- From: Tamir Israel <tisrael@cippic.ca>
- Date: Wed, 13 Jun 2012 10:35:33 -0400
- To: ifette@google.com
- CC: "public-tracking@w3.org Group WG" <public-tracking@w3.org>
- Message-ID: <4FD8A535.3090804@cippic.ca>
Hi Ian,

I think you're flagging a valid issue. My concern is the cross-over between OpenID type authentication and Facebook type 'authentication'.

Best,
Tamir

On 6/13/2012 10:28 AM, Ian Fette (イアンフェッティ) wrote:
> Tamir,
>
> three questions.
>
> 1. Would you at least agree that during the sign-in flow, the identity provider is a first party?
> 2. Is the part you disagree with the issue of whether the identity provider remains a first party _after_ the login flow is completed?
> 3. When the user comes back to the site, if the site redirects the user through the identity provider for re-authentication, do you agree that the identity provider is a first party for the authentication flow again on subsequent visits?
>
> On Wed, Jun 13, 2012 at 7:24 AM, Tamir Israel <tisrael@cippic.ca <mailto:tisrael@cippic.ca>> wrote:
>
>> Hi Ian,
>>
>> I'm not certain this is as clear as you imply. The entire concept of a federated identity system, for example, is to segregate the identity provider from any processing tasks beyond identity authentication. I would not expect an OpenID identity provider, for example, to suddenly become a 1st party simply because I used it to sign in. The role of that provider should be completed once my identity has been authenticated.
>>
>> Best,
>> Tamir
>>
>>
>> On 6/13/2012 10:13 AM, Ian Fette (イアンフェッティ) wrote:
>>
>>> This email is intended to satisfy ACTION-187 and ISSUE-99
>>>
>>> I propose adding to the compliance spec the following:
>>>
>>> "If a site offers users the choice to log in with an identity provider, via means such as OpenID, OAuth, or other conceptually similar mechanisms, the identity provider is considered a first party for the current transactions and subsequent transactions for which the user remains authenticated to the site via the identity provider."
>>>
>>> Clearly when the user is logging in, there is a meaningful interaction with what was previously a third party widget, thus promoting it to a first party. If all that's being provided is a userid, then the interaction is basically over at that point. If more info is being provided from the user's account (such as a friend list, a chat widget, or whatever), I think one could still assume that the user made a meaningful interaction with that party and thus the party is still a first party.
>>>
>>> -Ian
>
Received on Wednesday, 13 June 2012 14:36:11 UTC