w3c / strategy

team-strat, on GitHub, working in public. Current state: DRAFT

[wg/fedid] Federated Identity Working Group Charter #427

Closed plehegar closed 2 months ago

plehegar commented 9 months ago

New charter proposal, reviewers please take note.

Charter Review

Charter:

What kind of charter is this? Check the relevant box / remove irrelevant branches.

Horizontal Reviews: apply the Github label "Horizontal review requested" to request reviews for accessibility (a11y), internationalization (i18n), privacy, and security. Also add a "card" for this issue to the Strategy Funnel.

Communities suggested for outreach: ?

Known or potential areas of concern: ?

Where would charter proponents like to see issues raised? (this strategy funnel issue, a different github repo, email, ...) https://github.com/fedidcg/fedidcg.github.io/issues

Anything else we should think about as we review?

plehegar commented 9 months ago

cc @hlflanagan @asr-enid @timcappalli

plehegar commented 9 months ago

(advance notice should hopefully be out tomorrow)

melvincarvalho commented 8 months ago

Naming clash here with the existing spec "Web Identity and Discovery" authored by Henry Story, Tim Berners-Lee et al

https://www.w3.org/2005/Incubator/webid/spec/identity/

This spec will quite possibly be part of the solid WG too.

This has been in use since 2005, and is a different technology.

The federated identity community group should choose a name less likely to cause confusion, or perhaps revert back to the original title.

plehegar commented 8 months ago

"Web Identity" is pretty generic. Certainly, Solid doesn't pretend to define how Web Identity is done in general either. On the other hand, the overlap between the Solid WG proposal and this group is concerning. None of the Group proposals should move forward without this getting resolved.

hlflanagan commented 8 months ago

@plehegar My read of the Solid WG proposal is that it focuses on use cases where the user does not have an identity provider. The Web Identity Credential proposal covers what happens when the user has an identity provider, making sure that the user consents to the information being shared between an RP and an IdP for the purposes of authentication.

Would adding a note to that effect in our charter resolve your concern?

plehegar commented 7 months ago

Advance notice was sent in September.

hlflanagan commented 7 months ago

@plehegar We'd like to emphasize that the WG name is not the same as the spec name. We think the proposed WG name aligns well with the focus of the discussions we'll have. If we keep this name and emphasize that the scope of work is complementary to the Solid effort, will that resolve your concern?

plehegar commented 6 months ago

from the WebAuth WG: add WebAuth WG as a dependency

himorin commented 6 months ago

The material for HR is still the markdown-format one, right?

hlflanagan commented 6 months ago

I've proposed some changes based on the feedback in this issue, directly against the charter in its repository, and in Slack discussions. See https://github.com/fedidcg/fedidcg.github.io/pull/21.

himorin commented 6 months ago

i18n would want the text for the coordination section to align with the standard text, especially to include a mention of HR before CR.

matatk commented 6 months ago

This is a comment from the APA WG.

We'd like to request that the Web Identity Credential Working Group Charter add us, the Accessible Platform Architectures (APA) WG, to the list of related W3C groups.

Justification: We (APA WG) seek to ensure that accessibility is kept front of mind, as authentication timing and the reliance on short term memory are known and thorny topics for people with disabilities. APA WG can represent these issues that have been raised in the Cognitive Accessibility (COGA) TF, and Accessibility Guidelines (AG) WG.

At a minimum, we'd like to ensure that any APIs specified ensure that any UI built on top of them would, at a minimum, meet WCAG Success Criterion 3.3.8 Accessible Authentication.

Ideally we would also want UIs built on top of the API to meet WCAG SC 3.3.9 Accessible Authentication (Enhanced) (particularly relevant to COGA needs), and WCAG SC 2.2.5 Re-authenticating.

We look forward to working with and supporting you in this regard.

APA WG meeting minutes where this charter was discussed

plehegar commented 5 months ago

several questions on this charter:

  1. web platform tests is not a normative specification so not sure why it appears in that section.
  2. it's missing links to proposed deliverables. where is the login status api spec for example?
  3. timeline is either useless or incomplete. are the documents expected to reach CR within the 2 years timeframe?
  4. success criteria section doesn't make sense. "The Working Group will bring one or more Review Drafts from W3C Candidate Recommendation to Proposed Recommendation." Yet, the Group doesn't intend to go beyond CR. "The Proposed Recommendation (PR) and Recommendation (REC) endorsement of WHATWG Review Drafts" ?!?!?
  5. the coordination section removes a LOT of boilerplate text that is required by horizontal groups
  6. Anti-Trust section needs to go. First, we don't have a policy, but a guidance. Second, all Groups at W3C are subjected to the same guidance and adding it here would make one think that other groups are not subjected to it.

hlflanagan commented 5 months ago

Update - @plehegar , @asr-enid, and @hlflanagan met to review the listed concerns.

  1. Web platform tests will be moved out of "normative" requirements and into "other requirements"
  2. Since Login-Status-API was incorporated into the FedCM spec, it's being removed as a specific deliverable
  3. The timeline has been updated to indicate target dates for the drafts rather than when we're going to have meetings
  4. the success criteria will be changed to match the general template
  5. boilerplate text will be returned
  6. the anti-trust section will be removed; that was a very specific thing for the proposed PAT WG and doesn't apply to this WG.

