From YouTube: OAUTH WG Interim Meeting, 2021-04-19
A
Welcome everyone. This is one more of our interim meetings. So as a reminder, the Note Well applies here, and today Vittorio will entertain us with the identity use cases in browser catalog.
A
As
a
reminder,
we
still
have
two
more
meetings
and
next
week
and
the
week
after
that,
so
that's
all.
I
have
any
comments.
Questions
about
this.
B
Okay, I'm here. Wonderful, thank you. I suddenly felt alone and scared. All right. Welcome everyone to this update on this initiative of browser changes and identity. Here we just wanted to give you an update of what we have done, or what we have not done, in the last six months or so, and so I'm just going to give you a quick recap of what we are doing.
B
I'm
going
to
give
you
a
update
of
what
we
have
done
in
terms
of
documents
and
then
I'll
give
you
a
bit
of
an
outlook
of
what's
being
planned
in
this
area,
not
necessarily
within
itf,
but
in
general,
like
the
entire
archipelago
or
the
things
that
are
happening
in
this
space
and
then
I'll
just
throw
a
couple
of
controversial
points.
So
we
can
have
a
classic
animated
discussion
very
good.
B
So
last
idea
we
had
this
discussion
just
about
informing
the
group
of
what
was
going
on,
and
the
idea
is
brothers
aren't
happy
that
advertisers
track
users
across
the
board,
or
at
least
that's
what
they
maintain
publicly,
and
so
they
are
taking
steps
for
preventing
some
of
the
most
gradual
scenarios
of
tracking
form
occurring,
and
the
idea
is
also
that
they
understand
that
identity
is
a
radical
in
that
context,
and
so
they
are
trying
to
introduce
new
primitives
that
will
somewhat
obviate
for
the
need
for
us
to
use
lower
level
primitives
and
here
pay
attention,
because
this
is
subtle.
B
Let's preserve the scenarios that identity has in the context of the browser, and let's put those in a format so that we can use those scenarios as concrete anchors in the discussion with the browser people, so that they understand the true impact, down to the technical details, of the changes that they are envisioning. That's what we set ourselves up to do. And so, after a super long time trying to figure out RFCs in a markdown format (official thanks to Daniel and Brian and Torsten for their help on that; we have never been able to do anything without them helping), we have a document. Basically you can find this document in the repo, and really it's pretty simple.
B
We just created this high-level framework and we just posted it as a draft, because that's what we do in the IETF. IETF, medicine in the morning. My English co-processor is rusty.
B
That's what we do in this working group, but the actual work is occurring on GitHub. In GitHub we have this description of how to contribute scenarios. We have a scenario template, which is designed to tease out the most relevant factoids about scenarios in the context of working with browser people and the plans they have and similar, and we have a list of issues which represent scenarios that we identified.
B
Initially we just thought, here is a framework and people will propose scenarios. But that did not happen, and so we put together a list of obvious candidates, and then we started assigning those in a manner that I will describe in a second. And so we did this and we placed it on the list. But we heard the crickets.
B
No one really proposed any scenario, despite the poking in various contexts. Now, at the same time, our brethren at the OpenID Foundation started an interest group which had similar goals to the initiative we're doing here, in particular on how to keep the dialogue open with browser vendors and similar. That effort is led by Tim Cappalli, who I believe is also on the line, and there we did make some progress.
B
Let's say that we poked people and we now have some people who got assigned scenarios and wrote some of them also. I have to be fair: someone did answer the call, and in particular Heather helped with the SAML community, and we have a couple of several scenarios in the list as well.
B
Okay, so these assignments didn't occur at random. We prioritized those scenarios in the order in which we expect them to go the way of the dodo. In particular, anything that relies on third-party cookies, such as various flavors of log-out, refresh without refresh tokens and similar, are the ones that are now being worked on, because we expect those to perish first, and so that's what is urgent. We actually need to find a compromise with the browser people. Okay.
B
I occasionally also poke a back channel, but again every time I fail my charisma check, because people don't seem to be jumping on the opportunity. We have various channels open with browser vendors, and when I say various I mean one, which is Sam Goto from the Chrome team, who's been wonderfully open to discussing things with us. In fact I know many in this group also have one-on-ones with him. And then we have various other forums where we participate, like there is the privacy working group of the W3C on Slack, and there we occasionally have some interactions with other people.
