Re: Unique identifiers and WebCrypto

I, again, feel that privacy is being brought into the conversation about pre-provisioned keys in an unrelated way.

Recognize that a single device may come with a number of different applications, each with its own pre-provisioned key. A Blu-ray player can come with a Netflix app as well as an Amazon app – with totally different keys. When we talk about authorization, we are talking about the user authorizing the Netflix app to access its key, and the Amazon app to access its own key. These keys have nothing to do with the device identifier.

These keys are not the same as a TPM cert, or the UID of Apple devices – which are unique per device.

I do not understand how this becomes privacy-related. Recognize that the service accessed by the user already has so many avenues to collect data on them – they know how many simultaneous streams you have, from which locations (by IP address), your viewing history, your preferences, and heck, your credit card, address, phone number, and so on. Why are we talking about keys as somehow opening up the user's treasure chest?

On 11/8/12 12:59 PM, "Thomas Hardjono" <hardjono@mit.edu> wrote:

-----Original Message-----
From: Mark Watson [mailto:watsonm@netflix.com]
Sent: Thursday, November 08, 2012 2:47 PM
To: Wan-Teh Chang
Cc: Thomas Hardjono; Seetharama Rao Durbha; public-webcrypto@w3.org Group
Subject: Re: Unique identifiers and WebCrypto

On Nov 8, 2012, at 11:34 AM, Wan-Teh Chang wrote:

> On Thu, Nov 8, 2012 at 11:27 AM, Mark Watson <watsonm@netflix.com> wrote:
>>
>> My objective with the feature in question here is that the privacy
>> implications be no worse than (and hopefully better than) cookies and
>> web storage. One aspect in which the situation is better is that
>> users have very little idea what a site will use cookies and web
>> storage for when they give permission. Giving a site permission to
>> access an (origin-specific) device identifier is arguably easier to
>> understand.
>
> If I understand it correctly, the perceived problem with an
> origin-specific device identifier is that it is "read only" and cannot
> be deleted by the user.

Well, UAs may choose to allow users to delete the identifier. From the
site's point of view that's indistinguishable anyway from the site not
being authorized by the user to see it. The issue is that if you delete
such an identifier, services that need it may not work any more and
users need to be warned about that. On a TV this would be a
"permanently disable service X" button. Personally I would happily use
that feature on certain TV channels ;-)

>
> On the other hand, the user can effectively change the device
> identifier by getting a new device,

Depending on device implementation, it may be able to change its device
identifier at user request.

> whereas an (origin-specific) user identifier, such as my Yahoo Mail
> account and Amazon.com account, usually lasts much longer than the
> lifetime of a device. So it's not clear to me if a device identifier
> has more serious privacy issues.
>
> Wan-Teh

I may be way off, but isn't this precisely the challenge of
privacy-preserving identity:
(a) how a user-selected identifier can be bound (unbound) by the user
to a service-issued identifier;
(b) how the user can select a new identifier and re-bind it to an old
service-issued identifier;
(c) how to do (a) and (b) with the assurance that neither the UA nor
the service is keeping track of the bindings.

/thomas/

Received on Thursday, 8 November 2012 22:39:31 UTC