- From: David Singer <singer@apple.com>
- Date: Thu, 29 Jan 2015 19:24:45 +0100
- To: Mike O'Neill <michael.oneill@baycloud.com>
- Cc: Wendy Seltzer <wseltzer@w3.org>, chaals@yandex-team.ru, Robin Wilton <wilton@isoc.org>, Joseph Hall Lorenzo <joe@cdt.org>, Bjoern Hoehrmann <derhoermi@gmx.net>, Wenning Rigo <rigo@w3.org>, "public-privacy mailing list) (W3C" <public-privacy@w3.org>
> On Jan 29, 2015, at 19:09 , Mike O'Neill <michael.oneill@baycloud.com> wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > >> Interesting mix of norms and tech -- and yes, a different privacy threat >> model from the one many of us are accustomed to considering. Here, we're >> trusting the server to share our interests and want to help us enforce >> the contextual boundaries we choose, even if its knowledge could span >> those boundaries. >> >> This model is a better match with the Web Origin security model -- where >> an origin site is presumed to have control of the web application >> security, and the end-user must choose to trust the origin (with limited >> user-side overrides) or not visit the site. >> >> I wonder what sorts of feedback could help to reinforce to end-users >> that their trust was in fact merited. >> >> --Wendy >> > > > It would have to include all the servers being accessed, third-parties also. I think David's header would be seen all of them, and it would only take one to ignore the contextual boundaries, decide to combine multiple personas with other data in a PII keyed database, then broadcast it to the world (and UA based UUIDs are far more reliably user-identifying than IP addresses which are usually ephemeral and non-unique). True, but don’t forget we’re coming from a state where the servers don’t even know of the desire. I don’t mind machine-based discoverability, but it’s tricky to work out how to include transparent proxies and caches in that. > > Maybe there should be an implicit web of trust that covers all the servers receiving user specific data on a page, where they all commit to a common declared level of privacy and security. The browser could then have UI to communicate that. The problem comes from elements not directly on the page, of course. > > WebID could be used to identify all the parties (not just origins), and a manifest could define the trust relationship. > > Mike > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.13 (MingW32) > Comment: Using gpg4o v3.4.19.5391 - http://www.gpg4o.com/ > Charset: utf-8 > > iQEcBAEBAgAGBQJUyndEAAoJEHMxUy4uXm2JSeMIAMmr8UE6vjZuhQnhBfNihFsr > Tjm9k8/l0OwywckMwFadKL/sFP2SSLP8tzWnXI87UScAJXXAM9/y3bxUKLzY88+9 > rnYRQYHGzEpIzuSN/rRvf8/EOiVfA2CrMQ0h4c+WofrqARNU2xhI7XPY2nI7v2Nl > sCsK0y89+cKCBDe41jkWvs+vkjrlaCcMvpold6BOPFgIcKSWlDtDKek8bQ78qxi4 > sgmAr41TL6/BnBjxgUh5NDescGLh7DPDmK4/YoLjr1E3IAU2io7h1WevVzxgC+tj > H/W2oeFlU9dLASm0aFPOfQ98zWvDen94XYFd4SNFJqYgPGwMgcM+7p+ku429n/Q= > =lP8p > -----END PGP SIGNATURE----- > > David Singer Manager, Software Standards, Apple Inc.
Received on Thursday, 29 January 2015 18:25:18 UTC