<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Isn't enabling SLO without a guarantee of universal logout
    dangerous?  People will walk away from browsers with an expectation
    that they've logged out.  I don't want to undermine things, but I
    worry about the security implications and the difficulty of user
    education in shared environments.<br>
    <br>
    Best,<br>
    <br>
    Nick<br>
    <br>
    <div class="moz-cite-prefix">On 8/31/16 1:28 PM, Filip Skokan wrote:<br>
    </div>
    <blockquote
      cite="mid:5FB3B321-226E-4FB7-B2F7-131AC678B555@gmail.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <div>In those cases RP logout will not be performed as reported by
        the original contributors. Since clients may not even support
        any form of downstream logout it's not like the OP can guarantee
        SLO anyway. </div>
      <div id="AppleMailSignature"><br>
      </div>
      <div id="AppleMailSignature">I would be interested if this is a
        globally applicable case or just user-agent specific. <br>
        <br>
        Sent from my iPhone</div>
      <div><br>
        On 31 Aug 2016, at 21:10, Nick Roy <<a moz-do-not-send="true"
          href="mailto:nroy@internet2.edu">nroy@internet2.edu</a>>
        wrote:<br>
        <br>
      </div>
      <blockquote type="cite">
        <div> What if the user declines to accept cookies for the third
          party?<br>
          <br>
          Nick<br>
          <br>
          <div class="moz-cite-prefix">On 8/31/16 9:58 AM, Filip Skokan
            wrote:<br>
          </div>
          <blockquote
            cite="mid:D7435DC9-6255-41FF-9B66-135375463572@gmail.com"
            type="cite">
            <div>I am not aware of any issues in the regulatory part.
              Afterall you're loading content of the third party but not
              directly accessing it. It's the third party RP handling
              the logout itself<br>
              <br>
              Sent from my iPhone</div>
            <div><br>
              On 31 Aug 2016, at 15:38, Nick Roy via Openid-specs-ab
              <<a moz-do-not-send="true"
                href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>>
              wrote:<br>
              <br>
            </div>
            <blockquote type="cite">
              <div>
                <p dir="ltr">Will this be a problem in the EU re:
                  privacy laws?</p>
                <p dir="ltr">Best,</p>
                <p dir="ltr">Nick</p>
                <div class="gmail_extra"><br>
                  <div class="gmail_quote">On Aug 30, 2016 7:35 PM,
                    Michael Jones via Openid-specs-ab <<a
                      moz-do-not-send="true"
                      href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>>
                    wrote:<br type="attribution">
                    <blockquote class="quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div><font size="2"><span style="font-size:10pt"></span></font>
                        <div>New issue 1003: Document possible impacts
                          of disabling third-party cookies on
                          front-channel logout<br>
                          <a moz-do-not-send="true"
href="https://bitbucket.org/openid/connect/issues/1003/document-possible-impacts-of-disabling">https://bitbucket.org/openid/connect/issues/1003/document-possible-impacts-of-disabling</a><br>
                          <br>
                          Michael Jones:<br>
                          <br>
                          Contributors have described that their
                          front-channel logout implementations do not
                          work when third-party cookies are disabled. 
                          The working group should discuss this
                          situation and at a minimum, document that
                          front-channel logout may/will not work with
                          third-party cookies disabled, and describe why
                          this is the case.  If it is possible to work
                          around this situation, the work-arounds should
                          also be described.<br>
                          <br>
                          <br>
_______________________________________________<br>
                          Openid-specs-ab mailing list<br>
                          <a moz-do-not-send="true"
                            href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
                          <a moz-do-not-send="true"
                            href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
                        </div>
                      </div>
                    </blockquote>
                  </div>
                  <br>
                </div>
              </div>
            </blockquote>
            <blockquote type="cite">
              <div><span>_______________________________________________</span><br>
                <span>Openid-specs-ab mailing list</span><br>
                <span><a moz-do-not-send="true"
                    href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a></span><br>
                <span><a moz-do-not-send="true"
                    href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></span><br>
              </div>
            </blockquote>
          </blockquote>
          <br>
        </div>
      </blockquote>
    </blockquote>
    <br>
  </body>
</html>