- From: Lee Kowalkowski <lee.kowalkowski@googlemail.com>
- Date: Fri, 14 Dec 2012 11:46:02 +0000
- To: Stan <stasson@orc.ru>
- Cc: whatwg@lists.whatwg.org
On 13 December 2012 20:20, Stan <stasson@orc.ru> wrote:

> Hi,
>
> I'd like to propose an API to get a unique device's ID in HTML5.

What is a unique device ID? Do all devices have a unique ID? Which bit of hardware is responsible for storing such a thing? Who guarantees its uniqueness, and how?

> In fact, a single method/property seems sufficient so far, say:
> window.navigator.deviceID.

I don't know if that's sufficient, I would presume it would also be required by a web application as a request header?

> The property should return a string, either obtained directly from OS (as
> provided
> by manufacturer, for example, Android ID), or mangled with some "salt".

Then it's not a device ID. You can have multiple OS on a device. Is there an existing hardware-based, unique ID that every OS can provide so user agents can use that? Is there a specification or standard for operating systems so that this information can be guaranteed unique? (No)

> Due to security and privacy considerations, the API should ask user
> confirmation to
> access the ID by current site, much like geolocation API does.

It's only a privacy consideration if you're associating the ID with personal details. So if you're requesting personal details, then just use them, and not the device ID. What's the reason to know the device ID in this situation?

> The reasoning for this API is the need to uniquely identify every device in
> many web-applications.

OK. The only real-world use case I've encountered where a web application attempts to uniquely identify a device, was to detect whether a session had been hijacked. Each user of a web application has a unique session, the assumption was therefore that the capabilities of the user's device would not drastically change mid-session (as determined by periodically fingerprinting a wide range of the user agent's characteristics/capabilities).

> Currently the only option is to use some user registration
> scheme with cookies, local storage, etc.

That doesn't tell you anything about the device. That's how a web application remembers a user, but the web application decides the unique session ID, and therefore the maximum length of the session, and whether or not a user is allowed to have multiple concurrent sessions, etc. In other words, quite a lot depends on the context of the web application.

> It leads to overheads in development (user
> table support, authorization implementation), and inconveniences to end
> users
> which must register themselves on many sites.

I don't see how a device ID solves or assists. Where will the user information come from? Are you interested in the user, or the device? Which? A user is not a device.

> Seamless and unobtrusive,
> yet authorized identification of device would improve users' experience,
> imho.

It would?!? How? No client information received by any web application should be trusted outright, that would be a gaping hole in security. Let's suppose a device is replaced, destroyed, cloned or stolen. What happens then?

Perhaps you're really looking for an identity assurance provider, or a mechanism for a public user profile to be stored in the browser?

--

Lee

www.webdeavour.co.uk
Received on Friday, 14 December 2012 11:46:29 UTC
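
The session-hijack check mentioned in the message above, sketched as an added example that is not part of the original email: a server keeps the user agent characteristics seen at the start of a session and scores how far later requests drift from them. The attribute names, weights, threshold and sample values are assumptions constructed for illustration.

```javascript
// Added illustration. Every value here is client-reported and can be forged,
// so a match proves nothing; a large mismatch is only a reason to ask the
// user to authenticate again.
const WEIGHTS = {      // assumed weights: higher = less likely to change mid-session
  userAgent: 3,
  platform: 3,
  languages: 2,
  timezone: 1,         // changes legitimately when travelling
  screen: 1,           // changes legitimately when docking a laptop
};
const REAUTH_THRESHOLD = 4; // assumed policy value

// Keep only the known attributes, as strings, so comparisons are stable.
function snapshot(attrs) {
  const snap = {};
  for (const key of Object.keys(WEIGHTS)) {
    snap[key] = attrs[key] === undefined ? '' : String(attrs[key]);
  }
  return snap;
}

// Weighted count of attributes that differ from the session baseline.
function drift(baseline, current) {
  const changed = Object.keys(WEIGHTS).filter((k) => baseline[k] !== current[k]);
  const score = changed.reduce((sum, k) => sum + WEIGHTS[k], 0);
  return { score, changed };
}

class SessionMonitor {
  constructor() {
    this.baselines = new Map(); // session ID (chosen by the server) -> snapshot
  }

  // Returns { action: 'baseline' | 'ok' | 'reauthenticate', score, changed }.
  check(sessionId, attrs) {
    const current = snapshot(attrs);
    const baseline = this.baselines.get(sessionId);
    if (!baseline) {
      this.baselines.set(sessionId, current);
      return { action: 'baseline', score: 0, changed: [] };
    }
    const d = drift(baseline, current);
    // The baseline is never updated, so many small changes cannot walk it away.
    const action = d.score >= REAUTH_THRESHOLD ? 'reauthenticate' : 'ok';
    return { action, score: d.score, changed: d.changed };
  }
}
```

The baseline is keyed by the server-issued session ID, not by anything the device claims about itself, so the check never treats the fingerprint as an identity.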