- From: <bugzilla@jessica.w3.org>
- Date: Fri, 24 Oct 2014 23:27:37 +0000
- To: public-html-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=27124 --- Comment #12 from David Dorwin <ddorwin@google.com> --- (In reply to Henri Sivonen from comment #10) > (In reply to David Dorwin from comment #2) > > but it must be per-origin > > individualization rather than user agent- or system-wide individualization. > > > > The rationale for not sending non-origini-specific individualization was > > mentioned at the end of [1]: > > "privacy with respect to whether the device has previously been > > initialized." > > As noted on public-html-media, unless origin-independent individualization > happens eagerly ahead of time, the application can deduce the lack of > previous individualization from the latency of the first operation requiring > individualization. Unless there are per-origin user prompts, which is probably a good practice for client individualization anyway (see bug 27165). Beyond that specific rationale, there are probably other concerns with deferring such operations to applications, similar to the central server concerns. > > Since PlayReady pricing currently disincents eager ahead-of-time > individualization, I bet there are people who'd be unhappy about the spec > requiring eager ahead-of-time individualization when individualization isn't > origin-dependent... I don't think the spec requires this. Avoiding such timing "attacks" is probably an implementation detail (for implementations not requiring user interaction before individualizing), though we could certainly add it to the privacy considerations section. -- You are receiving this mail because: You are the QA Contact for the bug.
Received on Friday, 24 October 2014 23:27:38 UTC