B
In general, people haven't been as open and proactive as Sam, and in fact, if you guys have ever worked with Apple, you know what awaits us. So other really nice, clear points of contact we'll have are at the end of this month. The OpenID Foundation is having its semi-annual workshop, or I don't know, but anyway there will be a short update on the matter, and at least there will be a number of people gathered that are interested in the topic.
B
I don't know how much progress we'll be able to make in like 15 minutes, but still. And the other is instead way more beefy: Heather is organizing a summit which is going to take two mornings at the end of May, and she's inviting standards providers and identity people. She's on the call if she wants to give more details, but I think that that is going to be probably our best bet to actually put at least the problems on the table and have the relevant people acknowledge them.
B
Now we are almost done. Yeah, I know, summit sounds interesting. Okay, so before we open the discussion, let me seed you with some key points and then I'll shut up.
B
So one thing that we suspected, but that became very clear in the work in the last few months, was that from the browser perspective, sure, they would like to preserve identity, what they call federation, but for them the highest priority is privacy. So if, for the sake of privacy, the identity experience has to suffer, well, that's the way it's gonna be. So that's an important element.
B
Whenever you negotiate on that side, it's gonna cause, like it caused already, some hard work, and I think it will keep doing so. And the other thing is that we say "browser people", but in fact they are not under a single banner.
B
So, even if we are successful here, we might need to be successful with multiple interlocutors. There is no unified front on their side, and that's gonna be a problem, because I envisioned a comeback of the 2000s in which websites say "this website needs Internet Explorer 5.5, because it will not work with files, or it needs Firefox" or stuff like that, which of course I know we are not keen on getting back to.
B
The other thing is that again we try the multiple channels, and it's just hard to get a single one. In general it looks like the browser people are very busy with something else, which is dealing with ads and similar, which probably move way more money than we do, at least on the surface, and get way more press than we do. So it's just very hard to make those connections. Also in terms of initiatives, I'd say that OpenID Connect and the IETF collaborated pretty well.
B
Let's say that the team was always very open to leveraging the work already done in here and using this framework and similar.
B
But apart from these, everything else has been a bit random. And then the final thing, one thing that was clear, is that our best engagement so far somehow suffered from the fact that we conflated two different timelines. On one side there is the forward-looking timeline, which is like a research-like R&D of WebID and new high-level primitives and signal, which is brand new. It is like a longer term, and it deserves some time to get it right.
B
On the other, there is the imminence of the demise of third-party cookies, and as soon as those are gone, who knows what else is it gonna be? Decorated links? Is it gonna be redirects? Who knows. And the point is that our customers are going to be imminently broken, just like what happened with ITP. That's going to happen here as well. So we, in the recent interactions, raised the need to at least try to have two speeds in our engagement.
B
One is helping to design the next generation of high-level primitives dedicated to identity in the browser. The other is containing the damage and making sure that, once third-party cookies disappear, people that are still stuck with old-style SAML don't end up being out of business because we have no solution for them. Wow, that was one long single breath. So let me shut up and give George the chance to get some words in if he wants to.
D
Sure. No, you did a great job, Vittorio, categorizing sort of the state of things. I think, yeah, what became especially clear in the last couple of weeks is the third-party cookie issue and our need to determine what all breaks today when third-party cookies are completely gone, because there is no decision. There is no... you know, yeah, sure, maybe the right set of companies could call Google and get them to delay a couple of months or whatever. But this is a non-negotiable thing.
D
It is happening, and there may be willingness on the browser side to do some things that we haven't ever had the browsers willing to do. I will give you my favorite one at the moment, which is log-out, because federated log-out from an OpenID Connect perspective is completely broken in Safari. And so, you know, if the browsers are willing, let's say, to allow the IdP to provide the browser
D
a set of, you know, URLs to go poke, right, to let those relying parties know that the user logged out, and the browsers will intermediate that for us and send credentials where they normally wouldn't, because they know it's a classified identity flow. Well then, you know, maybe that's a solution. It's in the space, but it's unclear.
E
Yeah, to follow on from what George is saying, I think we should, and I made this comment the last time we all talked about this, we should look at this as an opportunity for giving feedback to the browsers on what would be some great features, now that we've got them potentially paying attention to what we're doing. We could look at what are some things that would be really useful to the protocols and federated identity. Myself,
E
the one that I'd like to see would be a discovery mechanism, so that the web page can say "hey, what providers does this user have?" in a privacy-protecting way, which I think is potentially going to have to happen if the flow is that the user needs to decide that something is a provider they're going to work with, which means that then the browser knows what the providers are that the user says they have versus not.
