[w3ctag/design-reviews] Delegation-oriented FedCM (Issue #1039)

Hello, TAG!

I'm requesting an early TAG design review of the Delegation-oriented FedCM.

An extension to FedCM to allow Social login on the Web without phone-homing the Identity Provider. 

  - Explainer¹: [here](https://github.com/w3c-fedid/FedCM/issues/677#issuecomment-2594192449)
  - User research: TBD
  - Security and Privacy self-review²: TBD
  - GitHub repo: [here](https://github.com/w3c-fedid/FedCM/issues/677#issuecomment-2594192449)
  - Primary contacts:
      - @samuelgoto
  - Organization/project driving the design: Google
  - Multi-stakeholder feedback³:
    - Chromium comments: [intent to prototype](https://groups.google.com/a/chromium.org/g/blink-dev/c/rwu9wFl0mF4/m/MWYK64jgBQAJ?e=48417069)
    - Mozilla comments: We believe this addresses part of the original feedback we got for FedCM from Mozilla [here](https://github.com/mozilla/standards-positions/issues/618#issuecomment-1221964677): "We ultimately want to be able to offer options where IdPs are not in a position to track users through their use of identity information. The current design always involves notifying the IdP of all login attempts. This has a number of advantages from a security perspective. The IdP is able to audit logins and present users with information about their activities. Also, the IdP is in a better position to block access to identity information for bad RPs. Ultimately, we would like to be able to offer users at least the option of a more private choice here, but we recognize the practical security benefits of the current design."
    - WebKit comments: TBD

Further details:

  - [x] I have reviewed the TAG's [Web Platform Design Principles](https://www.w3.org/TR/design-principles/)
  - The group where the incubation/design work on this is being done (or is intended to be done in the future): [FedID CG](https://www.w3.org/community/fed-id/)
  - The group where standardization of this work is intended to be done ("unknown" if not known): [FedID WG](https://www.w3.org/groups/wg/fedid/)
  - Existing major pieces of multi-implementer review or discussion of this design:
  - Major unresolved issues with or opposition to this design:
  - This work is being funded by:

You should also know that...

This is very early and we are looking for directional guidance.



Received on Thursday, 16 January 2025 00:58:24 UTC