- From: Heather Flanagan <hlf@sphericalcowconsulting.com>
- Date: Mon, 6 Mar 2023 08:59:30 -0800
- To: Martin Thomson <mt@mozilla.com>
- Cc: public-fed-id@w3.org
- Message-ID: <7d2543f9-6bcb-4c89-a28a-ec25e4f66fc8@Spark>
Hi Martin, Thanks for requesting clarification! This group was inspired to meet so they could come up with proposals that would both resolve the initial problem statement, that hidden tracking on the web needs to be addressed and prevented, while still allow existing protocols (OIDC and SAML) to function without interruption. Day one of the meeting mostly focused on how federation works in the research and education space, where multilateral federation (as opposed to bilateral or one-to-one federation) is most common. The resulting proposals allow the browser to classify an exchange between an RP and an IdP as a legitimate federated login flow without interrupting the protocols and without requiring any one party to a federated authentication flow be fully trusted. That’s the idea, at least; whether the idea will survive broader discussion is the open question. Not sure if that helps? If not, will you be available of the Pacific fed id cg call next week so we can figure out what needs to be added to the issues for clarification? Heather Flanagan Principal, Spherical Cow Consulting hlf@sphericalcowconsulting.com sphericalcowconsulting.com the-writers-comfort-zone.community hlflanagan sphericalcowconsulting twcz_community On Mar 2, 2023 at 3:40 PM -0800, Martin Thomson <mt@mozilla.com>, wrote: > Hi Heather, > > Thanks for floating these ideas. After first seeing these proposals, I had a very hard time understanding what it was that browsers were being requested to do and (more importantly) why. I've since spoken with Cameron about them and now have a slightly better idea, but I still think that the issues could be improved. Could I request that someone take another attempt to lay out the problems these proposals aim to solve and what is being asked of the browser? > > Note that details of DOM APIs tend not to be helpful here, as the precise spelling can be a distraction. It would be better to lay out what information the browser would hold, how it would be protected, who can access it, etc.... > > > On Fri, Mar 3, 2023 at 4:52 AM Heather Flanagan <hlf@sphericalcowconsulting.com> wrote: > > > Hello all, > > > > > > For those of you on the #federation slack channel, you’ll have seen a couple of additions to the Proposals repository in GitHub. These have come out of the two-day face-to-face meeting of research and education (R&E) community members as well as members from the Google Chrome team and the Mozilla Firefox team. > > > > > > There’s a lot to absorb in those proposals. Which brings me to your homework. Please review both proposals, holding comments until you’ve read through them both, as concerns you have with one may be addressed in the other. I am canceling the March 6th call so you have time to review the proposals and think about them. Our next Atlantic call (which generally has the highest participation rate) is March 20th; we will start digging into the proposals and your comments at that time. Kris, Tim, and I will decide what to do with the March 13th (Pacific) call next week. > > > > > > So, expect some updates from the w3.org calendar shortly, and please let me know if you have any questions! > > > > > > Heather Flanagan > > > Principal, Spherical Cow Consulting > > > hlf@sphericalcowconsulting.com > > > sphericalcowconsulting.com > > > the-writers-comfort-zone.community > > > hlflanagan > > > sphericalcowconsulting > > > twcz_community > > >
Received on Monday, 6 March 2023 16:59:50 UTC