W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2015

Re: Coming back to CREDENTIAL.

From: Dave Longley <dlongley@digitalbazaar.com>
Date: Mon, 17 Aug 2015 12:55:30 -0400
Message-ID: <55D21202.2010507@digitalbazaar.com>
To: Adrian Hope-Bailie <adrian@hopebailie.com>, Mike West <mkwst@google.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>, Manu Sporny <msporny@digitalbazaar.com>, Brad Hill <hillbrad@gmail.com>, timeless <timeless@gmail.com>
On 07/31/2015 06:35 AM, Adrian Hope-Bailie wrote:
> Question 1: Origin bound federated credentials
> The fundamental question here is whether these credentials should be
>  origin-bound. In my opinion making them so renders this part of the
> spec fairly pointless because I still need to login (using my
> federated credential) on each relying-party site and only then can
> the RP site store the federated credential (or at least link it to
> the new origin that it is now useful for).
> Suggestion:
> When a user establishes a session at an identity provider that
> identity provider already has knowledge of which RP sites the user
> has authorised with the IdP. So when the IdP stores the federated
> credential why can't it also specify the origins that the credential
> is valid for? This could even be a user-mediated step.

One problem with this is that it would further build tracking into the
Web where it can easily be avoided. In this scenario, the IdP has full
knowledge of every site you're logging into; there's no privacy.

In the Credentials CG work, we've tried to take a different direction,
turning the browser into a blinding agent. If the user so desires, their
browser can obscure the sites they are presenting their credentials to
from their IdP. In other words, your IdP doesn't have to know which
sites you're logging into and federated login still works just fine.

I'd prefer we take this privacy-enhancing approach vs. further enabling
super providers to track every website a user logs into by mere virtue
of the protocols or standards involved.

Dave Longley
Digital Bazaar, Inc.
Received on Monday, 17 August 2015 16:55:55 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:50 UTC