- From: <bugzilla@jessica.w3.org>
- Date: Thu, 15 Jan 2015 18:09:43 +0000
- To: public-html-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=27268 --- Comment #6 from David Dorwin <ddorwin@google.com> --- (In reply to Henri Sivonen from comment #5) > (In reply to David Dorwin from comment #1) > > https://github.com/w3c/encrypted-media/commit/ > > ce5d69ae56fc9cc890a02b132533431d54089780 adds the definition. It is mostly > > the the proposed text from comment #0. > > > > I have some questions for Henri below. > > > > (In reply to Henri Sivonen from comment #0) > > > 3) It is used in more than one session > > By "session", do you really mean MediaKeySession? What about sessions within > > the same MediaKeys object? > > I think I don't understand the implications of the distinction well enough > to give an informed response at this time. I want to understand the type of session you were referring to so that I can eliminate the ambiguity in the spec. I think the problem is that the identifier is the same between, for example, visits to a page. This could be a browsing session. I don't think you meant MediaKeySession, since MediaKeySessions share a MediaKeys object and CDM instance and thus likely share identifiers. > > > > or is potentially used in one > > > persistent session across the point of persistence. > > Please clarify and/or explain the purpose of this text. > > The purpose of this text is to close a loophole where a never-ending > persistent session could carry around something that's seemingly a > throw-away (and, therefore, presumptively not distinctive) value like a > nonce, but it doesn't actually get thrown away in reasonable time and > becomes a tracking id (i.e. distinctive for practical purposes). Is the never-ending persistent session internal to the CDM or is it left and used by the application? Any persistent session provides tracking just like a cookie. It's unlikely that persistent sessions would be identical on two systems. What is your specific concern beyond that? Note: The user should be able to clear persistent sessions (like cookies), which should erase such an ID. > > > > * A nonce that's unique but used in only one non-persistent session. > > What is the importance of "non-persistent" here? (I did not include this in > > the change.) > > See above about using a never-ending persistent session for tracking users. Okay. If I understand correctly, you consider any nonce in a persistent session to be a distinctive identifier. I am arguing that any persistent session is likely to be a distinctive identifier by that logic. While such things could be used to track a user (unless/until the sessions are cleared by the user), I think this waters down the meaning of distinctive identifier and distracts from the far more concerning types of identifiers. Perhaps we should add a note somewhere explaining out persistent sessions could be used to track users. -- You are receiving this mail because: You are the QA Contact for the bug.
Received on Thursday, 15 January 2015 18:09:48 UTC