
>
>
>
>
> All feedback is welcome!
>
>
> *Heather Flanagan*
> Spherical Cow Consulting
> Translator of Geek to Human
> hlf@sphericalcowconsulting.com
>
> --
>
>
>
> *Brian May*
>
>
> *Principal Engineer *P: (848) 272-1164
>

Received on Wednesday, 1 June 2022 18:55:27 UTC