RE: Identity providers as first parties

There may be cases where the identity provider supplies ongoing profile or configuration information on behalf of the user.

JC

-----Original Message-----
From: Tamir Israel [mailto:tisrael@cippic.ca] 
Sent: Wednesday, June 13, 2012 7:25 AM
To: ifette@google.com
Cc: public-tracking@w3.org Group WG
Subject: Re: Identity providers as first parties

Hi Ian,

I'm not certain this is as clear as you imply. The entire concept of a federated identity system, for example, is to segregate the identity provider from any processing tasks beyond identity authentication. I would not expect an OpenID identity provider, for example, to suddenly become a 1st party simply because I used it to sign in). The role of that provider should be completed once my identity has been authenticated.

Best,
Tamir

On 6/13/2012 10:13 AM, Ian Fette (イアンフェッティ) wrote:
> This email is intended to satisfy ACTION-187 and ISSUE-99
>
> I propose adding to the compliance spec the following:
>
> "If a site offers users the choice to log in with an identity 
> provider, via means such as OpenID, OAuth, or other conceptually 
> similar mechanisms, the identity provider is considered a first party 
> for the current transactions and subsequent transactions for which the 
> user remains authenticated to the site via the identity provider."
>
> Clearly when the user is logging in, there is a meaningful interaction 
> with what was previously a third party widget, thus promoting it to a 
> first party. If all that's being provided is a userid, then the 
> interaction is basically over at that point. If more info is being 
> provided from the user's account (such as a friend list, a chat 
> widget, or whatever), I think one could still assume that the user 
> made a meaningful interaction with that party and thus the party is 
> still a first party.
>
> -Ian

Received on Wednesday, 13 June 2012 14:30:03 UTC