27168 2014-10-24 23:45:49 +0000 Individualization text regarding device identifiers is overbroad and should be more specific 2015-10-20 23:32:45 +0000 1 1 1 Unclassified HTML WG Encrypted Media Extensions unspecified PC All RESOLVED MOVED Privacy P2 normal --- 1 steele adrianba ddorwin mike public-html-media public-html-bugzilla oldest_to_newest 113744 0 steele 2014-10-24 23:45:49 +0000 Section 9.4 contains the following text: "Such implementations should not use identifiers for a device or user of a device in the individualization process." This is too broad. I proposed instead the following: "Such implementations should not directly provide identifiers for a device or user of a device in any messages sent during the individualization process." This allows for implementations which generate unique identifiers not directly associable with the device or user by digesting a mixture of device identifiers. These identifiers can have the security property that two different devices are unlikely to generate the same identifier, but also have the privacy property that it is very difficult to match an identifier to a user+device. 114184 1 ddorwin 2014-10-28 21:11:45 +0000 I'm fine with changing the text, but I think we should be more precise in what is and is not recommended. These sections contain recommendations for implementers, so we can be specific, aim high, and included the reasons and/or an analysis of such problems. Henri provides some relevant analysis in http://lists.w3.org/Archives/Public/public-html-media/2014Oct/0092.html 123796 2 ddorwin 2015-10-20 00:26:51 +0000 Is this issue still relevant? Is there a specific suggestion addressing comment #1? If so, please open a GitHub issue. Either way, we should close this legacy bug. 123797 3 steele 2015-10-20 06:11:07 +0000 Yes, this issue is still relevant. I would prefer not to be much more specific, since different implementations may use different types of identifiers. Any proprietary algorithms involved do not need to be made explicit. I can create a GitHub issue -- but it will basically just duplicate this information. Is that useful? 123814 4 ddorwin 2015-10-20 23:32:45 +0000 Migrated to https://github.com/w3c/encrypted-media/issues/110.