security-services message



Subject: Re: [security-services] Official statement to W3C WG about impact on SAML?


I certainly want the SSTC to make some kind of statement.

I am looking at the FedCM website. (https://developer.chrome.com/en/docs/privacy-sandbox/fedcm)

There is a lot of information so it will take time for me to absorb it.

My main goal is to understand the basic issues: What is the new architecture? What problems is it trying to solve? Can an IdP run in mixed mode with some users running SAML 2.0 and others running FedCM? What code changes to an IdP are required to support FedCM? More importantly, what is the operational impact of supporting FedCM?

It appears that at least some of these questions are answered on the web site; I don't know yet.

Perhaps a useful step would be to create a list of principles which should be followed to phase in the new architecture.

We should definitely have the call scheduled for May 9, to discuss this.

Hal


On Thu, Mar 30, 2023 at 11:57 AM Cantor, Scott <cantor.2@osu.edu> wrote:
There have been continued conversations (and one workshop) with some of the players in the browser space that are active in the W3C privacy WG that's proposing various browser changes.

The general status right now is that the main FedCM draft proposal is just an outright break of both SAML and OpenID Connect, with (IMHO) no obvious "tweak" possible to fix it.

A proposal has been formulated for discussion for a lighter-weight consent-oriented proposal in place of the full FedCM work that would be 99% compatible with the existing SSO protocols (a small JavaScript addition to the SP/RP end).

There is some sense that having an official-ish statement from OASIS or at least the SSTC that "hey, SAML is an ISO standard and your proposal breaks it in a way that isn't just easily fixable, a different approach is needed for a number of years if we need to effect a transition away from existing protocols".

Is that something we could consider?

We don't know who else we can come up with that the W3C or this WG might hear.

-- Scott