F
Yeah, Dick, that's a super important point, and I think, you know, something we had talked about early on in this process was like, what do we envision identity on the web looking like in 2022, kind of removing things like WebID and having a more, you know, higher-level conversation. And we did start talking about that.
F
You know, we have all these conversations around requesting a dig and wallet discovery and even WebAuthn to an extent, that all involve prompting the user for a credential or taking some action. If WebID were to be implemented as it is today, which I don't think we are expecting, the users could have like seven different prompts from all different places, some from the browser, some from the operating system,
F
some from their wallet. And, you know, I agree with you, this is the prime time to look at what we want, because of existing experiences like redirecting to an IdP just to do WebAuthn. Why even redirect to the IdP anymore, if the browser's in the middle, right? So I think there is some... I agree, this is the time, but I think, you know, the challenging part has been some
F
It's been disheartening to me, because I do agree that this is the time to really paint the picture for the next 10 years. So, yeah, it's unfortunate, but I do want to keep the conversations going if we can.
B
A better experience would be really nice, but I'm more concerned about all the code out there which cannot be changed and that is going to be irremediably broken. Think of all the SiteMinder deployments which do some distributed sign-out or any other function that they need, and have this stuff broken. It's already difficult to get the browser vendors to discuss practical solutions to these, like, for example, an interstitial dialog that says "hey, this domain is trying to do something with this other domain.
B
Are you okay with it?", so that at least there is a route for not breaking the scenario. To me those things are more urgent than shaping the feature, mostly because a lot of the people that are leveraging those things have no idea that they have this ticking bomb under that stuff. And if you tell them "here, there is a much better primitive on the platform", they will not have a platform. So we are just going to cause,
B
not we, but those browser changes are gonna cause a lot of pain, and to me that just sets the priorities. I would like to first stop that pain and then paint a more futuristic future as well, but right now we are not even managing to do the bleeding control in the right way. So far.
D
Yeah, a lot of similar things to what Vittorio says. I agree, it would be awesome if the browsers want to listen, right. But I think that anything that we do at that level is effectively a new protocol, right, which isn't necessarily bad, but it isn't likely SAML or OpenID Connect, which brings us back to the, you know... I just want to sort of echo what Vittorio was saying, that we have huge amounts of deployments out there and we can't be looking at just,
D
you know, what would be nice in the future for greenfield implementations. We have to be looking at how we can work with the browsers to ensure that what's deployed today, and is running the majority of the web, right, doesn't just fall over. And so we need solutions, and that may come in a couple of flavors, right.
D
You know, updated to whatever the new thing is. But today, I mean, fundamentally today, if you use, you know, SAML distributed log-out or OpenID Connect front-channel log-out and your user shows up in Safari, and you're the relying party and you have them log in with Google, it is impossible for Google to get them logged out of your RP, because they can't use what's defined in the spec, right, which is open an iframe or a, you know, pixel URL or anything of that nature, and redirect chains are going to break, right.
D
There is nothing in the spec that says when the IdP redirects to you, the RP, and you log the user out, send the user back to the IdP. And no RP is going to want to do that anyway, right? I've got the user back. Why would I give them back to the RP so they can send them to my competitor, right? So it's just fundamentally broken, and so today, in reality, users can't log out if they're using Safari. So yeah, you can start to see the dangers there.
E
So I appreciate that, you know, they're making changes that are going to break some things. Because, well, right now it looks like we're saying "here's how the world works today", but we're not putting forward any, you know... or perhaps I haven't seen it, but the document we have is "here's just how things work today". We're not proposing solutions or anything, and my commentary is like, why don't we propose solutions that address their problem and that mitigate the downsides to existing things, but at the same time can go and enhance the existing experiences?
E
You know, Apple started blocking certain types of flows of OAuth and OpenID Connect in the past, and all those app developers had to upgrade their apps to go and support the new thing. Much harder to do on the web. But, you know, the precedent's there. The people say: okay, well, move to the new thing, you're broken.
