- From: ddorwin via GitHub <sysbot+gh@w3.org>
- Date: Wed, 08 Jun 2016 01:34:58 +0000
- To: public-html-media@w3.org
ddorwin has just created a new issue for https://github.com/w3c/encrypted-media: == The Origin-Independent Individualization process would not generate a compliant Distinctive Identifier == The current Origin-Independent Individualization process currently says the following: 1. "The resulting identifier MUST be origin- and application-independent." 1. "Implementations MAY derive non-associable per-origin identifiers from such identifiers and provide those to the application (encrypted)." I think this text is outdated and based on an old definition of Distinctive Identifier before privacy-related requirements were added. As with "Per-Origin Individualization" in #110, I think this section needs to be updated. Distinctive Identifiers must be per-origin, so (1) means the value cannot be used directly. (Per the parent section, this process is supposed to provide a Distinctive Identifier, which is not the case.) However, I believe any derivation as mentioned in (2) would either a) be associable (e.g. because the interim value is used to sign the derived identifiers and maintain the attestation chain or b) break the usefulness of such an identifier for attestation. I believe what is really intended is "Direct Individualization" where we allow indelible identifiers to be used because they do not go through the application. Similarly, "Per-Origin Individualization" should be "App-Based Individualization." I will make an attempt at this and create a PR for review. Please view or discuss this issue at https://github.com/w3c/encrypted-media/issues/231 using your GitHub account
Received on Wednesday, 8 June 2016 01:34:59 UTC