
Re: Migrating some high-entropy HTTP headers to Client Hints.

From: Martin J. Dürst <duerst@it.aoyama.ac.jp>
Date: Tue, 29 Jan 2019 07:34:43 +0000
To: Ilya Grigorik <igrigorik@google.com>
CC: Mike West <mkwst@google.com>, Yoav Weiss <yoavweiss@google.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <0cc2af58-4bcb-b1dc-329f-bc7700ca6a9a@it.aoyama.ac.jp>

Hello Ilya,

On 2019/01/29 08:07, Ilya Grigorik wrote:

> Hi Martin.
> 
> To echo what Mike highlighted before, I don't think we're suggesting that
> CH will eliminate fingerprinting. To your point, yes 3P providers will
> likely request that site owners grant access to these hints, but that in
> itself is already a significant step forward: hints are restricted to
> secure transports (significantly reduced fingerprinting surface area for
> unencrypted traffic); 1P must explicitly state what hints they want to
> receive (auditing); 1P must explicitly delegate permission to 3Ps (auditing
> and permission based access). Compare that to status quo today, where there
> are no signals on what data is being requested and used by whom, and most
> 1P's being entirely unaware of which 3P's are collecting what data from
> their users.
> 
> CH is not a magic bullet but the constraints it introduces — I think —
> offer significant accountability and transparency improvements over status
> quo.

Thanks for the explanations. If something similar can go into the 
relevant draft, in a "Privacy Considerations" section if there is one, 
and if not as part of the "Security Considerations" section or in some 
other appropriate place, then that would be great.

Regards,   Martin.

> ig
> 
Received on Tuesday, 29 January 2019 07:35:08 UTC