B
Just to give a quick answer to this, I'll give you the same answer that we gave at the last IETF on this topic, which is: some of the browser goals are goals that might not be achievable. For example, a proposal that would satisfy them would have to satisfy things like: the browser is always in full control of what information is being exchanged from the IdP to the RP, and knows the meaning of every attribute, and has a chance to examine the artifacts and potentially do arbitrage, like blocking flows and similar.
B
So whenever we discuss things like, there are flows in which the browser knows nothing, and so it's impossible for you to guarantee the things that you want to guarantee in terms of privacy, the message doesn't come across. So I think that creating a proposal that today would work with them on these particular problems...
B
Like the thing that you're saying about discovery, it is very interesting, but it doesn't go to the heart of the thing that they want to solve, which is complete privacy guarantees, which we believe is going to be physically impossible. So it's very hard for us to create a proposal that aligns with their expectations, and that's why we fell back on "let's document what we have", because it's like objective reality, and so there is less of the opinion component to it.
E
Yeah, well, I don't think their proposal... You know, I've had a number of chats with Sam and have reiterated to him a number of times that the browser totally mediating the experience is a non-starter, because the browser just isn't going to know enough stuff. And then what happens when I'm using a different browser on a different computer?
E
You know, where is the source of truth for all my information? So I think we need to sort of differentiate between things where they view the browser as the center of the world, versus some of the things that they clearly are trying to solve. That "we want to go and protect all the privacy" is the dream they have, but there's things that they really do own, which is like, how do you stop...
A
Okay, Tim.
F
Yeah, one direct response to something you just said, Dick. I think an even bigger concern is: what if I use another browser on the same device, right? It's not even across devices. We're starting to run into that with FIDO, right: you can't even access the same platform credentials. So I do agree. These don't necessarily have to be... I don't think having this conversation needs to sideline the "make existing stuff keep working" conversation.
F
I just think how we present it is important, because people specifically will say they just don't have the resources to talk about that right now, because they're talking about not breaking things. So I think if there are people who are involved that aren't necessarily involved in the work that's happening now, and don't plan to be, maybe we can kind of have a parallel conversation, because I do think the more we wait,
F
we're just gonna shoot ourselves in the foot. Because, you know, we took a very high-level look at this internally at Microsoft, and we don't necessarily believe that there's a need for new protocols. Potentially things like CredMan, and there's a lot of things out there that aren't being fully utilized today, to solve things like the NASCAR problem, as one.
F
So I think it's worth having a parallel conversation, as long as we don't take our eyes off of the main priority. Person.
D
Yeah, so specifically in the sense of making proposals: if you look through comments on issues, I've made some in a couple of different ways that pretty much get ignored. That's not to say that we couldn't have more weight if, you know, there was a proposal. But the mechanism, in the sense of proposals for browsers, largely is: write an explainer for the Privacy CG, or write an explainer for the Web Incubator Community Group, you know, within the WebID environment, or a log-in issue,
D
saying "here's my proposal for how to make it better". Today that's the best mechanism we have for communicating these things. And Tim, I'll invite you to give your perspective, but in the last Privacy Community Group, right, it was pretty clear that even within an enterprise, where you may have multiple domains and you want seamless SSO to work, right, where I go to one site and it redirects me to the IdP site and then it redirects me back, you know, fill in your favorite cloud
D
enterprise IdP, right, the browsers did not want to enable that seamless SSO. They wanted the user to explicitly give consent for every non-IdP domain. At least, I think that's the way it works.
D
Someone else can correct me if I'm wrong on the way the Storage Access API works, if it's RP-specific, you know, RP/IdP-specific or just IdP, but effectively the user has to give a specific consent that they want to allow the IdP to access certain data, right. And that's there because they want to ensure that you can't, you know, do these redirect things, so that the ad companies can't do the redirects,
D
you know, where I bounce. I redirect to one thing, it immediately bounces me back, and the user doesn't understand, but, you know, I've been tracked, right. So there's an explicit user consent event that happens in that context, and it was very clear that they will require the explicit user consent, regardless of what it means to the user experience.
F
Yeah, I mean, and I think the fear right now, right, so that is... I think we caught someone in a bit of a transitive conundrum, I guess I could call it, in that they want to maintain SSO, but they are against,
F
you know, the tracking experience that SSO gives. So it was essentially a weird way to say "yes, we want both". You know, we don't want tracking, but we want SSO, but transitively, you know, it ends up being the same thing to them. So they're not able to answer that question well, and the default response is "use Storage Access API". And, as I think we've seen with other things that are happening on the platform side,
F
there is very little control over what that message says, and it is very misleading to the user. So the user simply signing in is gonna have all this privacy paranoia thrown at them, which doesn't tell the whole story of what's happening. So I have very big concerns over the generic prompts for the Storage Access API with no context. Yep.
