- From: Lee Kowalkowski <lee.kowalkowski@googlemail.com>
- Date: Fri, 14 Dec 2012 12:03:41 +0000
- To: Stan <stasson@orc.ru>
- Cc: whatwg@lists.whatwg.org
On 14 December 2012 08:51, Stan <stasson@orc.ru> wrote:

> First, I don't think it's convenient for users to register themselves
> on many sites, which they visit occasionally.

A device ID won't register a user. Where will the profile information come from? If it comes from a web-based service (like Gravatar), then a device ID is not required to address the inconvenience, because users will use multiple devices over time. I don't think making users register each device would be convenient, either.

> Second, user accounts are based on e-mails as a rule, which is not unique
> at all,

If an email address cannot uniquely identify a user's account, that's a problem with the web application.

> every user can have multiple e-mails and multiple registrations.

A human can have multiple devices.

> Many web-services
> struggle against users' reputation spoofing made via such fake accounts.

The information sent to a web service can be spoofed/rewritten on the fly. Are web services struggling against humans manually creating fake accounts or against automated systems creating fake accounts? A human can own several devices; a determined human can control thousands more. A device ID isn't going to be a foolproof countermeasure. An automated account spoofing system isn't going to have any trouble automatically generating random device IDs to send to your web service.

> Third, I think it's up to a certain web-service design and requirements,
> if it needs to identify user accounts or user devices. For example, usage
> of the same profile on multiple devices can be a violation of a web-service
> license agreement

Can you tell me of such a service? I would be so extremely disappointed if a web service locked me into the first device I used to access it. I would not continue to use it; there would be absolutely no point in committing myself to use it, too risky.

Only allowing a user to use 1 device at a time is more likely, but that is trivial already; you don't need a device ID to enable that. The web application just needs to store session IDs against users in a 1-to-1 ratio, so if a user logs in on a different device, the other device loses its session, so only 1 device can be used at any moment.

> or a web-service may bind several devices to the same
> profile.

So that would permit concurrent access; device ID would not be useful there.

> Multiple browser profiles on the same device do not matter, because
> the same device ID will be returned.

That's a bold assumption. Perhaps "Multiple browser profiles on the same device do not matter, IF the same device ID is returned". It wouldn't be inconceivable for one profile to have a browser plug-in installed to manipulate the device ID.

> Moving from one device to another,
> or virtual devices - is just the same thing as having multiple devices
> considered above.

Is it? How? They would return different device IDs, so how is it just the same thing?

> The main point, if device ID could be available it would provide more great
> possibilities for users and web-services.

Such as? It sounds like a device ID cannot possibly be guaranteed to be unique, at all, therefore serves no benefit. A web application needs to maintain its own user session state; there are no short cuts, improvements or simplifications such as trusting a client-provided arbitrary value. Even systems based on personal digital certificates have to be verified server-side (e.g. was the certificate issued by a trusted authority?).

-- 
Lee
Received on Friday, 14 December 2012 12:04:44 UTC
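The one-device-at-a-time mechanism Lee describes (a 1-to-1 mapping between users and session IDs, with the earlier session dropped when the user logs in elsewhere) is easy to show in code. The following is an added illustration, not code from the thread or from any WHATWG specification: the `SessionStore` class, its method names and the usernames are all hypothetical. It makes the server the only source of truth; no client-supplied device identifier is consulted anywhere, which is the thread's point about why a device ID adds nothing to this design.

```python
"""Single-active-session store: one live session per user, enforced server-side.

Hypothetical example added to illustrate the thread's argument. The server
generates opaque session tokens and keeps a 1-to-1 map from user to token;
a login from a second device revokes the first device's session. Nothing
supplied by the client (such as a claimed device ID) influences this logic.
"""
import secrets
import time
from typing import Optional


class SessionStore:
    """In-memory session store keyed by opaque, server-generated tokens."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self._ttl = ttl_seconds
        # token -> (username, expiry timestamp)
        self._sessions: dict[str, tuple[str, float]] = {}
        # username -> the single currently active token (the 1-to-1 mapping)
        self._active: dict[str, str] = {}

    def login(self, username: str, now: Optional[float] = None) -> str:
        """Issue a fresh session for `username`, revoking any earlier one."""
        now = time.time() if now is None else now
        previous = self._active.get(username)
        if previous is not None:
            # The other device loses its session: only one may be live at once.
            self._sessions.pop(previous, None)
        # Token is unguessable and never derived from anything the client sent.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, now + self._ttl)
        self._active[username] = token
        return token

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the username for a live session token, or None if unknown/expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if now >= expires_at:
            self.logout(token)
            return None
        return username

    def logout(self, token: str) -> None:
        """Drop a session and, if it was the user's active one, clear the mapping."""
        entry = self._sessions.pop(token, None)
        if entry is not None and self._active.get(entry[0]) == token:
            del self._active[entry[0]]


def demo_two_devices() -> tuple[bool, bool]:
    """Log 'alice' in from a laptop, then a phone; report which session still works.

    Timestamps are constructed values so the run is deterministic.
    """
    store = SessionStore()
    token_laptop = store.login("alice", now=1000.0)
    token_phone = store.login("alice", now=1001.0)
    return (
        store.validate(token_laptop, now=1002.0) == "alice",
        store.validate(token_phone, now=1002.0) == "alice",
    )


if __name__ == "__main__":
    print(demo_two_devices())  # (False, True)
```

The store's only inputs are the authenticated username (established by whatever login check precedes `login`) and the token the client presents back; a forged or stale token simply fails `validate`. Per-device lockout, by contrast, would need the client to report something the server cannot verify, which is exactly the gap the thread identifies.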