@plehegar will submit a PR with those changes and a proper HTML format and the FedID CG will review on their 23 January 2024 call.

plehegar commented 5 months ago

New draft charter is now available, now in this repository.

I also added the Motivation/Background section. Hopefully, what I wrote makes sense; otherwise we can easily change it.

plehegar commented 5 months ago

if the requirement to go through the CG for proposals isn't strong enough in the coordination section, we could also add wording in the scope section.

plehegar commented 5 months ago

6. the anti-trust section will be removed; that was a very specific thing for the proposed PAT WG and doesn't apply to this WG.

clarification: the anti-trust guidelines do apply to ALL groups, and thus don't need to be pointed out separately in each charter.

plehegar commented 5 months ago

(waiting on Fed CG to have a final look at the charter before moving forward)

plehegar commented 4 months ago

Added back the Login Status API

himorin commented 4 months ago

An acronym(?) FedCM (or Fed CM with white-space) is used in Section 3.1 for Federated Credential Management API, but I see no definition.

plehegar commented 4 months ago

Final changes in https://github.com/w3c/charter-drafts/pull/481

plehegar commented 4 months ago

Note that the charter rules out interactions with identity wallets, which explains why the Verifiable Credentials Working Group is not listed as a dependency.

plehegar commented 4 months ago

Charter is out of review: https://lists.w3.org/Archives/Public/public-new-work/2024Jan/0006.html

Deadline for comments is 2024-02-29

melvincarvalho commented 4 months ago

Thanks for the name change, and link to the charter. FYI: the WebID (Web Identity) group is active again now.

A couple of things that may be of interest:

From the spec, the opening line is:

A global distributed Social Web requires that each person be able to control their identity, that this identity be linkable across sites - placing each person in a Web of relationships - and that it be possible to authenticate globally with such identities.

The terms federated and distributed might have some synergy here.

Secondly, the modernization of WebID involves an identity spec, and "extension" authentication specs. One of the authentication specs planned is WebID-OIDC. There's no current plans to do WebID-SAML but such a thing could be added if there is appetite for it.

I just thought I'd point this out in case anyone wants to collaborate on similar goals. Feel free to follow the work of the WebID Community Group.

plehegar commented 3 months ago

From AC Review:

We support the creation of this working group and look forward to participating.

We request the addition of a deliverable, Digital Credentials, currently being incubated in the WICG. We anticipate it being ready to "graduate" from incubation early enough in the term of this charter that it would be a shame to have to recharter just a few weeks or months from now. This addition could be to the list in §3.1, or a new list could be added, as seen in many other recent charters, identifying additional deliverables the working group may choose to take up without rechartering.

Additionally, we request an addition to the list of out-of-scope topics in §2.1:

plehegar commented 3 months ago

From AC Review:

We see no issue with the charter as it stands, but other feedback on the charter suggests that there is an opportunity to use this group as a venue for discussing other aspects of identity. The topic of how identity is managed online is important, but there is a risk of having multiple uncoordinated efforts in the space.

While the WICG work on identity credentials is not as mature as FedCM, we would much prefer to see this work moved to a working group. We suggest that this work be listed as an additional deliverable the working group may choose to take up without rechartering.

npdoty commented 3 months ago

I don't think it would be appropriate to add such significant scope now, when that deliverable was explicitly excluded from the scope when the charter went to the AC for review. As I noted preemptively in my review, that deliverable shows substantial risks to human rights. Something that significant should get direct AC review and would also need some demonstrated way of mitigating those profound potential harms before the Consortium should commit to it.

plehegar commented 3 months ago

Additionally, we request an addition to the list of out-of-scope topics in §2.1:

  • Performing any security or confidence assessment

We received a clarification about what constitutes a "security or confidence assessment": [[ The primary purpose of FedCM is for site A to be able to ask the question "is the user $username on site B?" Site B can answer "yes" or "no". This isn't an assessment. If Site B were instead able to answer "we're 65% confident the user is who they say they are," that would be an assessment. ]]

I'm now proposing to add in the out of scope: [[

samuelgoto commented 3 months ago

I'm now proposing to add in the out of scope:

That generally works for me. I think this may be even more specific:

plehegar commented 3 months ago

My current recommendation is to:

plehegar commented 3 months ago

There is now a new poll sent to the AC Reps who responded to the original charter. Deadline is March 19.

plehegar commented 2 months ago

Group should be launched this Friday or Monday

plehegar commented 2 months ago

@simoneonofri will be the Team Contact for the Working Group and is finalizing the little tidbits for the Group launch.

plehegar commented 2 months ago

we should probably open a separate issue to track the Digital Credential addition.

plehegar commented 2 months ago

Launched: https://lists.w3.org/Archives/Member/w3c-ac-members/2024JanMar/0058.html

plehegar commented 2 months ago

For further follow up see https://github.com/w3c/strategy/issues/450