A
Okay, Mike, you have a question on the chat. Do you want to talk about that question?
E
The, you know, ad industry uses decorated links to, you know, link the user in one context to another context, and so that's a privacy issue for them.
B
What about fragments?
E
It's even broader than that. It doesn't have to have a query parameter, it just differs on each invocation, because you don't need to go and have a query parameter to make the URL unique. And so the browsers are looking at it like, "oh, the user's been redirected to this link, but it changes each time just a little bit, and that looks like the behavior of a tracking site, and so we're going to start to do something to it."
G
It broke up for me for the last 30 seconds or something. So it's not just query parameters. What other kind of decorations are possibly being deprecated?
E
Well, just that there's analysis: they watch a link and they see "hey, it looks like the user is going to something that's sort of the same, but a little different, each time", which is a behavior similar to an advertising site. So it doesn't need to be a query parameter. It could just be a change in the URL somewhere.
B
So it's not like third-party cookies, which are going away. It is something like: if you use the decoration, your domain might receive special treatment because you might be leaking information between domains, which might be tracking, right? Well...
E
The information that's dropped is the cookie, right. Because the decorated link links from where the user is coming from over to the ad site, and the ad site gets its cookie, so it knows "okay, I know it's this user from my domain, and now I can link that to, you know, the decoration from the other domain". And so then the browsers would start to go and drop the cookie when it redirects over, which then, you know, has that issue in a lot of the SSO environments. It's like...
D
That's the impact, right, and that is what Safari has implemented, as I understand it, if they detect what they call bounce tracking. So if the IdP redirects to more than 10 sites in this sort of redirect model, right, then the IdP could get flagged as a bounce tracker, and what Safari will do is rewrite your SameSite cookie status from whatever it was to Strict, which means it won't,
D
it will no longer flow on a redirect. Whether you could redirect to yourself and get it is unknown, and obviously if the browsers felt like the ad platforms were doing that, then they would go fix that too.
D
So you can look this up in the ITP stuff in their blogs, where they basically talk about the SameSite=Strict jail, and getting it to trigger is tricky. So if anybody has the ubiquitous use case that, you know, causes Safari to drop into this behavior, I'd love to see that documented.
D
What happens for standard OpenID Connect or OAuth flows? Obviously Apple's going to want to drive people to use Sign in with Apple, because that gives them much greater reach and is much better for their advertising platform and all those other sorts of things. I probably shouldn't be quite so blunt on a recorded call, but I don't think that today there's anything that prohibits standard OAuth flows, because you should be using universal links, which is part of, you know...
D
That may be, but at the moment, for, you know, content or for publishers on the web, it's actually more advantageous to them to get their users to download the app, because certain things you can do in the app are quite different than the things you can do on the web, right. So it sort of goes both ways. The issue is that users don't want to, right.
D
If I'm using Google News on my Android device, and I see something interesting in that, you know, minus-one-swipe-left screen, and I click it and it takes me to, you know, news.foobar.example, right, I probably do not want to download the fubar.example app, because I may never go back to read another article from that site.
A
Okay, so since there's no other questions coming, I wanted to go back to Vittorio's comment about short-term versus long-term. We know that there is something coming soon. So do we want to do two different activities, one around the short term, while still kind of going and working the long-term issue? Is that reasonable, or do you want to do something about that?
B
Unless you are thinking about writing proposals and then submitting those proposals, I don't think that we have the ability to differentiate, as in: we engage with the browser people whenever we can, whenever we have their attention, and we try to steer the conversation towards the things that we want to talk about. That's kind of how it's been working, and maybe Heather's workshop will change things. And if your comment influences the agenda that Heather is putting together, great.
B
But otherwise I don't know how much we can do on our side to actually differentiate between those two.
C
So what we're looking at is... let me back up real quick. I'm being contracted by Google to help them have these conversations, because my human network is actually a little bit better than theirs when it comes to having conversations. So with that in mind, what I'm trying to do is a two-day workshop, May 25 and 26, 10 a.m. to 1 p.m. Pacific time. This may be the first of several workshops. It's going to kind of depend on who I can get to show up.
