- From: Seetharama Rao Durbha <S.Durbha@cablelabs.com>
- Date: Thu, 8 Nov 2012 15:38:55 -0700
- To: Thomas Hardjono <hardjono@mit.edu>, Mark Watson <watsonm@netflix.com>, Wan-Teh Chang <wtc@google.com>
- CC: "public-webcrypto@w3.org Group" <public-webcrypto@w3.org>
- Message-ID: <CCC17FDA.7FB8%s.durbha@cablelabs.com>
I, again, feel that privacy is being brought into the conversation of pre-provisioned keys in an unrelated way. Recognize that, a single device may come with number of different applications, each with their own pre-provisioned key. A blu-ray player can come with a Netflix app, as well as an Amazon app – with totally different keys. When we talk about authorization, we are talking about user authorizing the Netflix app to access its key, and Amazon app to access its own key. These keys have nothing to do with the device identifier. These keys are not the same as TPM cert, or UID of Apple devices – which are unique per device. I do not understand how this becomes privacy-related. Recognize that the service accessed by the user already has so many avenues to collect data on them – they know how many simultaneous streams you have, from which locations (by IP address), viewing history, your preferences, and heck your credit card, address, phone number, and so on. Why are we talking about keys as somehow opening up user's treasure chest? On 11/8/12 12:59 PM, "Thomas Hardjono" <hardjono@mit.edu<mailto:hardjono@mit.edu>> wrote: -----Original Message----- From: Mark Watson [mailto:watsonm@netflix.com] Sent: Thursday, November 08, 2012 2:47 PM To: Wan-Teh Chang Cc: Thomas Hardjono; Seetharama Rao Durbha; public-webcrypto@w3.org<mailto:public-webcrypto@w3.org> Group Subject: Re: Unique identifiers and WebCrypto On Nov 8, 2012, at 11:34 AM, Wan-Teh Chang wrote: > On Thu, Nov 8, 2012 at 11:27 AM, Mark Watson <watsonm@netflix.com<mailto:watsonm@netflix.com>> wrote: >> >> My objective with the feature in question here is that the privacy >> implications be no worse than (and hopefully better than) cookies and >> web storage. One aspect in which the situation is better is that >> users have very little idea what a site will use cookies and web >> storage for when they give permission. Giving a site permission to >> access an (origin-specific) device identifier is arguably easier to >> understand. > > If I understand it correctly, the perceived problem with an > origin-specific device identifier is that it is "read only" and cannot > be deleted by the user. Well, UAs may choose to allow users to delete the identifier. From the site's point of view that's indistinguishable anyway from the site not being authorized by the user to see it. The issue is that if you delete such an identifier, services that need it may not work any more and users need to be warned about that. On a TV this would be a "permanently disable service X" button. Personally I would happily use that feature on certain TV channels ;-) > > On the other hand, the user can effectively change the device > identifier by getting a new device, Depending on device implementation, it may be able to change its device identifier at user request. > whereas an (origin-specific) user identifier, such as my Yahoo Mail > account and Amazon.com account, usually last much longer than the > lifetime of a device. So it's not clear to me if a device identifier > has more serious privacy issues. > > Wan-Teh I may be way off, but isn't this precisely the challenge of privacy-preserving identity: (a) how a user-selected identifier can be bound (unbound) by the user to a service-issued identifier; (b) how the user can select a new identifier and re-bound it to an old service-issued identifier. (c) how to do (a) and (b) with the assurance that neither the UA nor the service is keeping track of the bindings. /thomas/
Received on Thursday, 8 November 2012 22:39:31 UTC