- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Fri, 22 Dec 2006 10:51:13 +0000
- To: public-wsc-wg@w3.org
On the other day's call I was trying to make sure that the following, or similar, weren't ruled out of scope, and I think we did more-or-less agree that. I have a half-baked idea about that that I wanted to check with the list before I forget about it;-)

Browser history is good security context info. Users want to flush browser history sometimes. Maybe we can preserve some security context and meet the history-flush requirement at the same time.

One could imagine keeping some security context even after the browser history is flushed, iff we can maintain privacy. Some scheme whereby parts of the history are hashed and then those hashes can be used as security context might be able to preserve the required privacy.

So, an almost-but-not-quite-working scheme would be preserving a list of the hashes of visited-URLs even after the history-flush. Then, when the user revisits a URL the security context handler can know that this isn't the 1st time, even though the URI itself isn't stored.

The reason this doesn't quite work of course is that the stored hashes are vulnerable to a dictionary attack, but maybe some similar scheme could work.

S.
Received on Friday, 22 December 2006 10:50:37 UTC
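
The hashed-history scheme from the message above, as an added example that is not part of the original post: it shows the retained digest list answering "seen before?" and why an unkeyed list still discloses visits to anyone who can hash a candidate URL list. The class and function names, the sample URLs, and the HMAC-keyed variant are assumptions made here for illustration; the message itself proposes no specific fix.

```python
import hashlib
import hmac

def url_digest(url):
    # Unkeyed SHA-256 of the URL: the form the message describes keeping.
    return hashlib.sha256(url.encode("utf-8")).hexdigest()

def keyed_digest(key):
    # Assumed variant (not from the message): HMAC-SHA-256 under a secret
    # that lives outside the stored list, e.g. in an OS keystore.
    def digest(url):
        return hmac.new(key, url.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest

class HashedVisitLog:
    """Keeps only digests of visited URLs, so it can survive a history flush."""

    def __init__(self, digest=url_digest):
        self._digest = digest
        self._seen = set()

    def visit(self, url):
        """Record a visit; return True if the URL had been visited before."""
        d = self._digest(url)
        seen_before = d in self._seen
        self._seen.add(d)
        return seen_before

    def stored_digests(self):
        return frozenset(self._seen)

def matches_in_candidates(stored, candidates, digest=url_digest):
    """URLs from a candidate list whose digest is in the stored set.
    This is the dictionary test anyone who reads the stored list can run."""
    return sorted(u for u in candidates if digest(u) in stored)

if __name__ == "__main__":
    # Constructed sample URLs and key, for illustration only.
    candidates = ["https://bank.example/login", "https://clinic.example/", "https://news.example/"]
    plain = HashedVisitLog()
    plain.visit("https://bank.example/login")
    print("revisit recognised:", plain.visit("https://bank.example/login"))
    print("unkeyed list reveals:", matches_in_candidates(plain.stored_digests(), candidates))
    keyed = HashedVisitLog(keyed_digest(b"constructed-demo-key-not-a-real-secret"))
    keyed.visit("https://bank.example/login")
    print("revisit recognised:", keyed.visit("https://bank.example/login"))
    print("keyed list without key reveals:", matches_in_candidates(keyed.stored_digests(), candidates))
```

Keying the digest only relocates the secret: whoever obtains both the stored list and the key can run the same candidate test, so the key must not be kept alongside the list.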