- From: <bugzilla@jessica.w3.org>
- Date: Tue, 13 Aug 2013 05:33:59 +0000
- To: public-html-bugzilla@w3.org

https://www.w3.org/Bugs/Public/show_bug.cgi?id=22910

--- Comment #1 from Glenn Adams <glenn@skynav.com> ---

Propose the following draft text, to be added as a new top level section or a sub-section of the Introduction. Note that this proposal is little more than an outline intended to be elaborated after further discussion in the TF.

X Privacy Considerations

This section is non-normative.

Fingerprinting

Malicious applications may be able to fingerprint users or user agents by detecting or enumerating the list of key systems that are supported.

Tracking

If user agents permit keys to be re-used between origins, without performing any secondary operations such as key derivation that includes the origin, then it may be possible for two origins to collude and track a unique user by recording their ability to access a common key.

Super-cookies

With the exception of ephemeral keys, it's often desirable for applications to strongly associate users with keys. These associations may be used to enhance the security of authenticating to the application, such as using a key stored in a secure element as a second factor, or may be used by users to assert some identity, such as an e-mail signing identity. As such, these keys often live longer than their counterparts such as usernames and passwords, and it may be undesirable or prohibitive for users to revoke these keys.

Because of this, keys may exist longer than the lifetime of the browsing context [HTML] and beyond the lifetime of items such as cookies, thus presenting a risk that a user may be tracked even after clearing such data. This is especially true for keys that were pre-provisioned for particular origins and for which no user interaction was provided.

--
You are receiving this mail because:
You are the QA Contact for the bug.
Received on Tuesday, 13 August 2013 05:34:04 UTC
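
The "Tracking" paragraph in the comment above contrasts a key re-used between origins with one produced by key derivation that includes the origin. The following is an added example, not part of the original message or of any W3C text; it assumes HKDF-SHA-256 as the derivation, and `MASTER`, the `origin-key v1|` label and all function names are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def serialize_origin(url: str) -> bytes:
    """Canonical scheme://host:port so equivalent URLs map to one origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not a tuple origin: {url!r}")
    port = parts.port or DEFAULT_PORTS[scheme]
    return f"{scheme}://{parts.hostname}:{port}".encode()

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA-256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def key_id(key: bytes) -> str:
    """What a site can record about a key it is allowed to use."""
    return hashlib.sha256(key).hexdigest()[:16]

def shared_key(master: bytes, url: str) -> bytes:
    """Behaviour the draft warns about: every origin gets the same key."""
    return master

def origin_bound_key(master: bytes, url: str) -> bytes:
    """Key derivation that includes the origin (hypothetical label prefix)."""
    return hkdf_sha256(master, b"", b"origin-key v1|" + serialize_origin(url))

def linkable(policy, master: bytes, url_a: str, url_b: str) -> bool:
    """True if two colluding origins observe the same key identifier."""
    return key_id(policy(master, url_a)) == key_id(policy(master, url_b))

MASTER = bytes(range(32))  # constructed sample key material, not a real key

if __name__ == "__main__":
    a, b = "https://news.example/", "https://ads.example/"
    print("shared key linkable:      ", linkable(shared_key, MASTER, a, b))
    print("origin-bound key linkable:", linkable(origin_bound_key, MASTER, a, b))
```

Origin serialization matters here: two URLs of the same origin must derive the same key, while a scheme, host or port difference must not.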