- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Mon, 27 Aug 2018 09:21:03 +0000
- To: Mike West <mkwst@google.com>
- cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, rigo@w3.org, squid3@treenet.co.nz, rigo@w3c.org, HTTP Working Group <ietf-http-wg@w3.org>
--------
In message <CAKXHy=eVOjyXa8+iLrXt8AYtFj1wDPrp_ZQAHjX3f4U_=niPgA@mail.gmail.com>, Mike West writes:

>> >> Not sure I agree there, if UAs by default sent a different
>> >> 64 bit randomly generated ID to each origin and kept those
>> >> IDs for a long time, that seems worse to me than the current
>> >> situation. (I'm not saying that's Mike's proposal, but
>> >> just disagreeing with your "no big difference" statement.)
>> >
>> > How is that worse than sending an opaque cookie,
>>
>> If it was always sent, with no opt-out. (Again, I'm not
>> saying that was Mike's proposal though.)
>>
>
>IMO, users must always have the ability to opt-out of sending this
>identifier to any entity, just as they do with cookies today. User agents
>should likely aim above that bar, but an opt-out is the bare minimum.

My original proposal was that this identifier is 100% under
the client's control, and that one bit is a courtesy bit where
the client signals if it intends this to be a permanent session
or an ephemeral/temporary session.

As a starting point, browsing in private mode would set the bit
to ephemeral, browsing in normal mode would set it to permanent.

But obviously the user should have a way to say "always send
ephemeral IDs to $ADNETWORK" etc.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Received on Monday, 27 August 2018 09:21:29 UTC