- From: Mark Watson <watsonm@netflix.com>
- Date: Thu, 8 Nov 2012 20:22:42 +0000
- To: Thomas Hardjono <hardjono@MIT.EDU>
- CC: Wan-Teh Chang <wtc@google.com>, Seetharama Rao Durbha <S.Durbha@cablelabs.com>, "public-webcrypto@w3.org Group" <public-webcrypto@w3.org>
On Nov 8, 2012, at 11:59 AM, Thomas Hardjono wrote:

>
>> -----Original Message-----
>> From: Mark Watson [mailto:watsonm@netflix.com]
>> Sent: Thursday, November 08, 2012 2:47 PM
>> To: Wan-Teh Chang
>> Cc: Thomas Hardjono; Seetharama Rao Durbha; public-webcrypto@w3.org Group
>> Subject: Re: Unique identifiers and WebCrypto
>>
>>
>> On Nov 8, 2012, at 11:34 AM, Wan-Teh Chang wrote:
>>
>>> On Thu, Nov 8, 2012 at 11:27 AM, Mark Watson <watsonm@netflix.com> wrote:
>>>>
>>>> My objective with the feature in question here is that the privacy
>>>> implications be no worse than (and hopefully better than) cookies and
>>>> web storage. One aspect in which the situation is better is that
>>>> users have very little idea what a site will use cookies and web
>>>> storage for when they give permission. Giving a site permission to
>>>> access an (origin-specific) device identifier is arguably easier to
>>>> understand.
>>>
>>> If I understand it correctly, the perceived problem with an
>>> origin-specific device identifier is that it is "read only" and cannot
>>> be deleted by the user.
>>
>> Well, UAs may choose to allow users to delete the identifier. From the
>> site's point of view that's indistinguishable anyway from the site not
>> being authorized by the user to see it. The issue is that if you delete
>> such an identifier, services that need it may not work any more and
>> users need to be warned about that. On a TV this would be a
>> "permanently disable service X" button. Personally I would happily use
>> that feature on certain TV channels ;-)
>>
>>>
>>> On the other hand, the user can effectively change the device
>>> identifier by getting a new device,
>>
>> Depending on device implementation, it may be able to change its device
>> identifier at user request.
>>
>>> whereas an (origin-specific) user identifier, such as my Yahoo Mail
>>> account and Amazon.com account, usually last much longer than the
>>> lifetime of a device. So it's not clear to me if a device identifier
>>> has more serious privacy issues.
>>>
>>> Wan-Teh
>
> I may be way off, but isn't this precisely the challenge of
> privacy-preserving identity:
> (a) how a user-selected identifier can be bound (unbound) by the user
> to a service-issued identifier;
> (b) how the user can select a new identifier and re-bound it to an old
> service-issued identifier.
> (c) how to do (a) and (b) with the assurance that neither the UA nor
> the service is keeping track of the bindings.

Are you suggesting that all identifiers should have the above properties? Or just that we should make identifiers with these properties available to users and services?

If the former, how would you support a service which offered each person a one-off one-month free trial? How would you detect fraud?

…Mark

>
>
> /thomas/
Received on Thursday, 8 November 2012 20:23:11 UTC