[encrypted-media] The Origin-Independent Individualization process would not generate a compliant Distinctive Identifier

ddorwin has just created a new issue for 
https://github.com/w3c/encrypted-media:

== The Origin-Independent Individualization process would not generate
a compliant Distinctive Identifier ==
The current Origin-Independent Individualization process currently 
says the following:

1. "The resulting identifier MUST be origin- and 
application-independent."
2. "Implementations MAY derive non-associable per-origin identifiers 
from such identifiers and provide those to the application 
(encrypted)."

I think this text is outdated and based on an old definition of 
Distinctive Identifier before privacy-related requirements were added. 
As with "Per-Origin Individualization" in #110, I think this section 
needs to be updated.

Distinctive Identifiers must be per-origin, so (1) means the value 
cannot be used directly. (Per the parent section, this process is 
supposed to provide a Distinctive Identifier, which is not the case.) 
However, I believe any derivation as mentioned in (2) would either a) 
be associable (e.g. because the interim value is used to sign the 
derived identifiers and maintain the attestation chain) or b) break 
the usefulness of such an identifier for attestation.

I believe what is really intended is "Direct Individualization" where 
we allow indelible identifiers to be used because they do not go 
through the application. Similarly, "Per-Origin Individualization" 
should be "App-Based Individualization."

I will make an attempt at this and create a PR for review.

Please view or discuss this issue at 
https://github.com/w3c/encrypted-media/issues/231 using your GitHub 
account

Received on Wednesday, 8 June 2016 01:34:59 UTC