- From: <bugzilla@jessica.w3.org>
- Date: Tue, 26 Aug 2014 17:51:53 +0000
- To: public-html-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=26401

--- Comment #11 from Mark Watson <watsonm@netflix.com> ---
(In reply to Joe Steele from comment #10)
> (In reply to Mark Watson from comment #9)
> > Perhaps we need some information in the security considerations about the
> > need to protect initData?
>
> This is a good idea. However we already have some text in section 7.1.3
> Tracking to address this (see "Encryption of user identifiers"). Maybe we
> should expand that text to specifically discuss when identifiers are sent as
> part of a key request message?
>

The attack is that the message is routed to the wrong place, which is a security issue. One of the things an attacker could do once they've achieved this might be to abuse identifiers in the messages, which would be a privacy issue.

We should address the underlying security issue (mis-routing of messages) - it would still be an issue even if the identifiers were not present.

--
You are receiving this mail because:
You are the QA Contact for the bug.
Received on Tuesday, 26 August 2014 17:51:54 UTC