
Re: Call for Adoption: HTTP Unprompted Authentication

From: Ilari Liusvaara <ilariliusvaara@welho.com>
Date: Tue, 7 Feb 2023 17:41:37 +0200
To: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <Y+JxMcIde1NPyD7b@LK-Perkele-VII2.locald>
On Tue, Feb 07, 2023 at 12:32:22PM +0000, Stephen Farrell wrote:
> 
> On 07/02/2023 05:58, Mark Nottingham wrote:
> > Hello everyone,
> > 
> > We first discussed this draft at IETF114[1],  saw implementation
> > interest at IETF115, [2] and finally had some more list discussion.
> > 
> > This is a Call for Adoption for: https://www.ietf.org/archive/id/draft-schinazi-httpbis-unprompted-auth-01.html
> > 
> >  Please indicate (in response to this message) whether you support
> > adoption, and whether you intend to implement.
> 
> I'm not sure.
> 
> Can someone clarify whether the u= field amounts
> to a super-cookie or not, and if not, how that
> might be the case?
> 
> If there's a good answer to the above, I'd support
> adoption. If not, not.

The u= is actually not a username but a key handle. And when it comes to
tracking, the standard stuff for keys applies:

- Don't use the same key in places you don't want linked together.
- If the client chooses key identifiers, don't include any PII in those.

(This is how WebAuthn addresses the tracking vector.)



-Ilari
Received on Tuesday, 7 February 2023 15:41:54 UTC
