[Bug 27269] New: Normatively require distinctive identifiers to be different by top-level and EME-using origin

https://www.w3.org/Bugs/Public/show_bug.cgi?id=27269

            Bug ID: 27269
           Summary: Normatively require distinctive identifiers to be
                    different by top-level and EME-using origin
           Product: HTML WG
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Encrypted Media Extensions
          Assignee: adrianba@microsoft.com
          Reporter: hsivonen@hsivonen.fi
        QA Contact: public-html-bugzilla@w3.org
                CC: mike@w3.org, public-html-media@w3.org
        Depends on: 27268

In order to make distinctive identifiers useless for tracking users across
sites (whether the tracking is performed by a video hosting service serving
many sites, an ad or analytic service whose scripts are included by many sites
or by a network MITM who injects EME usage into many non-https sites), please
require that distinctive identifiers (bug 27268) be different whenever the
origin of the document in the top-level browsing context or the origin using
EME is different.

This bug does not address tracking across time on a particular site. I will
file another bug on that topic.

(Start proposed spec text for a *normative* section)

Implementations MUST ensure that the same distinctive identifier is not exposed
to two different combinations of the origin of the document in the top-level
browsing context and the origin of the document using the interfaces defined in
the specification. It is RECOMMENDED that ensuring this be the responsibility
of the User Agent rather than the responsibility of the CDM. Implementations
MUST ensure that CDM instances from different combinations of the origin of the
document in the top-level browsing context and the origin of the document using
the interfaces defined in the specification do not communicate with each other
either directly or through shared storage. It is RECOMMENDED that it is the
responsibility of the User Agent to enforce the communication restriction
stated in the previous sentence.

Note: The most obvious way to meet this requirement is to ensure that the CDM
itself does not have any distinctive identifiers built into it (i.e. the CDM
itself is identical across a large population of devices) and any distinctive
identifiers that the CDM is allowed to obtain from the local device be hashed
with a salt randomly generated by the User Agent and associated, by the User
Agent, with the pair of the origin of the document in the top-level browsing
context and the origin using the interfaces defined in the specification
(or the distinctive identifiers be derived from such a hash). To meet the
requirement about storage, storage available to the CDM can be partitioned such
that each salt value remembered by the User Agent is associated with a distinct
storage partition.
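As an added illustration (not part of this bug report, nor of any browser or CDM implementation), a hypothetical user-agent-side sketch of the approach in the Note: a random salt per (top-level origin, EME-using origin) pair, a keyed hash of the device identifier under that salt handed to the CDM instead of the raw value, and CDM storage partitioned by salt. The origins and the device serial are constructed values.

```python
import hashlib
import hmac
import secrets


class DistinctiveIdPartitioner:
    """Hypothetical UA-side partitioning of distinctive identifiers.

    The raw device identifier stays inside the User Agent. Each
    (top-level origin, EME-using origin) pair gets its own random salt;
    the CDM only ever sees HMAC(salt, device_identifier), so two pairs
    cannot correlate the values they observe. CDM storage is keyed by
    the same salt, giving each pair a separate partition.
    """

    def __init__(self, device_identifier: bytes):
        self._device_identifier = device_identifier  # constructed, never exposed
        self._salts: dict[tuple[str, str], bytes] = {}
        self._storage: dict[bytes, dict] = {}  # one partition per salt

    def _salt_for(self, top_level_origin: str, eme_origin: str) -> bytes:
        key = (top_level_origin, eme_origin)
        if key not in self._salts:
            # Fresh 256-bit salt the first time this origin pair uses EME.
            self._salts[key] = secrets.token_bytes(32)
        return self._salts[key]

    def distinctive_identifier(self, top_level_origin: str, eme_origin: str) -> str:
        """Value the CDM is allowed to obtain for this origin pair."""
        salt = self._salt_for(top_level_origin, eme_origin)
        return hmac.new(salt, self._device_identifier, hashlib.sha256).hexdigest()

    def cdm_storage(self, top_level_origin: str, eme_origin: str) -> dict:
        """Storage partition visible to the CDM instance for this pair."""
        salt = self._salt_for(top_level_origin, eme_origin)
        return self._storage.setdefault(salt, {})


if __name__ == "__main__":
    ua = DistinctiveIdPartitioner(b"constructed-device-serial-0001")
    # Same video host embedded on two different top-level sites: different IDs.
    print(ua.distinctive_identifier("https://site-a.example", "https://video.example"))
    print(ua.distinctive_identifier("https://site-b.example", "https://video.example"))
```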

Received on Friday, 7 November 2014 12:16:14 UTC