Re: [whatwg] API for unique identification of devices (mobile/tablet/pc)

From: Lee Kowalkowski <lee.kowalkowski@googlemail.com>
Date: Fri, 14 Dec 2012 11:46:02 +0000
Message-ID: <CAGpS7GPVhH3OLCcBULR+RWXhzWojZonz9a1rWLizt6FHokybsw@mail.gmail.com>
To: Stan <stasson@orc.ru>
Cc: whatwg@lists.whatwg.org
On 13 December 2012 20:20, Stan <stasson@orc.ru> wrote:

> Hi,
>
> I'd like to propose an API to get a unique device's ID in HTML5.


What is a unique device ID?  Do all devices have a unique ID?  Which bit of
hardware is responsible for storing such a thing?  Who guarantees its
uniqueness, and how?


> In fact, a single method/property seems sufficient so far, say:
> window.navigator.deviceID.
>

I don't know if that's sufficient, I would presume it would also be
required by a web application as a request header?


> The property should return a string, either obtained directly from OS (as
> provided
> by manufacturer, for example, Android ID), or mangled with some "salt".
>

Then it's not a device ID.  You can have multiple OS on a device.  Is there
an existing hardware-based, unique ID that every OS can provide so user
agents can use that?  Is there a specification or standard for operating
systems so that this information can be guaranteed unique?  (No)


> Due to security and privacy considerations, the API should ask user
> confirmation to
> access the ID by current site, much like geolocation API does.
>

It's only a privacy consideration if you're associating the ID with
personal details.  So if you're requesting personal details, then just use
them, and not the device ID.  What's the reason to know the device ID in
this situation?


> The reasoning for this API is the need to uniquely identify every device in
> many web-applications.


OK.  The only real-world use case I've encountered where a web application
attempts to uniquely identify a device was to detect whether a session had
been hijacked.  Each user of a web application has a unique session, the
assumption was therefore that the capabilities of the user's device would
not drastically change mid-session (as determined by periodically
fingerprinting a wide range of the user agent's
characteristics/capabilities).


> Currently the only option is to use some user registration
> scheme with cookies, local storage, etc.


That doesn't tell you anything about the device.  That's how a web
application remembers a user, but the web application decides the unique
session ID, and therefore the maximum length of the session, and whether or
not a user is allowed to have multiple concurrent sessions, etc.  In other
words, quite a lot depends on the context of the web application.


> It leads to overheads in development (user
> table support, authorization implementation), and inconveniences to end
> users
> which must register themselves on many sites.


I don't see how a device ID solves or assists.  Where will the user
information come from?  Are you interested in the user, or the device?
Which?  A user is not a device.


> Seamless and unobtrusive,
> yet authorized identification of device would improve users' experience,
> imho.
>

It would?!? How?

No client information received by any web application should be trusted
outright, that would be a gaping hole in security.

Let's suppose a device is replaced, destroyed, cloned or stolen.  What
happens then?

Perhaps you're really looking for an identity assurance provider, or a
mechanism for a public user profile to be stored in the browser?
-- 
Lee
www.webdeavour.co.uk
Received on Friday, 14 December 2012 11:46:29 UTC
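
The session-hijack check described in the message above (periodically comparing the user agent's characteristics against those seen at the start of the session), shown server-side as an added example that is not part of the original post. The attribute names, the 0.4 threshold and the sample values are assumptions constructed for illustration.

```javascript
// Added example. Attribute names, threshold and sample values are constructed.
const TRACKED = ["userAgent", "acceptLanguage", "platform", "screen", "timezone"];

// Keep only the tracked attributes, normalised to strings.
function snapshot(attrs) {
  const snap = {};
  for (const key of TRACKED) snap[key] = String(attrs[key] ?? "");
  return snap;
}

class SessionMonitor {
  constructor(threshold = 0.4) {
    this.threshold = threshold; // fraction of attributes allowed to change
    this.baselines = new Map(); // sessionId -> snapshot taken at login
  }

  // Record the baseline once, right after the user authenticates.
  start(sessionId, attrs) {
    this.baselines.set(sessionId, snapshot(attrs));
  }

  // Periodic check. Every value is client-supplied and can be replayed, so a
  // match proves nothing; a large mismatch is only a cue to re-authenticate.
  check(sessionId, attrs) {
    const baseline = this.baselines.get(sessionId);
    if (!baseline) return { verdict: "unknown-session", changed: [] };
    const current = snapshot(attrs);
    const changed = TRACKED.filter((k) => baseline[k] !== current[k]);
    const drastic = changed.length / TRACKED.length >= this.threshold;
    return { verdict: drastic ? "reauthenticate" : "ok", changed };
  }
}

// Constructed sample data.
const LOGIN = { userAgent: "ExampleBrowser/17.0", acceptLanguage: "en-GB",
  platform: "Win32", screen: "1920x1080x24", timezone: "0" };
const MINOR_UPDATE = { ...LOGIN, userAgent: "ExampleBrowser/17.1" };
const OTHER_DEVICE = { userAgent: "OtherBrowser/10.0", acceptLanguage: "en-GB",
  platform: "Linux armv7l", screen: "800x1280x32", timezone: "-180" };

function demo() {
  const monitor = new SessionMonitor();
  monitor.start("sess-1", LOGIN);
  return [MINOR_UPDATE, OTHER_DEVICE].map((a) => monitor.check("sess-1", a).verdict);
}

console.log(demo()); // [ 'ok', 'reauthenticate' ]
```

The baseline is keyed to the session the application issued, not to the device, so the check survives a replaced or shared device and never needs a hardware identifier.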