Re: Guidance, I mentioned on the call

On Aug 25, 2012, at 2:25, Hannes Tschofenig <Hannes.Tschofenig@gmx.net> wrote:

> Hi David,
> 
> in the guidelines we had specifically focused on aspects that concern protocol specification development. For that reason we are not talking too much, for example, about the duration of data storage.

Hi

for most IETF specifications, indeed we are talking about classic protocols, and duration is not relevant.  But many W3C specifications are at the presentation layer and have storage, or relationships to it, built in.  Think of HTML local storage, for example.

Even at the IETF, cookies are an aspect of HTTP.

I think it may be helpful to 'debug the bugs', and look back and ask "what questions could have helped mitigate previous privacy issues?".  For example, link-visited in CSS was about the storage of visit history and accidentally exposing that to script.


> 
> For example, we ask a question regarding the persistence of identifiers because the ability to create new identifiers on the fly typically has impact on the entire protocol architecture. For example, in SIP a separate mechanism was defined to request and obtain these identifiers. When used they also have an impact on the access control mechanisms (when you think about white- and blacklists, or reputation that is associated with identifiers).
> 
> Your comments quite nicely illustrate the importance of deciding about the target audience and the scope of guidelines. Your questions would be most likely targeted to someone who is building a product rather than a specification.

Alas, no, it is the 'naive implementation of the specification as written' and the consequences of that that most concern me in a W3C/IETF context.


David Singer
Multimedia and Software Standards, Apple Inc.

Received on Saturday, 25 August 2012 20:00:21 UTC