Double keying would be very useful, and in contexts other than WebRTC also.

I still think even in that case (where the deviceId is unique to the first-party/third-party combination), there should be no leakage until the user has first authorised the origin. And the authorisation should lapse after a reasonable period.

Mike

 

-----Original Message-----
From: Georg Koppen [mailto:gk@torproject.org]
Sent: 01 July 2015 22:07
To: Eric Rescorla; Nick Doty
Cc: Mike O'Neill; public-privacy (W3C mailing list); Jan-Ivar Bruaroey
Subject: Re: Request for feedback: Media Capture and Streams Last Call


Eric Rescorla:
> Martin Thomson has suggested using double keying here. Would people
> consider that satisfactory?

Yes. I think this is a good idea.

Georg