<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
<div class="moz-cite-prefix">On 8/31/16 2:02 PM, Mike Jones wrote:<br>
</div>
<blockquote
cite="mid:DM2PR0301MB063750D72904E59EA044B124F5E30@DM2PR0301MB0637.namprd03.prod.outlook.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#002060;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060">As
a practical matter, if the user has taken an explicit step
to disable third party cookies in their browser, they’ve
also broken a whole lot of web scenarios besides this one.
I think that our obligation is just to inform implementers
and deployers of the possible consequences of this user
choice. That’s what the issue is about.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060">If
you want guaranteed logout, you have to instead go the (much
heavier weight) back-channel logout specification.</span></p>
</div>
</blockquote>
<br>
Thanks Mike, understood.<br>
<br>
Nick<br>
<br>
<blockquote
cite="mid:DM2PR0301MB063750D72904E59EA044B124F5E30@DM2PR0301MB0637.namprd03.prod.outlook.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060">
-- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><a moz-do-not-send="true"
name="_MailEndCompose"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060"><o:p> </o:p></span></a></p>
<span style="mso-bookmark:_MailEndCompose"></span>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">
Openid-specs-ab
[<a class="moz-txt-link-freetext" href="mailto:openid-specs-ab-bounces@lists.openid.net">mailto:openid-specs-ab-bounces@lists.openid.net</a>]
<b>On Behalf Of </b>Nick Roy via Openid-specs-ab<br>
<b>Sent:</b> Wednesday, August 31, 2016 12:41 PM<br>
<b>To:</b> Filip Skokan <a class="moz-txt-link-rfc2396E" href="mailto:panva.ip@gmail.com"><panva.ip@gmail.com></a><br>
<b>Cc:</b> Michael Jones
<a class="moz-txt-link-rfc2396E" href="mailto:issues-reply@bitbucket.org"><issues-reply@bitbucket.org></a>;
<a class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-ab] Issue #1003:
Document possible impacts of disabling third-party
cookies on front-channel logout (openid/connect)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Isn't enabling
SLO without a guarantee of universal logout dangerous? People
will walk away from browsers with an expectation that they've
logged out. I don't want to undermine things, but I worry
about the security implications and the difficulty of user
education in shared environments.<br>
<br>
Best,<br>
<br>
Nick<o:p></o:p></p>
<div>
<p class="MsoNormal">On 8/31/16 1:28 PM, Filip Skokan wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">In those cases RP logout will not be
performed as reported by the original contributors. Since
clients may not even support any form of downstream logout
it's not like the OP can guarantee SLO anyway. <o:p></o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal">I would be interested if this is a
globally applicable case or just user-agent specific. <br>
<br>
Sent from my iPhone<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
On 31 Aug 2016, at 21:10, Nick Roy <<a
moz-do-not-send="true" href="mailto:nroy@internet2.edu">nroy@internet2.edu</a>>
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">What if
the user declines to accept cookies for the third party?<br>
<br>
Nick<o:p></o:p></p>
<div>
<p class="MsoNormal">On 8/31/16 9:58 AM, Filip Skokan
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">I am not aware of any issues in
the regulatory part. Afterall you're loading content
of the third party but not directly accessing it.
It's the third party RP handling the logout itself<br>
<br>
Sent from my iPhone<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
On 31 Aug 2016, at 15:38, Nick Roy via
Openid-specs-ab <<a moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>>
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p>Will this be a problem in the EU re: privacy
laws?<o:p></o:p></p>
<p>Best,<o:p></o:p></p>
<p>Nick<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Aug 30, 2016 7:35 PM,
Michael Jones via Openid-specs-ab <<a
moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>>
wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid
#CCCCCC 1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal">New issue 1003:
Document possible impacts of disabling
third-party cookies on front-channel
logout<br>
<a moz-do-not-send="true"
href="https://bitbucket.org/openid/connect/issues/1003/document-possible-impacts-of-disabling">https://bitbucket.org/openid/connect/issues/1003/document-possible-impacts-of-disabling</a><br>
<br>
Michael Jones:<br>
<br>
Contributors have described that their
front-channel logout implementations do
not work when third-party cookies are
disabled. The working group should
discuss this situation and at a minimum,
document that front-channel logout
may/will not work with third-party
cookies disabled, and describe why this
is the case. If it is possible to work
around this situation, the work-arounds
should also be described.<br>
<br>
<br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a moz-do-not-send="true"
href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
<a moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a moz-do-not-send="true"
href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
<a moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></p>
</div>
</blockquote>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<br>
</body>
</html>