- From: Tamir Israel <tisrael@cippic.ca>
- Date: Thu, 14 Jun 2012 09:35:26 -0400
- To: JC Cannon <jccannon@microsoft.com>
- CC: "ifette@google.com" <ifette@google.com>, "public-tracking@w3.org Group WG" <public-tracking@w3.org>
- Message-ID: <4FD9E89E.3000900@cippic.ca>
Ok. Could/should some of this fall under Jonathan's outsourcing scenario? /3.3.2.3 Outsourcing A first party MAY outsource website functionality to a third party, in which case the third party may act as the first party under this standard with the following additional restrictions./ With accompanying conditions? On 6/13/2012 10:29 AM, JC Cannon wrote: > There may be cases where the identity provider supplies ongoing profile or configuration information on behalf of the user. > > JC > > -----Original Message----- > From: Tamir Israel [mailto:tisrael@cippic.ca] > Sent: Wednesday, June 13, 2012 7:25 AM > To:ifette@google.com > Cc:public-tracking@w3.org Group WG > Subject: Re: Identity providers as first parties > > Hi Ian, > > I'm not certain this is as clear as you imply. The entire concept of a federated identity system, for example, is to segregate the identity provider from any processing tasks beyond identity authentication. I would not expect an OpenID identity provider, for example, to suddenly become a 1st party simply because I used it to sign in). The role of that provider should be completed once my identity has been authenticated. > > Best, > Tamir > > On 6/13/2012 10:13 AM, Ian Fette (ã,¤ã,¢ãf³ãf.ã,§ãffãf+ã,£) wrote: >> This email is intended to satisfy ACTION-187 and ISSUE-99 >> >> I propose adding to the compliance spec the following: >> >> "If a site offers users the choice to log in with an identity >> provider, via means such as OpenID, OAuth, or other conceptually >> similar mechanisms, the identity provider is considered a first party >> for the current transactions and subsequent transactions for which the >> user remains authenticated to the site via the identity provider." >> >> Clearly when the user is logging in, there is a meaningful interaction >> with what was previously a third party widget, thus promoting it to a >> first party. If all that's being provided is a userid, then the >> interaction is basically over at that point. If more info is being >> provided from the user's account (such as a friend list, a chat >> widget, or whatever), I think one could still assume that the user >> made a meaningful interaction with that party and thus the party is >> still a first party. >> >> -Ian
Received on Thursday, 14 June 2012 13:36:10 UTC