RE: Identity providers as first parties from JC Cannon on 2012-06-14 (public-tracking@w3.org from June 2012)

From: JC Cannon <jccannon@microsoft.com>
Date: Thu, 14 Jun 2012 15:36:06 +0000
To: Tamir Israel <tisrael@cippic.ca>
CC: "ifette@google.com" <ifette@google.com>, "public-tracking@w3.org Group WG" <public-tracking@w3.org>
Message-ID: <BB17D596C94A854E9EE4171D33BBCC81B345B1@TK5EX14MBXC125.redmond.corp.microsoft.co>

No, that’s a different scenario. The identity provider is supplying the first-party site information on behalf of the user to simplify transfer of data.

JC

From: Tamir Israel [mailto:tisrael@cippic.ca]
Sent: Thursday, June 14, 2012 6:35 AM
To: JC Cannon
Cc: ifette@google.com; public-tracking@w3.org Group WG
Subject: Re: Identity providers as first parties

Ok.

Could/should some of this fall under Jonathan's outsourcing scenario?

3.3.2.3 Outsourcing
A first party MAY outsource website functionality to a third party, in which case the third party may act as the first party under this standard with the following additional restrictions.

With accompanying conditions?

On 6/13/2012 10:29 AM, JC Cannon wrote:

There may be cases where the identity provider supplies ongoing profile or configuration information on behalf of the user.

JC

-----Original Message-----

From: Tamir Israel [mailto:tisrael@cippic.ca]

Sent: Wednesday, June 13, 2012 7:25 AM

To: ifette@google.com<mailto:ifette@google.com>

Cc: public-tracking@w3.org<mailto:public-tracking@w3.org> Group WG

Subject: Re: Identity providers as first parties

Hi Ian,

I'm not certain this is as clear as you imply. The entire concept of a federated identity system, for example, is to segregate the identity provider from any processing tasks beyond identity authentication. I would not expect an OpenID identity provider, for example, to suddenly become a 1st party simply because I used it to sign in). The role of that provider should be completed once my identity has been authenticated.

Best,

Tamir

On 6/13/2012 10:13 AM, Ian Fette (ã‚¤ã‚¢ãƒ³ãƒ•ã‚§ãƒƒãƒ†ã‚£) wrote:

This email is intended to satisfy ACTION-187 and ISSUE-99

I propose adding to the compliance spec the following:

"If a site offers users the choice to log in with an identity

provider, via means such as OpenID, OAuth, or other conceptually

similar mechanisms, the identity provider is considered a first party

for the current transactions and subsequent transactions for which the

user remains authenticated to the site via the identity provider."

Clearly when the user is logging in, there is a meaningful interaction

with what was previously a third party widget, thus promoting it to a

first party. If all that's being provided is a userid, then the

interaction is basically over at that point. If more info is being

provided from the user's account (such as a friend list, a chat

widget, or whatever), I think one could still assume that the user

made a meaningful interaction with that party and thus the party is

still a first party.

-Ian

Received on Thursday, 14 June 2012 15:37:06 UTC