- From: Ilari Liusvaara <ilariliusvaara@welho.com>
- Date: Tue, 7 Feb 2023 17:41:37 +0200
- To: HTTP Working Group <ietf-http-wg@w3.org>

On Tue, Feb 07, 2023 at 12:32:22PM +0000, Stephen Farrell wrote:
>
> On 07/02/2023 05:58, Mark Nottingham wrote:
> > Hello everyone,
> >
> > We first discussed this draft at IETF114[1], saw implementation
> > interest at IETF115, [2] and finally had some more list discussion.
> >
> > This is a Call for Adoption for:
> > https://www.ietf.org/archive/id/draft-schinazi-httpbis-unprompted-auth-01.html
> >
> > Please indicate (in response to this message) whether you support
> > adoption, and whether you intend to implement.
>
> I'm not sure.
>
> Can someone clarify whether the u= field amounts
> to a super-cookie or not, and if not, how that
> might be the case?
>
> If there's a good answer to the above, I'd support
> adoption. If not, not.

The u= is actually not username but key handle. And when it comes to
tracking, the standard stuff for keys applies:

- Don't use the same key in places you don't want linked together.
- If client chooses key identifiers, don't include any PII in those.

(This is how Webauthn addresses the tracking vector.)

-Ilari

Received on Tuesday, 7 February 2023 15:41:54 UTC