[encrypted-media] Non-distinctive Permanent Identifiers may be exposed to the application or origin

ddorwin has just created a new issue for 
https://github.com/w3c/encrypted-media:

== Non-distinctive Permanent Identifiers may be exposed to the application or origin ==
The NOTE in [Use Per-Origin Per-Profile Identifiers](https://w3c.github.io/encrypted-media/#per-origin-per-profile-identifiers) currently [1] says:
> Permanent Identifiers MUST NOT be exposed to the application or origin.

This statement includes all permanent identifiers, including values 
that are shared by, for example, all users of a specific device model 
[2] or platform. This is _not_ the intent and would likely prohibit 
any implementation that does not use Distinctive Identifiers.

Looking at the commit that 
[added](https://github.com/w3c/encrypted-media/commit/765295425f6fa259c76eea1169d24413268fce51#diff-f72607e47a6f74e53dc90eab8ee094e2R3262) 
this text, it appears this statement was intended to address the 
exception for Permanent Identifiers being per-origin in the normative 
text. However, I believe this should have been **Distinctive** 
Permanent Identifiers.

The lack of requirements around non-distinctive Permanent Identifiers, 
that is Permanent Identifiers that are not Distinctive Permanent 
Identifiers, would seem to indicate there are not significant concerns 
about these, and, as mentioned above, they are essentially required 
for implementations that avoid using user-specific Distinctive 
Identifiers.

[1] This is just used as a possible example. The spec does not say 
whether such a model key is distinctive. The spec says, "A Distinctive 
Permanent Identifier is a Permanent Identifier that is _not_ shared 
across a large population of users or client devices," but "large 
population" is not defined. This bug and example use here does not 
change that.

Please view or discuss this issue at 
https://github.com/w3c/encrypted-media/issues/308 using your GitHub 
account

Received on Tuesday, 30 August 2016 21:08:05 UTC