C
In the first day, I'm trying to get the major browser vendors to come in and say, okay, can you please describe your approach for how you think you're handling this. So to get someone from Safari to talk about ITP, to get someone from Firefox to talk about ETP, to get someone from Chrome to talk about Privacy Sandbox, and also possibly getting the folks from the Microsoft Edge team, Brave, maybe even Opera? I don't know yet.
C
That actually is enough to fill up just that first three hours, because of course there's also going to be an intro to make sure everybody understands where we are with the problem space. There'll be some pre-reading, if you haven't read the explainers that Sam has put together, either on cookies...
C
Day two, and again this is stuff where I'm still designing this, and I'd like to make sure that Google and others are willing, is: I want to go through several major reference implementations that say, okay, here's how Microsoft Teams uses cookies and where they're anticipating that things are going to break; here's how Google Sign-In (because, oddly enough, we're breaking some of Google's things too), here's their implementation and what they anticipate is going to break.
C
We'll see who I can get to the table to have that. And then there's going to be actually a bit of the thing that we all love to hate: having a meeting about how to have a meeting. I need to know how to continue this conversation, because part of the challenge, as you all have identified, is I have several standards development organizations that touch on this. We've got the IETF,
C
we've got the OpenID Foundation, we've got OASIS, we've got the W3C. We have groups that are very, very interested in privacy, but they happen to not actually have digital identity people usually engaged, so they're coming at it from a very, very focused perspective.
C
We have people who deal with identity federation, and that's what they do for a living, and they come at it from another perspective. And then, I mean, there's so many different groups, and they're all having their disparate conversations.
C
I want to know: can this type of workshop or forum or summit (I liked the summit one) keep meeting with these people? Because I'm hoping that will be the right group to get us cross-pollination of discussion, to figure out how we can handle the next steps. If it does turn out that this is the right group and that they're willing to continue conversations, then future meetings would involve things like focusing on...
C
I want to know a lot more about the social IdPs, and are they aware what kind of problems they are going to have? So, you know, get Facebook in the room, get Twitter in the room, get Microsoft from their LinkedIn platform in the room. Another meeting focusing very much on the RP experience. Have something that's a very SAML-specific meeting that's actually looking at the enterprise bilateral use cases; I know Salesforce has thousands, if not tens of thousands, of SAML arrangements going on. And the academic use cases, which are these,
C
you know, bizarre multilateral, every direction interacting in a trusted way with every other direction. To have a session about that.
C
So his explainer, which is at the top of that repository now, actually does have a timeline that says, all right, we're going to start with trying to figure out: are there mitigations that could be put in place for third-party cookies, once we've identified those and they start to be implemented.
D
Reasonable. I think, as far as the IETF, that may be fine, but I would say please look at the scenarios list that Vittorio, you know, mentioned at the beginning, and grab one and write it up, right. Because at the end of the day we need to be able to point people to it. You listen to the conversations, and I think that, while in general the people working on browsers may understand, you know, the Sign in with Google flow at a user-experience kind of level,
D
they don't know the intricacies of identity and what we're doing in all the different use cases and when they occur. And so having something that we can point them to and say "hey, this is a critical capability that is active today", and ideally, if you're using something and you can say "we see about this much traffic", right, especially in the major cloud identity space, "here's the amount of traffic we see coming through", that adds significant weight with them.
J
Yeah, just a quick question: the use cases list. Is there a form, or is there a way for us to call dibs on one of the use cases, so that two people by accident don't work on the same thing?
B
Issues in the repo. If you go on that repo, when you see the list of issues, you'll see that the team called dibs on some of those scenarios. You can do the same. All right. Thank you.
A
Okay, on the workshop, will you be able to send a notification or an email to the list when you have it defined? Or, yeah?
C
Yeah, as soon as I figure out the... I'm not normally a secretariat, so trying to get all of these different groups to actually play well with each other, and then to figure out... having it under the W3C's auspices makes the most sense in terms of where browsers are most likely to be, where I can get the privacy people, etc. But I need to understand how they do their workshops in terms of signups and everything.
C
For a community group, you need to be a member of the community group, but that isn't the same thing as being a W3C member.
A
Perfect. Well, Vittorio and George and Heather, thank you very much. That was a great discussion and presentation, and let's hope we can make some progress with this. Okay. Thank you all, appreciate it.