Re: [whatwg] API for unique identification of devices (mobile/tablet/pc)

On 14 December 2012 08:51, Stan <stasson@orc.ru> wrote:

> First, I don't think it's convenient for users to register themselves
> on many sites, which they visit occasionally.
>

A device ID won't register a user.  Where will the profile information come
from?  If it comes from a web-based service (like Gravatar), then a device
ID is not required to address the inconvenience, because users will use
multiple devices over time.

I don't think making users register each device would be convenient, either.


> Second, user accounts are based on e-mails as a rule, which is not unique
> at all,
>

If an email address cannot uniquely identify a user's account, that's a
problem with the web application.


> every user can have multiple e-mails and multiple registrations.


A human can have multiple devices.


> Many web-services
> struggle against users' reputation spoofing made via such fake accounts.
>

The information sent to a web service can be spoofed/rewritten on the fly.
 Are web services struggling against humans manually creating fake accounts
or against automated systems creating fake accounts?

A human can own a several devices, a determined human can control thousands
more.

A device ID isn't going to be a foolproof countermeasure.  An automated
account spoofing system isn't going to have any trouble automatically
generating random device IDs to send to your web service.


> Third, I think it's up to a certain web-service design and requirements,
> if it
> needs to identify user accounts or user devices.  For example, usage of

the same profile on multiple devices can be a violation of a web-service
> license agreement


Can you tell me of such a service?  I would be so extremely disappointed if
a web service locked me into the first device I used to accessed it.  I
would not continue to use it, there would be absolutely no point in
committing myself to use it, too risky.

Only allowing a user to use 1 device at a time is more likely, but that is
trivial already, you don't need a device ID to enable that. The web
application just needs to store session IDs against users in a 1-to-1
ratio, so if a user logs in on a different device, the other device loses
its session, so only 1 device can be used at any moment.


> or a web-service may bind several devices to the same
> profile.


So that would permit concurrent access, device ID would not be useful there.


> Multiple browser profiles on the same device do not matter, because
> the same device ID will be returned.


That's a bold assumption. Perhaps "Multiple browser profiles on the same
device do not matter, IF the same device ID is returned".  It wouldn't be
inconceivable for one profile to have a browser plug-in installed to
manipulate the device ID.

Moving from one device to another,
> or virtual devices - is just the same thing as having multiple devices
> considered
> above.
>

Is it?  How?  They would return different device IDs, so how is it just the
same thing?


> The main point, if device ID could be available it would provide more great
> possibilities for users and web-services.
>

Such as?  It sounds like a device ID cannot possibly be guaranteed to be
unique, at all, therefore serves no benefit.  A web application needs to
maintain its own user session state, there are no short cuts, improvements
or simplifications such as trusting a client-provided arbitrary value, even
systems based on personal digital certificates have to be verified
server-side (e.g. was the certificate issued by a trusted authority?).

--
Lee

Received on Friday, 14 December 2012 12:04:44 UTC