
Re: Rethinking KeyStorage

From: Mark Watson <watsonm@netflix.com>
Date: Wed, 7 Nov 2012 23:16:02 +0000
To: Ryan Sleevi <sleevi@google.com>
CC: David Dahl <ddahl@mozilla.com>, public-webcrypto <public-webcrypto@w3.org>, Arun Ranganathan <arun@mozilla.com>, Harry Halpin <hhalpin@w3.org>
Message-ID: <7219A969-C017-4AF8-A578-B75F95D52C55@netflix.com>

On Nov 7, 2012, at 2:58 PM, Ryan Sleevi wrote:

> It seems like the crux of your argument is "If we standardize it,
> people can then be aware of how bad it is for user privacy",

No, if we standardize it, people can be aware of it, its pros and cons, and of how to control their own privacy.

You are making big value judgements here. It's not a bad thing if users are empowered to trade personal information for services, if they so wish. It's a bad thing if some group presumes to dictate to users that they shall not do this (and consequently shall not have access to as many services).

> while the
> argument that I'm presenting is that "If we standardize it, we are
> explicitly recommending it" (see, for example, the name of W3C specs -
> Recommendations).

Again, no. If we standardize it we are recommending that "if you do this, do it this way". In the example of Netflix, our decision to require strong device authentication is a business decision which is unlikely to be influenced by anything the W3C says. Again, it's a benefit to users (vs the status quo) if TV manufacturers and others approached this requirement in a standard way.

> Leaving it unspecified is no more nor less
> problematic than the fact that <embed> is a giant black hole, while
> specifying it, even as a "may", is a clear and direct signal that
> implementors "SHOULD" or "MAY" consider hostile-to-user-privacy
> features, which is a real reversal of course in terms of the W3C's and
> user agents' concerns for user privacy.

No doubt that there needs to be discussion, but users need to be empowered to understand and control private information, not dictated to as to what services they can use on the web.

Also, I really think you are overstating the problem. We are entirely within the same-origin policy here. If a user wishes to grant a particular origin access to their "device serial number", in return for enhanced services, they should be allowed to. Or are you just saying that the web should not support services like Netflix and similar?

Received on Wednesday, 7 November 2012 23:16:32 UTC
