Re: Identity providers as first parties from Tamir Israel on 2012-06-14 (public-tracking@w3.org from June 2012)

From: Tamir Israel <tisrael@cippic.ca>
Date: Thu, 14 Jun 2012 09:35:26 -0400
To: JC Cannon <jccannon@microsoft.com>
CC: "ifette@google.com" <ifette@google.com>, "public-tracking@w3.org Group WG" <public-tracking@w3.org>
Message-ID: <4FD9E89E.3000900@cippic.ca>

Ok.

Could/should some of this fall under Jonathan's outsourcing scenario?

/3.3.2.3 Outsourcing
A first party MAY outsource website functionality to a third party, in 
which case the third party may act as the first party under this 
standard with the following additional restrictions./

With accompanying conditions?


On 6/13/2012 10:29 AM, JC Cannon wrote:
> There may be cases where the identity provider supplies ongoing profile or configuration information on behalf of the user.
>
> JC
>
> -----Original Message-----
> From: Tamir Israel [mailto:tisrael@cippic.ca]
> Sent: Wednesday, June 13, 2012 7:25 AM
> To:ifette@google.com
> Cc:public-tracking@w3.org  Group WG
> Subject: Re: Identity providers as first parties
>
> Hi Ian,
>
> I'm not certain this is as clear as you imply. The entire concept of a federated identity system, for example, is to segregate the identity provider from any processing tasks beyond identity authentication. I would not expect an OpenID identity provider, for example, to suddenly become a 1st party simply because I used it to sign in). The role of that provider should be completed once my identity has been authenticated.
>
> Best,
> Tamir
>
> On 6/13/2012 10:13 AM, Ian Fette (ã,¤ã,¢ãf³ãf.ã,§ãffãf+ã,£) wrote:
>> This email is intended to satisfy ACTION-187 and ISSUE-99
>>
>> I propose adding to the compliance spec the following:
>>
>> "If a site offers users the choice to log in with an identity
>> provider, via means such as OpenID, OAuth, or other conceptually
>> similar mechanisms, the identity provider is considered a first party
>> for the current transactions and subsequent transactions for which the
>> user remains authenticated to the site via the identity provider."
>>
>> Clearly when the user is logging in, there is a meaningful interaction
>> with what was previously a third party widget, thus promoting it to a
>> first party. If all that's being provided is a userid, then the
>> interaction is basically over at that point. If more info is being
>> provided from the user's account (such as a friend list, a chat
>> widget, or whatever), I think one could still assume that the user
>> made a meaningful interaction with that party and thus the party is
>> still a first party.
>>
>> -Ian

Received on Thursday, 14 June 2012 13:36:10 UTC