On Thu, May 21, 2020 at 6:48 AM Alissa Cooper via Datatracker <noreply@ietf.org> wrote:
> Alissa Cooper has entered the following ballot position for
> draft-ietf-httpbis-client-hints-14: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-httpbis-client-hints/
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Section 1: "passively providing such information allows servers to silently
> fingerprint the user" --> isn't pretty much all fingerprinting silent?
>
> Moreover, I think it would be good to explain in Section 1 that Client Hints
> provides a way for servers to actively fingerprint clients rather than doing
> it passively.
>
I actually don't think this characterization is correct. Specifically:
- When something that clients unilaterally send now is replaced by a client
hint (e.g., User-Agent) then this changes fingerprinting from passive to
active
- When something that you currently have to call a JS API to get is
replaced by a client hint, then this makes it *more* passive because the
server only has to take one action to get the hint indefinitely.
-Ekr
>