Re: FYI: Oblivious HTTP

> On Jan 28, 2021, at 4:19 PM, Martin Thomson <mt@lowentropy.net> wrote:
> 
> The things that we're talking about using this for are those cases where we have identified a privacy risk associated with having a server being able to link requests.  The original case in research was DNS queries, where it has been shown that building profiles of users based on their DNS activity has poor privacy properties.  At Mozilla, we're also considering this style of approach in other places that browsers make requests with information that might be sensitive, like telemetry reporting.
> 
> There are non-trivial costs associated with setting this up.  As a proxy needs to be run by a separate entity, but they don't see any direct benefit from the service they provide, you have to arrange for their costs to be met somehow.  You need to do so in a way that the server can ensure that the proxy is not enabling DoS attacks, while also retaining sufficient independence that clients can trust the proxy.  This is harder as the use cases become more general, but we believe that this can be arranged for certain specific cases.
> 
> Does the explanation about applicability help?  I realize now that I shouldn't have left this up to inference, and the draft should probably at least address the point directly, so I'll make sure that the next version does something about that.

Yes, that helps. I guess my big question is whether the proxy is aware of "for whom" (in an account sense) the proxy is doing this work (unlinkable requests), or does the scope require that the proxy be oblivious to both what is being requested and who is doing the requesting?

....Roy

Received on Friday, 29 January 2021 19:48:52 UTC