- From: Dave Longley <dlongley@digitalbazaar.com>
- Date: Mon, 17 Aug 2015 12:55:30 -0400
- To: Adrian Hope-Bailie <adrian@hopebailie.com>, Mike West <mkwst@google.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>, Manu Sporny <msporny@digitalbazaar.com>, Brad Hill <hillbrad@gmail.com>, timeless <timeless@gmail.com>

On 07/31/2015 06:35 AM, Adrian Hope-Bailie wrote:
>
> Question 1: Origin bound federated credentials
>
> The fundamental question here is whether these credentials should be
> origin-bound. In my opinion making them so renders this part of the
> spec fairly pointless because I still need to login (using my
> federated credential) on each relying-party site and only then can
> the RP site store the federated credential (or at least link it to
> the new origin that it is now useful for).
>
> Suggestion:
>
> When a user establishes a session at an identity provider that
> identity provider already has knowledge of which RP sites the user
> has authorised with the IdP. So when the IdP stores the federated
> credential why can't it also specify the origins that the credential
> is valid for? This could even be a user-mediated step.

One problem with this is that it would further build tracking into the Web where it can easily be avoided. In this scenario, the IdP has full knowledge of every site you're logging into; there's no privacy.

In the Credentials CG work, we've tried to take a different direction, turning the browser into a blinding agent. If the user so desires, their browser can obscure the sites they are presenting their credentials to from their IdP. In other words, your IdP doesn't have to know which sites you're logging into and federated login still works just fine.

I'd prefer we take this privacy-enhancing approach vs. further enabling super providers to track every website a user logs into by mere virtue of the protocols or standards involved.

--
Dave Longley
CTO
Digital Bazaar, Inc.
http://digitalbazaar.com

Received on Monday, 17 August 2015 16:55:55 UTC